mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-01 13:09:50 +00:00
Code Issues Projects Releases Wiki Activity

cups CVE-2011-3170

Browse Source 
the patch come from:
http://cups.org/strfiles/3914/str3914.patch

The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and
earlier does not properly handle the first code word in an LZW stream,
which allows remote attackers to trigger a heap-based buffer overflow,
and possibly execute arbitrary code, via a crafted stream, a different
vulnerability than CVE-2011-2896.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3170

[YOCTO #3583]
[ CQID: WIND00299594 ]
Upstream-Status: Backport

(From OE-Core rev: c82517bb667484854eaa05b6e9efd9ee0f164fec)

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Li Wang
2012-12-13 15:24:07 +08:00
committed by Richard Purdie
parent cdb398935e
commit c511d0eb40
2 changed files with 56 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-3170.patch
+54
View File
@@ -0,0 +1,54 @@
cups CVE-2011-3170
the patch come from:
http://cups.org/strfiles/3914/str3914.patch
The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and
earlier does not properly handle the first code word in an LZW stream,
which allows remote attackers to trigger a heap-based buffer overflow,
and possibly execute arbitrary code, via a crafted stream, a different
vulnerability than CVE-2011-2896.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3170
Integrated-by: Li Wang <li.wang@windriver.com>
---
filter/image-gif.c | 14 +++++++++-----
1 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/filter/image-gif.c b/filter/image-gif.c
index 9542704..3857c21 100644
--- a/filter/image-gif.c
+++ b/filter/image-gif.c
@@ -654,11 +654,13 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
if (code >= max_code)
{
- *sp++ = firstcode;
- code = oldcode;
+ if (sp < (stack + 8192))
+ *sp++ = firstcode;
+
+ code = oldcode;
}
- while (code >= clear_code)
+ while (code >= clear_code && sp < (stack + 8192))
{
*sp++ = table[1][code];
if (code == table[0][code])
@@ -667,8 +669,10 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
code = table[0][code];
}
- *sp++ = firstcode = table[1][code];
- code = max_code;
+ if (sp < (stack + 8192))
+ *sp++ = firstcode = table[1][code];
+
+ code = max_code;
if (code < 4096)
{
--
1.7.0.5
meta/recipes-extended/cups/cups_1.4.6.bb
+2 -1
View File
@@ -1,6 +1,6 @@
require cups14.inc require cups14.inc
PR = "r8" PR = "r9"
DEPENDS += "libusb \ DEPENDS += "libusb \
${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
@@ -10,6 +10,7 @@ SRC_URI += " \
file://0001-don-t-try-to-run-generated-binaries.patch \ file://0001-don-t-try-to-run-generated-binaries.patch \
file://cups_serverbin.patch \ file://cups_serverbin.patch \
file://cups-CVE-2011-2896.patch \ file://cups-CVE-2011-2896.patch \
file://cups-CVE-2011-3170.patch \
file://cups-CVE-2012-5519.patch \ file://cups-CVE-2012-5519.patch \
" "