Site Navigation

Date:      Sat, 22 Nov 2008 10:17:59 +0300
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        dinoex@FreeBSD.org
Cc:        freebsd-security@freebsd.org, bug-followup@freebsd.org
Subject:   Re: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference
Message-ID:  <mslL8TJV9/8SqKL0qwbXo8qI2do@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>
In-Reply-To: <200811211846.mALIkCQK092821@freefall.freebsd.org>
References:  <200811211846.mALIkCQK092821@freefall.freebsd.org>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

--ZoaI/ZTpAVc4A5k6
Content-Type: multipart/mixed; boundary="jI8keyz6grp/JLjh"
Content-Disposition: inline


--jI8keyz6grp/JLjh
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Dirk, good day.

Fri, Nov 21, 2008 at 07:46:12PM +0100, dinoex@FreeBSD.org wrote:
> Synopsis: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference
>=20
> State-Changed-From-To: open->feedback
> State-Changed-By: dinoex
> State-Changed-When: Fri Nov 21 19:45:23 CET 2008
> State-Changed-Why:=20
>=20
> The patch do not apply.
[...]
> (Creating file ./files/patch-fix-subscriptions-null-dereference...)
> Patching file ./files/patch-fix-subscriptions-null-dereference using Plan=
 A...
> patch: **** malformed patch at line 24: =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D=
3D=3D3D=3D3D=3D3D=3D

Yeah, I think that you run into issue with query-pr.cgi and line
continuations quoted-printable encoding.  I have www/127898, but it
seems to be incomplete in respect to the attachments.  Will try to
extend the patch and post followup to the mentioned PR.

The patch for CUPS is attached, hope it will be delivered in the
unbroken form now.

Sorry for confusion.
--=20
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual  =20
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook=20
    {_.-``-'         {_/            #

--jI8keyz6grp/JLjh
Content-Type: text/x-diff; charset=koi8-r
Content-Disposition: attachment;
	filename="1.3.9-to-1.3.9_1-fix-null-deference-upstream.diff"
Content-Transfer-Encoding: quoted-printable

diff -urN ./Makefile ../cups-base/Makefile
--- ./Makefile	2008-11-20 02:48:10.000000000 +0300
+++ ../cups-base/Makefile	2008-11-20 03:07:03.000000000 +0300
@@ -7,6 +7,7 @@
=20
 PORTNAME=3D	cups
 PORTVERSION=3D	1.3.9
+PORTREVISION=3D	1
 DISTVERSIONSUFFIX=3D	-source
 CATEGORIES=3D	print
 MASTER_SITES=3D	EASYSW/${PORTNAME}/${DISTVERSION}
diff -urN ./files/patch-fix-subscriptions-null-dereference ../cups-base/fil=
es/patch-fix-subscriptions-null-dereference
--- ./files/patch-fix-subscriptions-null-dereference	1970-01-01 03:00:00.00=
0000000 +0300
+++ ../cups-base/files/patch-fix-subscriptions-null-dereference	2008-11-20 =
11:33:59.000000000 +0300
@@ -0,0 +1,179 @@
+Obtained from: Michael Sweet, via oss-security list,
+  http://www.openwall.com/lists/oss-security/2008/11/20/2
+
+Index: test/run-stp-tests.sh
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+--- test/run-stp-tests.sh	(revision 8145)
++++ test/run-stp-tests.sh	(revision 8146)
+@@ -307,6 +307,7 @@
+ DocumentRoot $root/doc
+ RequestRoot /tmp/cups-$user/spool
+ TempDir /tmp/cups-$user/spool/temp
++MaxSubscriptions 3
+ MaxLogSize 0
+ AccessLog /tmp/cups-$user/log/access_log
+ ErrorLog /tmp/cups-$user/log/error_log
+Index: test/4.4-subscription-ops.test
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+--- test/4.4-subscription-ops.test	(revision 8145)
++++ test/4.4-subscription-ops.test	(revision 8146)
+@@ -116,7 +116,33 @@
+ 	EXPECT notify-events
+ 	DISPLAY notify-events
+ }
++{
++	# The name of the test...
++	NAME "Check MaxSubscriptions limits"
+=20
++	# The operation to use
++	OPERATION Create-Printer-Subscription
++	RESOURCE /
++
++	# The attributes to send
++	GROUP operation
++	ATTR charset attributes-charset utf-8
++	ATTR language attributes-natural-language en
++	ATTR uri printer-uri $method://$hostname:$port/printers/Test1
++
++        GROUP subscription
++	ATTR uri notify-recipient-uri testnotify://
++	ATTR keyword notify-events printer-state-changed
++	ATTR integer notify-lease-duration 5
++
++	# What statuses are OK?
++	STATUS client-error-too-many-subscriptions
++
++	# What attributes do we expect?
++	EXPECT attributes-charset
++	EXPECT attributes-natural-language
++}
++
+ #
+ # End of "$Id$"
+ #
+Index: scheduler/subscriptions.c
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+--- scheduler/subscriptions.c	(revision 8145)
++++ scheduler/subscriptions.c	(revision 8146)
+@@ -341,9 +341,55 @@
+   * Limit the number of subscriptions...
+   */
+=20
+-  if (cupsArrayCount(Subscriptions) >=3D MaxSubscriptions)
++  if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >=3D MaxSubsc=
riptions)
++  {
++    cupsdLogMessage(CUPSD_LOG_DEBUG,
++                    "cupsdAddSubscription: Reached MaxSubscriptions %d",
++		    MaxSubscriptions);
+     return (NULL);
++  }
+=20
++  if (MaxSubscriptionsPerJob > 0 && job)
++  {
++    int	count;				/* Number of job subscriptions */
++
++    for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
++             count =3D 0;
++         temp;
++	 temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
++      if (temp->job =3D=3D job)
++        count ++;
++
++    if (count >=3D MaxSubscriptionsPerJob)
++    {
++      cupsdLogMessage(CUPSD_LOG_DEBUG,
++		      "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d "
++		      "for job #%d", MaxSubscriptionsPerJob, job->id);
++      return (NULL);
++    }
++  }
++
++  if (MaxSubscriptionsPerPrinter > 0 && dest)
++  {
++    int	count;				/* Number of printer subscriptions */
++
++    for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
++             count =3D 0;
++         temp;
++	 temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
++      if (temp->dest =3D=3D dest)
++        count ++;
++
++    if (count >=3D MaxSubscriptionsPerPrinter)
++    {
++      cupsdLogMessage(CUPSD_LOG_DEBUG,
++		      "cupsdAddSubscription: Reached "
++		      "MaxSubscriptionsPerPrinter %d for %s",
++		      MaxSubscriptionsPerPrinter, dest->name);
++      return (NULL);
++    }
++  }
++
+  /*
+   * Allocate memory for this subscription...
+   */
+@@ -758,7 +804,6 @@
+       cupsdLogMessage(CUPSD_LOG_ERROR,
+                       "Syntax error on line %d of subscriptions.conf.",
+ 	              linenum);
+-      break;
+     }
+     else if (!strcasecmp(line, "Events"))
+     {
+Index: scheduler/ipp.c
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+--- scheduler/ipp.c	(revision 8145)
++++ scheduler/ipp.c	(revision 8146)
+@@ -2119,24 +2119,25 @@
+     if (mask =3D=3D CUPSD_EVENT_NONE)
+       mask =3D CUPSD_EVENT_JOB_COMPLETED;
+=20
+-    sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, rec=
ipient,
+-                               0);
++    if ((sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job,
++                                    recipient, 0)) !=3D NULL)
++    {
++      sub->interval =3D interval;
+=20
+-    sub->interval =3D interval;
++      cupsdSetString(&sub->owner, job->username);
+=20
+-    cupsdSetString(&sub->owner, job->username);
++      if (user_data)
++      {
++	sub->user_data_len =3D user_data->values[0].unknown.length;
++	memcpy(sub->user_data, user_data->values[0].unknown.data,
++	       sub->user_data_len);
++      }
+=20
+-    if (user_data)
+-    {
+-      sub->user_data_len =3D user_data->values[0].unknown.length;
+-      memcpy(sub->user_data, user_data->values[0].unknown.data,
+-             sub->user_data_len);
++      ippAddSeparator(con->response);
++      ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
++		    "notify-subscription-id", sub->id);
+     }
+=20
+-    ippAddSeparator(con->response);
+-    ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
+-                  "notify-subscription-id", sub->id);
+-
+     if (attr)
+       attr =3D attr->next;
+   }
+@@ -5590,7 +5591,12 @@
+     else
+       job =3D NULL;
+=20
+-    sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0);
++    if ((sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0)) =
=3D=3D NULL)
++    {
++      send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
++		      _("There are too many subscriptions."));
++      return;
++    }
+=20
+     if (job)
+       cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",

--jI8keyz6grp/JLjh--

--ZoaI/ZTpAVc4A5k6
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkknsicACgkQthUKNsbL7YirpACeO5bSamJHFBMfGM2rSUboKdB0
i/MAn05pqGEo34lcfWwllGvbyEFU8J6W
=6nyM
-----END PGP SIGNATURE-----

--ZoaI/ZTpAVc4A5k6--

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?mslL8TJV9/8SqKL0qwbXo8qI2do>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact