authorDidier Raboud <odyx@debian.org>2020-04-25 16:23:20 +0200
committerDidier Raboud <odyx@debian.org>2020-04-26 19:30:40 +0200
commitf44185b99fd0e7b3c36d1005220fdbc07341eed6 (patch)
treed76ec24ab485867df8d52b6c795d567668d1810b
parentd281f14457c20571d44375f77d959204c9ce5106 (diff)
parentf1b7b7e074291c85366a60f7a197dea19e62c9cf (diff)
merge patched-debian/buster into debian/buster
-rw-r--r--cups/ipp.c2
-rw-r--r--cups/ppd.c3
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch56
-rw-r--r--debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch23
-rw-r--r--debian/patches/series2
-rw-r--r--ppdc/ppdc-source.cxx14
7 files changed, 93 insertions, 11 deletions
diff --git a/cups/ipp.c b/cups/ipp.c
index 98b499716..4ebb1da9c 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -2960,7 +2960,7 @@ ippReadIO(void *src, /* I - Data source */
* Read 32-bit "extension" tag...
*/
- if ((*cb)(src, buffer, 4) < 1)
+ if ((*cb)(src, buffer, 4) < 4)
{
DEBUG_puts("1ippReadIO: Callback returned EOF/error");
_cupsBufferRelease((char *)buffer);
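Review bot: The debug string on the failure path still reads `Callback returned EOF/error`, but with the `< 4` comparison this branch is now also taken for a short read of 1 to 3 bytes, which is the case the change exists to reject. A comment above the test such as `/* Require all 4 bytes: a short read would leave part of the extension tag unread in buffer */`, plus a message that mentions short reads, would make that visible when triaging logs. If the callback can legitimately return partial data, a short read is now a hard failure rather than a retry; whether the other fixed-size reads in ippReadIO use the same full-length check cannot be seen here, since the function starts and ends outside the hunk.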
diff --git a/cups/ppd.c b/cups/ppd.c
index b823d17b4..8d3eb8a3b 100644
--- a/cups/ppd.c
+++ b/cups/ppd.c
@@ -1705,8 +1705,7 @@ _ppdOpen(
constraint->choice1, constraint->option2,
constraint->choice2))
{
- case 0 : /* Error */
- case 1 : /* Error */
+ default : /* Error */
pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
goto error;
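Review bot: The `default :` label carries only `/* Error */`, so nothing records why it replaced `case 0` and `case 1`. Presumably the switch is on a conversion count that can also be negative (EOF) on empty input, a value that previously matched no label. I would spell that out, e.g. `default : /* Error - EOF (-1), 0 or 1 fields converted */`. The switch expression and the remaining case labels are outside the hunk, so it is worth confirming that every valid count still has an explicit `case` and that none of them relies on falling into this label.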
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 7a5dffa9d..fd104f21b 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-1b21a83376cee1f213faf7f4b4d89dd766c28975
-1b21a83376cee1f213faf7f4b4d89dd766c28975
+f1b7b7e074291c85366a60f7a197dea19e62c9cf
+f1b7b7e074291c85366a60f7a197dea19e62c9cf
25b2338346ef3abbb93ea88476887cba7b2b86f8
25b2338346ef3abbb93ea88476887cba7b2b86f8
cups_2.2.10.orig.tar.gz
diff --git a/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch b/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
new file mode 100644
index 000000000..9e2c808e1
--- /dev/null
+++ b/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
@@ -0,0 +1,56 @@
+From 1668f3bdc68101d44d0d18c85ba3e6572b517ff4 Mon Sep 17 00:00:00 2001
+From: Stephan Zeisberg <stephan.zeisberg@splone.com>
+Date: Fri, 10 Apr 2020 17:14:34 +0200
+Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?=
+ =?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ cups/ppd.c | 3 +--
+ ppdc/ppdc-source.cxx | 14 ++++++++------
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/cups/ppd.c b/cups/ppd.c
+index b823d17b4..8d3eb8a3b 100644
+--- a/cups/ppd.c
++++ b/cups/ppd.c
+@@ -1705,8 +1705,7 @@ _ppdOpen(
+ constraint->choice1, constraint->option2,
+ constraint->choice2))
+ {
+- case 0 : /* Error */
+- case 1 : /* Error */
++ default : /* Error */
+ pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+ goto error;
+
+diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
+index 5add81002..383f0183d 100644
+--- a/ppdc/ppdc-source.cxx
++++ b/ppdc/ppdc-source.cxx
+@@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read
+
+ switch (sscanf(name, "%dx%d", &xdpi, &ydpi))
+ {
+- case 0 :
+- _cupsLangPrintf(stderr,
+- _("ppdc: Bad resolution name \"%s\" on line %d of "
+- "%s."), name, fp->line, fp->filename);
+- break;
+ case 1 :
+ ydpi = xdpi;
+ break;
+- }
++ case 2 :
++ break;
++ default :
++ _cupsLangPrintf(stderr,
++ _("ppdc: Bad resolution name \"%s\" on line %d of "
++ "%s."), name, fp->line, fp->filename);
++ break;
++}
+
+ // Create the necessary PS commands...
+ snprintf(command, sizeof(command),
diff --git a/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch b/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
new file mode 100644
index 000000000..b46bd1b92
--- /dev/null
+++ b/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
@@ -0,0 +1,23 @@
+From f1b7b7e074291c85366a60f7a197dea19e62c9cf Mon Sep 17 00:00:00 2001
+From: Didier Raboud <odyx@debian.org>
+Date: Sat, 25 Apr 2020 16:02:12 +0200
+Subject: CVE-2019-8842: The `ippReadIO` function may under-read an extension
+ field
+
+---
+ cups/ipp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 98b499716..4ebb1da9c 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2960,7 +2960,7 @@ ippReadIO(void *src, /* I - Data source */
+ * Read 32-bit "extension" tag...
+ */
+
+- if ((*cb)(src, buffer, 4) < 1)
++ if ((*cb)(src, buffer, 4) < 4)
+ {
+ DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+ _cupsBufferRelease((char *)buffer);
diff --git a/debian/patches/series b/debian/patches/series
index 89f9d0382..789ca3ada 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -47,3 +47,5 @@ manpage-translations.patch
0047-Fix-multiple-security-disclosure-issues.patch
0048-Fix-memory-leak-in-ppdOpen.patch
0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
+0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
+0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
index 5add81002..383f0183d 100644
--- a/ppdc/ppdc-source.cxx
+++ b/ppdc/ppdc-source.cxx
@@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read
switch (sscanf(name, "%dx%d", &xdpi, &ydpi))
{
- case 0 :
- _cupsLangPrintf(stderr,
- _("ppdc: Bad resolution name \"%s\" on line %d of "
- "%s."), name, fp->line, fp->filename);
- break;
case 1 :
ydpi = xdpi;
break;
- }
+ case 2 :
+ break;
+ default :
+ _cupsLangPrintf(stderr,
+ _("ppdc: Bad resolution name \"%s\" on line %d of "
+ "%s."), name, fp->line, fp->filename);
+ break;
+}
// Create the necessary PS commands...
snprintf(command, sizeof(command),
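Review bot: After the new `default :` branch prints the "Bad resolution name" message it only does `break`, so control still reaches the `snprintf(command, ...)` below with whatever `xdpi` and `ydpi` held before the `sscanf`. Their initialisation is outside the hunk; if they have no defaults, an EOF or zero-conversion result would format indeterminate values into the PS command. Either document the fallback on the branch, e.g. `// EOF or no match: keep the defaults set before the switch`, or return early after the message. The switch's closing brace also appears to have lost its indentation (`+}` against the removed `- }`). get_resolution starts and ends outside the hunk.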