author | Timo Gurr <tgurr@gentoo.org> | 2008-04-14 20:47:45 +0000 |
---|---|---|
committer | Timo Gurr <tgurr@gentoo.org> | 2008-04-14 20:47:45 +0000 |
commit | b43cafc696859a78ef3d16dd7183de80f8a23650 (patch) | |
tree | c4dfe6fc0c8a7a5cd777d8f2f3f1715a7038b670 /net-print/cups/files | |
parent | x86 stable, security bug #217603 (diff) | |
Security bump, see bug #217232. Also fixes bug #217293.
(Portage version: 2.1.5_rc3)
Diffstat (limited to 'net-print/cups/files')
4 files changed, 144 insertions, 23 deletions
diff --git a/net-print/cups/files/cups-1.2.12-CVE-2008-1722.patch b/net-print/cups/files/cups-1.2.12-CVE-2008-1722.patch
new file mode 100644
index 000000000000..dad7dd083aea
--- /dev/null
+++ b/net-print/cups/files/cups-1.2.12-CVE-2008-1722.patch
@@ -0,0 +1,62 @@
+diff -Naur cups-1.2.12/filter/image-png.c cups-1.2.12.new/filter/image-png.c
+--- cups-1.2.12/filter/image-png.c 2006-05-11 13:41:36.000000000 +0200
++++ cups-1.2.12.new/filter/image-png.c 2008-04-14 15:46:35.665695675 +0200
+@@ -179,16 +179,56 @@
+ * Interlaced images must be loaded all at once...
+ */
+
++ size_t bufsize; /* Size of buffer */
++
++
+ if (color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+- in = malloc(img->xsize * img->ysize);
++ {
++ bufsize = img->xsize * img->ysize;
++
++ if ((bufsize / img->ysize) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)width, (unsigned)height);
++ fclose(fp);
++ return (1);
++ }
++ }
+ else
+- in = malloc(img->xsize * img->ysize * 3);
++ {
++ bufsize = img->xsize * img->ysize * 3;
++
++ if ((bufsize / (img->ysize * 3)) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)width, (unsigned)height);
++ fclose(fp);
++ return (1);
++ }
++ }
++
++ in = malloc(bufsize);
+ }
+
+ bpp = cupsImageGetDepth(img);
+ out = malloc(img->xsize * bpp);
+
++ if (!in || !out)
++ {
++ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
++
++ if (in)
++ free(in);
++
++ if (out)
++ free(out);
++
++ fclose(fp);
++
++ return (1);
++ }
++
+ /*
+ * Read the image, interlacing as needed...
+ */
diff --git a/net-print/cups/files/cups-1.3.6-CVE-2008-1373.patch b/net-print/cups/files/cups-1.3.6-CVE-2008-1373.patch
deleted file mode 100644
index 8a7383f4e096..000000000000
--- a/net-print/cups/files/cups-1.3.6-CVE-2008-1373.patch
+++ /dev/null
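Review bot: In cups-1.2.12-CVE-2008-1722.patch the overflow test for the colour case divides by `img->ysize * 3`, a divisor computed with the same arithmetic the check is meant to distrust; if xsize and ysize are 32-bit unsigned (their declarations are outside the hunk), both the divisor and the product can wrap before the result is widened to size_t. Both branches also divide by `img->ysize` with no visible zero check, and `out = malloc(img->xsize * bpp)` is left without any overflow test. Testing before multiplying covers these cases, e.g. `if (img->ysize == 0 || img->xsize > SIZE_MAX / 3 / img->ysize)` followed by `bufsize = (size_t)img->xsize * img->ysize * 3;`. An earlier bound on width and height may already exclude such values, but the enclosing function starts and ends outside the hunk, so that cannot be confirmed from here. The identical second hunk in cups-1.3.7-CVE-2008-1722.patch has the same issue.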
@@ -1,23 +0,0 @@
-Index: cups-1.3.6/filter/image-gif.c
-===================================================================
---- cups-1.3.6.orig/filter/image-gif.c
-+++ cups-1.3.6/filter/image-gif.c
-@@ -38,6 +38,8 @@
- #define GIF_INTERLACE 0x40
- #define GIF_COLORMAP 0x80
-
-+#define MAX_LWZ_BITS 12
-+
- typedef cups_ib_t gif_cmap_t[256][4];
- typedef short gif_table_t[4096];
-
-@@ -462,6 +464,9 @@ gif_read_image(FILE *fp, /* I -
- pass = 0;
- code_size = getc(fp);
-
-+ if (code_size > MAX_LWZ_BITS)
-+ return (-1);
-+
- if (!pixels)
- return (-1);
-
diff --git a/net-print/cups/files/cups-1.3.7-CVE-2008-1722.patch b/net-print/cups/files/cups-1.3.7-CVE-2008-1722.patch
new file mode 100644
index 000000000000..908134c47ee4
--- /dev/null
+++ b/net-print/cups/files/cups-1.3.7-CVE-2008-1722.patch
@@ -0,0 +1,71 @@
+diff -Naur cups-1.3.7/filter/image-png.c cups-1.3.7.new/filter/image-png.c
+--- cups-1.3.7/filter/image-png.c 2007-07-11 23:46:42.000000000 +0200
++++ cups-1.3.7.new/filter/image-png.c 2008-04-14 15:48:56.641188980 +0200
+@@ -3,7 +3,7 @@
+ *
+ * PNG image routines for the Common UNIX Printing System (CUPS).
+ *
+- * Copyright 2007 by Apple Inc.
++ * Copyright 2007-2008 by Apple Inc.
+ * Copyright 1993-2007 by Easy Software Products.
+ *
+ * These coded instructions, statements, and computer programs are the
+@@ -170,16 +170,56 @@
+ * Interlaced images must be loaded all at once...
+ */
+
++ size_t bufsize; /* Size of buffer */
++
++
+ if (color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+- in = malloc(img->xsize * img->ysize);
++ {
++ bufsize = img->xsize * img->ysize;
++
++ if ((bufsize / img->ysize) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)width, (unsigned)height);
++ fclose(fp);
++ return (1);
++ }
++ }
+ else
+- in = malloc(img->xsize * img->ysize * 3);
++ {
++ bufsize = img->xsize * img->ysize * 3;
++
++ if ((bufsize / (img->ysize * 3)) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)width, (unsigned)height);
++ fclose(fp);
++ return (1);
++ }
++ }
++
++ in = malloc(bufsize);
+ }
+
+ bpp = cupsImageGetDepth(img);
+ out = malloc(img->xsize * bpp);
+
++ if (!in || !out)
++ {
++ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
++
++ if (in)
++ free(in);
++
++ if (out)
++ free(out);
++
++ fclose(fp);
++
++ return (1);
++ }
++
+ /*
+ * Read the image, interlacing as needed...
+ */
diff --git a/net-print/cups/files/cups-1.3.7-backend-https.patch b/net-print/cups/files/cups-1.3.7-backend-https.patch
new file mode 100644
index 000000000000..44706b3e4a24
--- /dev/null
+++ b/net-print/cups/files/cups-1.3.7-backend-https.patch
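Review bot: The two dimension-rejection paths and the allocation-failure path in the second hunk of cups-1.3.7-CVE-2008-1722.patch all report with a `DEBUG:` prefix, which the CUPS scheduler records only at debug log level, so a job dropped by this check would leave no trace in a default error_log. An oversized PNG reaching this branch is the case the fix exists for, so `"ERROR: PNG image dimensions (%ux%u) too large!\n"` would make the rejection visible to whoever monitors the print server. The message also prints `width`/`height` while the check operates on `img->xsize`/`img->ysize`; presumably they hold the same values, but that assignment is outside the hunk. The same applies to the matching hunk in the cups-1.2.12 patch.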
@@ -0,0 +1,11 @@
+diff -Naur cups-1.3.7/backend/Makefile cups-1.3.7.new/backend/Makefile
+--- cups-1.3.7/backend/Makefile 2007-08-08 21:27:51.000000000 +0200
++++ cups-1.3.7.new/backend/Makefile 2008-04-14 16:42:18.106785330 +0200
+@@ -62,6 +62,7 @@
+ done
+ $(RM) $(SERVERBIN)/backend/http
+ $(LN) ipp $(SERVERBIN)/backend/http
++ $(LN) ipp $(SERVERBIN)/backend/https
+ if test "x$(SYMROOT)" != "x"; then \
+ $(INSTALL_DIR) $(SYMROOT); \
+ for file in $(TARGETS); do \ |
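Review bot: The added `$(LN) ipp $(SERVERBIN)/backend/https` line has no preceding `$(RM) $(SERVERBIN)/backend/https`, unlike the http link two lines above it. If `$(LN)` does not force-replace an existing target (its definition is outside the hunk), a reinstall over an existing link would fail; adding the matching `$(RM)` line keeps the two links consistent. The uninstall target is not shown here and presumably needs the same addition so the https link is not left behind.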