From 98266ca12cf27a2fe41697a1834f8668c412abf1 Mon Sep 17 00:00:00 2001
From: jasper <jasper@openbsd.org>
Date: Wed, 4 Mar 2009 19:50:00 +0000
Subject: [PATCH] Security fix for CVE-2008-5183. Patch adapted from Red Hat's
 solution.

ok ajacoutot@ (MAINTAINER)
---
 print/cups/Makefile                           |  4 +-
 print/cups/patches/patch-desktop_cups_desktop |  4 +-
 print/cups/patches/patch-scheduler_ipp_c      | 60 ++++++++++++++++++
 .../patches/patch-scheduler_subscriptions_c   | 63 +++++++++++++++++++
 .../patch-test_4_4-subscription-ops_test      | 41 ++++++++++++
 .../cups/patches/patch-test_run-stp-tests_sh  | 21 +++++--
 6 files changed, 185 insertions(+), 8 deletions(-)
 create mode 100644 print/cups/patches/patch-scheduler_ipp_c
 create mode 100644 print/cups/patches/patch-scheduler_subscriptions_c
 create mode 100644 print/cups/patches/patch-test_4_4-subscription-ops_test

diff --git a/print/cups/Makefile b/print/cups/Makefile
index 56608a957a0..d5fd5a28d89 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.37 2008/11/19 05:28:30 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.38 2009/03/04 19:50:00 jasper Exp $
 
 COMMENT=		Common Unix Printing System
 
 VERSION=		1.2.7
 DISTNAME=		cups-${VERSION}-source
-PKGNAME=		cups-${VERSION}p14
+PKGNAME=		cups-${VERSION}p15
 CATEGORIES=		print sysutils
 
 SHARED_LIBS+=		cups		3.0
diff --git a/print/cups/patches/patch-desktop_cups_desktop b/print/cups/patches/patch-desktop_cups_desktop
index 7ebe6b360c9..70d9c706315 100644
--- a/print/cups/patches/patch-desktop_cups_desktop
+++ b/print/cups/patches/patch-desktop_cups_desktop
@@ -1,6 +1,6 @@
-$OpenBSD: patch-desktop_cups_desktop,v 1.2 2009/02/15 18:57:27 jasper Exp $
+$OpenBSD: patch-desktop_cups_desktop,v 1.3 2009/03/04 19:50:00 jasper Exp $
 --- desktop/cups.desktop.orig	Thu Nov 16 14:34:44 2006
-+++ desktop/cups.desktop	Sun Feb 15 19:56:59 2009
++++ desktop/cups.desktop	Fri Feb 27 11:23:26 2009
 @@ -1,7 +1,7 @@
  [Desktop Entry]
  Categories=Application;System;X-Red-Hat-Base;
diff --git a/print/cups/patches/patch-scheduler_ipp_c b/print/cups/patches/patch-scheduler_ipp_c
new file mode 100644
index 00000000000..772b517ba4c
--- /dev/null
+++ b/print/cups/patches/patch-scheduler_ipp_c
@@ -0,0 +1,60 @@
+$OpenBSD: patch-scheduler_ipp_c,v 1.1 2009/03/04 19:50:00 jasper Exp $
+
+Security fix for CVE-2008-5183.
+Patch adapted from Red Hat's solution.
+
+--- scheduler/ipp.c.orig	Fri Oct 20 22:35:41 2006
++++ scheduler/ipp.c	Fri Feb 27 11:32:27 2009
+@@ -1888,24 +1888,25 @@ add_job_subscriptions(
+     if (mask == CUPSD_EVENT_NONE)
+       mask = CUPSD_EVENT_JOB_COMPLETED;
+ 
+-    sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, recipient,
+-                               0);
++    if ((sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job,
++                                    recipient, 0)) != NULL)
++    {
++      sub->interval = interval;
+ 
+-    sub->interval = interval;
++      cupsdSetString(&sub->owner, job->username);
+ 
+-    cupsdSetString(&sub->owner, job->username);
++      if (user_data)
++      {
++	sub->user_data_len = user_data->values[0].unknown.length;
++	memcpy(sub->user_data, user_data->values[0].unknown.data,
++	       sub->user_data_len);
++      }
+ 
+-    if (user_data)
+-    {
+-      sub->user_data_len = user_data->values[0].unknown.length;
+-      memcpy(sub->user_data, user_data->values[0].unknown.data,
+-             sub->user_data_len);
++      ippAddSeparator(con->response);
++      ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
++		    "notify-subscription-id", sub->id);
+     }
+ 
+-    ippAddSeparator(con->response);
+-    ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
+-                  "notify-subscription-id", sub->id);
+-
+     if (attr)
+       attr = attr->next;
+   }
+@@ -4939,7 +4940,12 @@ create_subscription(
+     else
+       job = NULL;
+ 
+-    sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
++    if ((sub = cupsdAddSubscription(mask, printer, job, recipient, 0)) == NULL)
++    {
++      send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
++		      _("There are too many subscriptions."));
++      return;
++    }
+ 
+     if (job)
+       cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",
diff --git a/print/cups/patches/patch-scheduler_subscriptions_c b/print/cups/patches/patch-scheduler_subscriptions_c
new file mode 100644
index 00000000000..6f0fdc52c47
--- /dev/null
+++ b/print/cups/patches/patch-scheduler_subscriptions_c
@@ -0,0 +1,63 @@
+$OpenBSD: patch-scheduler_subscriptions_c,v 1.1 2009/03/04 19:50:00 jasper Exp $
+
+Security fix for CVE-2008-5183.
+Patch adapted from Red Hat's solution.
+
+--- scheduler/subscriptions.c.orig	Fri Sep 29 04:26:29 2006
++++ scheduler/subscriptions.c	Fri Feb 27 11:31:46 2009
+@@ -349,8 +349,54 @@ cupsdAddSubscription(
+   * Limit the number of subscriptions...
+   */
+ 
+-  if (cupsArrayCount(Subscriptions) >= MaxSubscriptions)
++  if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >= MaxSubscriptions)
++  {
++    cupsdLogMessage(CUPSD_LOG_DEBUG,
++                    "cupsdAddSubscription: Reached MaxSubscriptions %d",
++		    MaxSubscriptions);
+     return (NULL);
++  }
++
++  if (MaxSubscriptionsPerJob > 0 && job)
++  {
++    int        count;			       /* Number of job subscriptions */
++
++    for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
++	     count = 0;
++	 temp;
++	temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
++      if (temp->job == job)
++	count ++;
++
++    if (count >= MaxSubscriptionsPerJob)
++    {
++      cupsdLogMessage(CUPSD_LOG_DEBUG,
++		     "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d "
++		     "for job #%d", MaxSubscriptionsPerJob, job->id);
++      return (NULL);
++    }
++  }
++
++  if (MaxSubscriptionsPerPrinter > 0 && dest)
++  {
++    int        count;			       /* Number of printer subscriptions */
++
++    for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
++	     count = 0;
++	 temp;
++	temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
++      if (temp->dest == dest)
++	count ++;
++
++    if (count >= MaxSubscriptionsPerPrinter)
++    {
++      cupsdLogMessage(CUPSD_LOG_DEBUG,
++		     "cupsdAddSubscription: Reached "
++		     "MaxSubscriptionsPerPrinter %d for %s",
++		     MaxSubscriptionsPerPrinter, dest->name);
++      return (NULL);
++    }
++  }
+ 
+  /*
+   * Allocate memory for this subscription...
diff --git a/print/cups/patches/patch-test_4_4-subscription-ops_test b/print/cups/patches/patch-test_4_4-subscription-ops_test
new file mode 100644
index 00000000000..682332f4a51
--- /dev/null
+++ b/print/cups/patches/patch-test_4_4-subscription-ops_test
@@ -0,0 +1,41 @@
+$OpenBSD: patch-test_4_4-subscription-ops_test,v 1.1 2009/03/04 19:50:00 jasper Exp $
+
+Security fix for CVE-2008-5183.
+Patch adapted from Red Hat's solution.
+
+*** test/4.4-subscription-ops.test.orig	Wed Aug 16 22:05:58 2006
+--- test/4.4-subscription-ops.test	Fri Feb 27 11:26:51 2009
+***************
+*** 117,120 ****
+--- 117,147 ----
+  	DISPLAY notify-events
+  }
++ {
++        # The name of the test...
++        NAME "Check MaxSubscriptions limits"
++ 
++        # The operation to use
++        OPERATION Create-Printer-Subscription
++        RESOURCE /
++ 
++        # The attributes to send
++        GROUP operation
++        ATTR charset attributes-charset utf-8
++        ATTR language attributes-natural-language en
++        ATTR uri printer-uri $method://$hostname:$port/printers/Test1
++ 
++ 	GROUP subscription
++        ATTR uri notify-recipient-uri testnotify://
++        ATTR keyword notify-events printer-state-changed
++        ATTR integer notify-lease-duration 5
++ 
++        # What statuses are OK?
++        STATUS client-error-too-many-subscriptions
++ 
++        # What attributes do we expect?
++        EXPECT attributes-charset
++        EXPECT attributes-natural-language
++ }
++ 
+  
+  #
diff --git a/print/cups/patches/patch-test_run-stp-tests_sh b/print/cups/patches/patch-test_run-stp-tests_sh
index adfd8c6824c..0bc9a9bd85d 100644
--- a/print/cups/patches/patch-test_run-stp-tests_sh
+++ b/print/cups/patches/patch-test_run-stp-tests_sh
@@ -1,6 +1,11 @@
-$OpenBSD: patch-test_run-stp-tests_sh,v 1.3 2007/03/17 18:28:02 deanna Exp $
---- test/run-stp-tests.sh.orig	Wed Nov 15 15:37:45 2006
-+++ test/run-stp-tests.sh	Fri Mar 16 16:50:33 2007
+$OpenBSD: patch-test_run-stp-tests_sh,v 1.4 2009/03/04 19:50:00 jasper Exp $
+
+Second chunk of this patch:
+Security fix for CVE-2008-5183.
+Patch adapted from Red Hat's solution.
+
+--- test/run-stp-tests.sh.orig	Wed Nov 15 21:37:45 2006
++++ test/run-stp-tests.sh	Fri Feb 27 11:25:28 2009
 @@ -30,7 +30,7 @@ argcount=$#
  # Make the IPP test program...
  #
@@ -10,7 +15,15 @@ $OpenBSD: patch-test_run-stp-tests_sh,v 1.3 2007/03/17 18:28:02 deanna Exp $
  
  #
  # Figure out the proper echo options...
-@@ -373,7 +373,7 @@ fi
+@@ -294,6 +294,7 @@ FontPath /tmp/cups-$user/share/fonts
+ DocumentRoot $root/doc
+ RequestRoot /tmp/cups-$user/spool
+ TempDir /tmp/cups-$user/spool/temp
++MaxSubscriptions 3
+ MaxLogSize 0
+ AccessLog /tmp/cups-$user/log/access_log
+ ErrorLog /tmp/cups-$user/log/error_log
+@@ -373,7 +374,7 @@ fi
  
  export LD_LIBRARY_PATH