diff options
| author | Martin Wilke <miwi@FreeBSD.org> | 2008-11-29 15:37:38 +0000 |
|---|---|---|
| committer | Martin Wilke <miwi@FreeBSD.org> | 2008-11-29 15:37:38 +0000 |
| commit | 01bc57d2592c52cfa30105b615372ec0bb5e26fb (patch) | |
| tree | 5189479d0fca0d192f73bb02fb45fe21c9c206f5 /print/hplip | |
| parent | 63beade619e957fd92f42930e74caa9d61f415f2 (diff) | |
| download | ports-01bc57d2592c52cfa30105b615372ec0bb5e26fb.tar.gz ports-01bc57d2592c52cfa30105b615372ec0bb5e26fb.zip | |
Notes
Diffstat (limited to 'print/hplip')
| -rw-r--r-- | print/hplip/files/patch-CVE-2008-2940 | 74 | ||||
| -rw-r--r-- | print/hplip/files/patch-CVE-2008-2941 | 210 |
2 files changed, 284 insertions, 0 deletions
diff --git a/print/hplip/files/patch-CVE-2008-2940 b/print/hplip/files/patch-CVE-2008-2940 new file mode 100644 index 000000000000..dbe14fa417e8 --- /dev/null +++ b/print/hplip/files/patch-CVE-2008-2940 @@ -0,0 +1,74 @@ +Patch for CVE-2008-2940 + +Please note that alerts are now system-wide and they live in +/etc/hp/alerts.conf + +See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2940 +Obtained from: https://bugzilla.redhat.com/attachment.cgi?id=312878 +Obtained from: https://bugzilla.redhat.com/attachment.cgi?id=312880 + +diff -up hplip-1.6.7/hpssd.py.validate-uri hplip-1.6.7/hpssd.py +--- hpssd.py.validate-uri 2008-07-29 12:48:28.000000000 +0100 ++++ hpssd.py 2008-07-29 13:41:29.000000000 +0100 +@@ -1021,6 +1021,9 @@ class hpssd_handler(dispatcher): + event_type = self.fields.get('event-type', 'event') + event_code = self.fields.get('event-code', 0) + device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:') ++ result_code = self.__checkdevice(device_uri) ++ if result_code != ERROR_SUCCESS: ++ return + log.debug("Device URI: %s" % device_uri) + + try: +diff -up hplip-1.6.7/base/g.py.static-alerts-table hplip-1.6.7/base/g.py +--- base/g.py.orig 2008-01-18 02:10:29.000000000 +0300 ++++ base/g.py 2008-11-23 22:39:11.000000000 +0300 +@@ -134,6 +134,7 @@ + # Config file: directories and ports + prop.sys_config_file = '/etc/hp/hplip.conf' + prop.user_dir = os.path.expanduser('~/.hplip') ++prop.alerts_config_file = '/etc/hp/alerts.conf' + + os.umask(0037) + try: +@@ -154,6 +155,7 @@ + + sys_cfg = Config(prop.sys_config_file, True) + user_cfg = Config(prop.user_config_file) ++alerts_cfg = Config(prop.alerts_config_file) + + + # Language settings +diff -up hplip-1.6.7/hpssd.py.static-alerts-table hplip-1.6.7/hpssd.py +--- hpssd.py.static-alerts-table 2008-07-29 14:57:04.000000000 +0100 ++++ hpssd.py 2008-07-29 15:22:15.000000000 +0100 +@@ -71,6 +71,12 @@ from prnt import cups + + # Per user alert settings + alerts = {} ++for user, cfg in alerts_cfg.iteritems (): ++ entry = {} ++ entry['email-alerts'] = utils.to_bool (cfg.get('email-alerts', 0)) ++ entry['email-from-address'] = cfg.get('email-from-address', '') ++ entry['email-to-addresses'] = cfg.get('email-to-addresses', '') ++ alerts[user] = entry + + # Fax temp files + fax_file = {} +@@ -803,15 +809,10 @@ class hpssd_handler(dispatcher): + self.out_buffer = buildResultMessage('InjectValueResult', None, result_code) + + +- # TODO: Need to load alerts at start-up + def handle_setalerts(self): + result_code = ERROR_SUCCESS +- username = self.fields.get('username', '') + +- alerts[username] = {'email-alerts' : utils.to_bool(self.fields.get('email-alerts', '0')), +- 'email-from-address' : self.fields.get('email-from-address', ''), +- 'email-to-addresses' : self.fields.get('email-to-addresses', ''), +- } ++ # Do nothing. We use the alerts table in /etc/hp/alerts.conf. + + self.out_buffer = buildResultMessage('SetAlertsResult', None, result_code) + diff --git a/print/hplip/files/patch-CVE-2008-2941 b/print/hplip/files/patch-CVE-2008-2941 new file mode 100644 index 000000000000..f4bb8ee06caa --- /dev/null +++ b/print/hplip/files/patch-CVE-2008-2941 @@ -0,0 +1,210 @@ +Patch for CVE-2008-2941 + +Fixes parser fragility: original code expects only strings or numbers as +the input values, but not both. And hpssd client has the full control +on the input data, so when number is tried to be transformed as string +(by calling lower() method, for example) the unhandled exception +terminates the daemon. + +Based on: https://bugzilla.redhat.com/attachment.cgi?id=312881 + +--- hpssd.py.orig 2008-11-23 22:41:08.000000000 +0300 ++++ hpssd.py 2008-11-23 22:57:51.000000000 +0300 +@@ -203,7 +203,7 @@ + log.debug(self.out_buffer) + return True + +- msg_type = self.fields.get('msg', 'unknown').lower() ++ msg_type = str(self.fields.get('msg', 'unknown')).lower() + log.debug("Handling: %s %s %s" % ("*"*20, msg_type, "*"*20)) + log.debug(repr(self.in_buffer)) + +@@ -260,9 +260,9 @@ + + + def handle_getvalue(self): +- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:') ++ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:') + value = '' +- key = self.fields.get('key', '') ++ key = str(self.fields.get('key', '')) + result_code = self.__checkdevice(device_uri) + + if result_code == ERROR_SUCCESS: +@@ -274,9 +274,9 @@ + self.out_buffer = buildResultMessage('GetValueResult', value, result_code) + + def handle_setvalue(self): +- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:') +- key = self.fields.get('key', '') +- value = self.fields.get('value', '') ++ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:') ++ key = str(self.fields.get('key', '')) ++ value = str(self.fields.get('value', '')) + result_code = self.__checkdevice(device_uri) + + if result_code == ERROR_SUCCESS: +@@ -285,7 +285,7 @@ + self.out_buffer = buildResultMessage('SetValueResult', None, ERROR_SUCCESS) + + def handle_queryhistory(self): +- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:') ++ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:') + payload = '' + result_code = self.__checkdevice(device_uri) + +@@ -305,8 +305,8 @@ + + # EVENT + def handle_registerguievent(self): +- username = self.fields.get('username', '') +- typ = self.fields.get('type', 'unknown') ++ username = str(self.fields.get('username', '')) ++ typ = str(self.fields.get('type', 'unknown')) + self.typ = typ + self.username = username + self.send_events = True +@@ -314,13 +314,13 @@ + + # EVENT + def handle_unregisterguievent(self): +- username = self.fields.get('username', '') ++ username = str(self.fields.get('username', '')) + self.send_events = False + + + def handle_test_email(self): + result_code = ERROR_SUCCESS +- username = self.fields.get('username', prop.username) ++ username = str(self.fields.get('username', prop.username)) + message = device.queryString('email_test_message') + subject = device.queryString('email_test_subject') + result_code = self.sendEmail(username, subject, message, True) +@@ -343,11 +343,14 @@ + + # sent by hpfax: to indicate the start of a complete fax rendering job + def handle_hpfaxbegin(self): +- username = self.fields.get('username', prop.username) +- job_id = self.fields.get('job-id', 0) +- printer_name = self.fields.get('printer', '') +- device_uri = self.fields.get('device-uri', '').replace('hp:', 'hpfax:') +- title = self.fields.get('title', '') ++ username = str(self.fields.get('username', prop.username)) ++ try: ++ job_id = int(self.fields.get('job-id', 0)) ++ except ValueError: ++ job_id = 0 ++ printer_name = str(self.fields.get('printer', '')) ++ device_uri = str(self.fields.get('device-uri', '')).replace('hp:', 'hpfax:') ++ title = str(self.fields.get('title', '')) + + log.debug("Creating data store for %s:%d" % (username, job_id)) + fax_file[(username, job_id)] = tempfile.NamedTemporaryFile(prefix="hpfax") +@@ -360,8 +363,11 @@ + + # sent by hpfax: to transfer completed fax rendering data + def handle_hpfaxdata(self): +- username = self.fields.get('username', prop.username) +- job_id = self.fields.get('job-id', 0) ++ username = str(self.fields.get('username', prop.username)) ++ try: ++ job_id = int(self.fields.get('job-id', 0)) ++ except ValueError: ++ job_id = 0 + + if self.payload and (username, job_id) in fax_file and \ + not fax_file_ready[(username, job_id)]: +@@ -373,12 +379,18 @@ + + # sent by hpfax: to indicate the end of a complete fax rendering job + def handle_hpfaxend(self): +- username = self.fields.get('username', '') +- job_id = self.fields.get('job-id', 0) +- printer_name = self.fields.get('printer', '') +- device_uri = self.fields.get('device-uri', '').replace('hp:', 'hpfax:') +- title = self.fields.get('title', '') +- job_size = self.fields.get('job-size', 0) ++ username = str(self.fields.get('username', '')) ++ try: ++ job_id = int(self.fields.get('job-id', 0)) ++ except ValueError: ++ job_id = 0 ++ printer_name = str(self.fields.get('printer', '')) ++ device_uri = str(self.fields.get('device-uri', '')).replace('hp:', 'hpfax:') ++ title = str(self.fields.get('title', '')) ++ try: ++ job_size = int(self.fields.get('job-size', 0)) ++ except ValueError: ++ job_size = 0 + + fax_file[(username, job_id)].seek(0) + fax_file_ready[(username, job_id)] = True +@@ -389,7 +401,7 @@ + + # sent by hp-sendfax to see if any faxes have been printed and need to be picked up + def handle_faxcheck(self): +- username = self.fields.get('username', '') ++ username = str(self.fields.get('username', '')) + result_code = ERROR_NO_DATA_AVAILABLE + other_fields = {} + +@@ -413,8 +425,11 @@ + # after being run with --job param, both after a hpfaxend message + def handle_faxgetdata(self): + result_code = ERROR_SUCCESS +- username = self.fields.get('username', '') +- job_id = self.fields.get('job-id', 0) ++ username = str(self.fields.get('username', '')) ++ try: ++ job_id = int(self.fields.get('job-id', 0)) ++ except ValueError: ++ job_id = 0 + + try: + fax_file[(username, job_id)] +@@ -442,15 +457,18 @@ + # EVENT + def handle_event(self): + gui_port, gui_host = None, None +- event_type = self.fields.get('event-type', 'event') ++ event_type = str(self.fields.get('event-type', 'event')) + +- event_code = self.fields.get('event-code', STATUS_PRINTER_IDLE) ++ try: ++ event_code = int(self.fields.get('event-code', STATUS_PRINTER_IDLE)) ++ except ValueError: ++ event_code = STATUS_PRINTER_IDLE + + # If event-code > 10001, its a PJL error code, so convert it + if event_code > EVENT_MAX_EVENT: + event_code = status.MapPJLErrorCode(event_code) + +- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:') ++ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:') + result_code = self.__checkdevice(device_uri) + if result_code != ERROR_SUCCESS: + return +@@ -461,7 +479,10 @@ + + log.debug("Short/Long: %s/%s" % (error_string_short, error_string_long)) + +- job_id = self.fields.get('job-id', 0) ++ try: ++ job_id = int(self.fields.get('job-id', 0)) ++ except ValueError: ++ job_id = 0 + + try: + username = self.fields['username'] +@@ -480,7 +501,10 @@ + + no_fwd = utils.to_bool(self.fields.get('no-fwd', '0')) + log.debug("Username (jobid): %s (%d)" % (username, job_id)) +- retry_timeout = self.fields.get('retry-timeout', 0) ++ try: ++ retry_timeout = int(self.fields.get('retry-timeout', 0)) ++ except ValueError: ++ retry_timeout = 0 + user_alerts = alerts.get(username, {}) + + dup_event = False |