File: 0017-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch

package info (click to toggle)

cups 2.4.10-3%2Bdeb13u2

links: PTS, VCS
area: main
in suites: trixie
size: 34,580 kB
sloc: ansic: 159,552; cpp: 8,666; sh: 5,479; makefile: 2,783; php: 17; python: 10

file content (52 lines) | stat: -rw-r--r-- 1,563 bytes

From: Thorsten Alteholz <debian@alteholz.de>
Date: Wed, 10 Sep 2025 11:05:30 +0200
Subject: fix remote DoS via null dereference

---
 cups/ipp.c | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

Index: cups-2.4.10/cups/ipp.c
===================================================================
--- cups-2.4.10.orig/cups/ipp.c	2025-09-10 11:25:47.275881427 +0200
+++ cups-2.4.10/cups/ipp.c	2025-09-10 12:33:15.653213317 +0200
@@ -2949,31 +2949,6 @@
 	  */
 
           tag = (ipp_tag_t)buffer[0];
-          if (tag == IPP_TAG_EXTENSION)
-          {
-           /*
-            * Read 32-bit "extension" tag...
-            */
-
-	    if ((*cb)(src, buffer, 4) < 4)
-	    {
-	      DEBUG_puts("1ippReadIO: Callback returned EOF/error");
-	      goto rollback;
-	    }
-
-	    tag = (ipp_tag_t)((buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | buffer[3]);
-
-            if (tag & IPP_TAG_CUPS_CONST)
-            {
-             /*
-              * Fail if the high bit is set in the tag...
-              */
-
-	      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
-	      DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
-	      goto rollback;
-            }
-          }
 
 	  if (tag == IPP_TAG_END)
 	  {
@@ -3196,6 +3171,7 @@
 
 	    if ((*cb)(src, buffer, (size_t)n) < n)
 	    {
+              _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
 	      DEBUG_puts("1ippReadIO: unable to read name.");
 	      goto rollback;
 	    }