aboutsummaryrefslogtreecommitdiffstats
path: root/main/cups/CVE-2022-26691.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/cups/CVE-2022-26691.patch')
-rw-r--r--main/cups/CVE-2022-26691.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/main/cups/CVE-2022-26691.patch b/main/cups/CVE-2022-26691.patch
new file mode 100644
index 00000000000..d1f2d37ca3b
--- /dev/null
+++ b/main/cups/CVE-2022-26691.patch
@@ -0,0 +1,33 @@
+Patch-Source: https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444
+From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 May 2022 06:27:04 +0200
+Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
+ CVE-2022-26691)
+
+The previous algorithm didn't expect the strings can have a different
+length, so one string can be a substring of the other and such substring
+was reported as equal to the longer string.
+---
+ CHANGES.md | 1 +
+ scheduler/cert.c | 9 ++++++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index b268bf1b2..9b65b96c9 100644
+--- a/scheduler/cert.c
++++ b/scheduler/cert.c
+@@ -444,5 +444,12 @@ ctcompare(const char *a, /* I - First string */
+ b ++;
+ }
+
+- return (result);
++ /*
++ * The while loop finishes when *a == '\0' or *b == '\0'
++ * so after the while loop either both *a and *b == '\0',
++ * or one points inside a string, so when we apply logical OR on *a,
++ * *b and result, we get a non-zero return value if the compared strings don't match.
++ */
++
++ return (result | *a | *b);
+ }