aboutsummaryrefslogtreecommitdiffstats
path: root/main/cups/CVE-2022-26691.patch
blob: d1f2d37ca3b5b8da5a44e152d1c152c6fdc82755 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Patch-Source: https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444
From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 26 May 2022 06:27:04 +0200
Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
 CVE-2022-26691)

The previous algorithm didn't expect the strings can have a different
length, so one string can be a substring of the other and such substring
was reported as equal to the longer string.
---
 CHANGES.md       | 1 +
 scheduler/cert.c | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/scheduler/cert.c b/scheduler/cert.c
index b268bf1b2..9b65b96c9 100644
--- a/scheduler/cert.c
+++ b/scheduler/cert.c
@@ -444,5 +444,12 @@ ctcompare(const char *a,		/* I - First string */
     b ++;
   }
 
-  return (result);
+ /*
+  * The while loop finishes when *a == '\0' or *b == '\0'
+  * so after the while loop either both *a and *b == '\0',
+  * or one points inside a string, so when we apply logical OR on *a,
+  * *b and result, we get a non-zero return value if the compared strings don't match.
+  */
+
+  return (result | *a | *b);
 }