Update version to 2.3.3 for:

CVE-2020-3898 - cups/ppd.c, ppdc/ppdc-source.cxx
CVE-2019-8842 - cups/ipp.c: ippReadIO

And build issues due to warnings.

CHANGES.md

@@ -1,6 +1,15 @@
-CHANGES - 2.3.2 - 2019-12-18
+CHANGES - 2.3.3 - 2020-04-24
 ============================
 
+Changes in CUPS v2.3.3
+----------------------
+
+- CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
+ constraint. `ppdcSource::get_resolution` function did not handle
+ invalid resolution strings.
+- CVE-2019-8842: The `ippReadIO` function may under-read an extension
+ field.
+- Fixed WARNING_OPTIONS support for GCC 9.x
 
 Changes in CUPS v2.3.2
 ----------------------

INSTALL.md

@@ -1,4 +1,4 @@
-INSTALL - CUPS v2.3.1 - 2019-12-13
+INSTALL - CUPS v2.3.3 - 2020-04-24
 ==================================
 
 This file describes how to compile and install CUPS from source code. For more

README.md

@@ -1,4 +1,4 @@
-README - CUPS v2.3.1 - 2019-12-13
+README - CUPS v2.3.3 - 2020-04-24
 =================================
 
 INTRODUCTION

config-scripts/cups-compiler.m4

@@ -175,10 +175,8 @@ if test -n "$GCC"; then
  # doesn't trigger...
  gccversion=`$CC --version | head -1 | awk '{print $NF}'`
  case "$gccversion" in
- 1.* | 2.* | 3.* | 4.* | 5.* | 6.* | \(clang-*)
- ;;
- *)
- WARNING_OPTIONS="$WARNING_OPTIONS -Wno-format-truncation -Wno-format-overflow -Wno-tautological-compare"
+ 7.* | 8.*)
+ WARNING_OPTIONS="$WARNING_OPTIONS -Wno-format-truncation -Wno-tautological-compare"
  ;;
  esac
 

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for CUPS 2.3.2.
+# Generated by GNU Autoconf 2.69 for CUPS 2.3.3.
 #
 # Report bugs to <https://github.com/apple/cups/issues>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='CUPS'
 PACKAGE_TARNAME='cups'
-PACKAGE_VERSION='2.3.2'
-PACKAGE_STRING='CUPS 2.3.2'
+PACKAGE_VERSION='2.3.3'
+PACKAGE_STRING='CUPS 2.3.3'
 PACKAGE_BUGREPORT='https://github.com/apple/cups/issues'
 PACKAGE_URL='https://www.cups.org/'
 
@@ -1467,7 +1467,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures CUPS 2.3.2 to adapt to many kinds of systems.
+\`configure' configures CUPS 2.3.3 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1532,7 +1532,7 @@ fi
 
 if test -n "$ac_init_help"; then
  case $ac_init_help in
- short | recursive ) echo "Configuration of CUPS 2.3.2:";;
+ short | recursive ) echo "Configuration of CUPS 2.3.3:";;
  esac
  cat <<\_ACEOF
 
@@ -1713,7 +1713,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-CUPS configure 2.3.2
+CUPS configure 2.3.3
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2177,7 +2177,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by CUPS $as_me 2.3.2, which was
+It was created by CUPS $as_me 2.3.3, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 
  $ $0 $@
@@ -2694,7 +2694,7 @@ done
 ac_config_headers="$ac_config_headers config.h"
 
 
-CUPS_VERSION="2.3.2"
+CUPS_VERSION="2.3.3"
 CUPS_REVISION=""
 CUPS_BUILD="cups-$CUPS_VERSION"
 
@@ -6911,9 +6911,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
  # doesn't trigger...
  gccversion=`$CC --version | head -1 | awk '{print $NF}'`
  case "$gccversion" in
- 1.* | 2.* | 3.* | 4.* | 5.* | 6.* | \(clang-*)
- ;;
- *)
+ 7.* | 8.* | 9.*)
  WARNING_OPTIONS="$WARNING_OPTIONS -Wno-format-truncation -Wno-format-overflow -Wno-tautological-compare"
  ;;
  esac
@@ -10387,7 +10385,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by CUPS $as_me 2.3.2, which was
+This file was extended by CUPS $as_me 2.3.3, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 
  CONFIG_FILES = $CONFIG_FILES
@@ -10450,7 +10448,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-CUPS config.status 2.3.2
+CUPS config.status 2.3.3
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -12,7 +12,7 @@ dnl We need at least autoconf 2.60...
 AC_PREREQ(2.60)
 
 dnl Package name and version...
-AC_INIT([CUPS], [2.3.2], [https://github.com/apple/cups/issues], [cups], [https://www.cups.org/])
+AC_INIT([CUPS], [2.3.3], [https://github.com/apple/cups/issues], [cups], [https://www.cups.org/])
 
 sinclude(config-scripts/cups-opsys.m4)
 sinclude(config-scripts/cups-common.m4)

cups/cups.h

@@ -42,10 +42,10 @@ extern "C" {
  * Constants...
  */
 
-# define CUPS_VERSION 2.0302
+# define CUPS_VERSION 2.0303
 # define CUPS_VERSION_MAJOR 2
 # define CUPS_VERSION_MINOR 3
-# define CUPS_VERSION_PATCH 2
+# define CUPS_VERSION_PATCH 3
 
 # define CUPS_BC_FD 3
  /* Back-channel file descriptor for

cups/cupspm.md

@@ -2,7 +2,7 @@
 title: CUPS Programming Manual
 author: Michael R Sweet
 copyright: Copyright © 2007-2019 by Apple Inc. All Rights Reserved.
-version: 2.3.1
+version: 2.3.3
 ...
 
 > Please [file issues on Github](https://github.com/apple/cups/issues) to

cups/ipp.c

@@ -2956,7 +2956,7 @@ ippReadIO(void *src, /* I - Data source */
  * Read 32-bit "extension" tag...
  */
 
- if ((*cb)(src, buffer, 4) < 1)
+ if ((*cb)(src, buffer, 4) < 4)
  {
  DEBUG_puts("1ippReadIO: Callback returned EOF/error");
  _cupsBufferRelease((char *)buffer);

cups/ppd.c

@@ -1719,8 +1719,7 @@ _ppdOpen(
  constraint->choice1, constraint->option2,
  constraint->choice2))
  {
- case 0 : /* Error */
- case 1 : /* Error */
+ default : /* Error */
  pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
  goto error;
 

doc/help/cupspm.html

@@ -8,7 +8,7 @@
  <meta name="creator" content="codedoc v3.1">
  <meta name="author" content="Michael R Sweet">
  <meta name="copyright" content="Copyright &#xa9; 2007-2019 by Apple Inc. All Rights Reserved.">
- <meta name="version" content="2.3.1">
+ <meta name="version" content="2.3.3">
  <style type="text/css"><!--
 body, p, h1, h2, h3, h4 {
  font-family: sans-serif;

locale/cups.pot

@@ -23,7 +23,7 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: CUPS 2.3.1\n"
+"Project-Id-Version: CUPS 2.3.3\n"
 "Report-Msgid-Bugs-To: https://github.com/apple/cups/issues\n"
 "POT-Creation-Date: 2019-12-18 20:19-0500\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"

ppdc/ppdc-source.cxx

@@ -1743,15 +1743,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read
 
  switch (sscanf(name, "%dx%d", &xdpi, &ydpi))
  {
- case 0 :
- _cupsLangPrintf(stderr,
- _("ppdc: Bad resolution name \"%s\" on line %d of "
- "%s."), name, fp->line, fp->filename);
- break;
  case 1 :
  ydpi = xdpi;
- break;
- }
+ break;
+ case 2 :
+ break;
+ default :
+ _cupsLangPrintf(stderr,
+ _("ppdc: Bad resolution name \"%s\" on line %d of "
+ "%s."), name, fp->line, fp->filename);
+ break;
+}
 
  // Create the necessary PS commands...
  snprintf(command, sizeof(command),

scheduler/printers.c

@@ -446,7 +446,7 @@ cupsdCreateCommonData(void)
 
  /* cups-version */
  ippAddString(CommonData, IPP_TAG_PRINTER, IPP_TAG_TEXT | IPP_TAG_COPY,
- "cups-version", NULL, CUPS_SVERSION + 6);
+ "cups-version", NULL, &CUPS_SVERSION[6]);
 
  /* generated-natural-language-supported (no IPP_TAG_COPY) */
  ippAddString(CommonData, IPP_TAG_PRINTER, IPP_TAG_LANGUAGE,

vcnet/config.h

@@ -97,8 +97,8 @@ typedef unsigned long useconds_t;
  * Version of software...
  */
 
-#define CUPS_SVERSION "CUPS v2.3.2"
-#define CUPS_MINIMAL "CUPS/2.3.2"
+#define CUPS_SVERSION "CUPS v2.3.3"
+#define CUPS_MINIMAL "CUPS/2.3.3"
 
 
 /*

xcode/config.h

@@ -18,8 +18,8 @@
  * Version of software...
  */
 
-#define CUPS_SVERSION "CUPS v2.3.2"
-#define CUPS_MINIMAL "CUPS/2.3.2"
+#define CUPS_SVERSION "CUPS v2.3.3"
+#define CUPS_MINIMAL "CUPS/2.3.3"
 
 
 /*