Bug#: 238976
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Filename | Description | Type | Creator | Created | Size
cups-1.3.8-CVE-2008-3639.patch | cups-1.3.8-CVE-2008-3639.patch | patch | Robert Buchholz | 2008-09-28 21:11 0000 | 1.07 KB
cups-1.3.8-CVE-2008-3640.patch | cups-1.3.8-CVE-2008-3640.patch | patch | Robert Buchholz | 2008-09-28 21:11 0000 | 2.43 KB
cups-1.3.8-CVE-2008-3641.patch | cups-1.3.8-CVE-2008-3641.patch | patch | Robert Buchholz | 2008-09-28 21:12 0000 | 3.97 KB
cups-1.3.8-r2-overlay.tar | cups-1.3.8-r2-overlay.tar.gz | application/x-tar | Robert Buchholz | 2008-10-03 01:35 0000 | 70.00 KB

Description:   Opened: 2008-09-28 20:56 0000
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

David Remahl wrote:
Apple has been notified of three vulnerabilities in CUPS (Common Unix  
Printing System). They are described below along with their Apple- 
assigned CVEs and CUPS STRs (restricted from public view).

1. imagetops heap-based buffer overflow (CVE-2008-3639, CUPS STR #2918)

A heap-based buffer overflow issue exists within the read_rle16()  
function of the imagetops CUPS image filter. The row count is not  
properly validated, and is used to control how many 16-bit integers  
are stored in a heap-based buffer.

Credit: “regenrecht” working with iDefense

2. texttops integer overflow (CVE-2008-3640, CUPS STR #2919)

An integer overflow issue exists within the WriteProlog() function in  
the texttops CUPS image filter. When calculating the page size for  
storing PostScript data, values are derived from user content and are  
used in multiplication. If the operation overflows, a small  
destination buffer may be allocated, resulting in a heap-based buffer  
overflow.

Credit: “regenrecht” working with iDefense


3. hpgltops write-what-where (CVE-2008-3641, CUPS STR #2911)

An unchecked index issue exists within the PW_pen_width() and  
PC_pen_color() functions in the hpgltops CUPS image filter. Buffer  
bounds are not properly validated when handling the pen width and pen  
color opcodes, potentially resulting in arbitrary memory being  
overwritten with controlled data.

Credit: “regenrecht” working with TippingPoint
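
The three bug classes described above (a size product that wraps, a file-supplied count that drives 16-bit stores, and an input-supplied index into a table), shown with the corresponding checks. This is an added illustration, not CUPS code and not part of the original report; the function names, MAX_PAGE_BYTES, MAX_PENS and the 1-based pen numbering are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PAGE_BYTES ((size_t)64 * 1024 * 1024) /* assumed cap, not a CUPS value */
#define MAX_PENS 1024                              /* assumed table size */

static float pen_widths[MAX_PENS]; /* hypothetical stand-in for per-pen filter state */

/* Unchecked pattern: the product wraps modulo 2^32, so the size handed to the
 * allocator can be far smaller than what is written afterwards. */
uint32_t page_bytes_unchecked(uint32_t cols, uint32_t rows, uint32_t cell)
{
    return cols * rows * cell;
}

/* Checked form: divide before multiplying so no intermediate can wrap. */
int page_bytes_checked(uint32_t cols, uint32_t rows, uint32_t cell, size_t *out)
{
    if (cols == 0 || rows == 0 || cell == 0) return -1;
    if (cols > MAX_PAGE_BYTES / rows) return -1;
    size_t n = (size_t)cols * rows;
    if (n > MAX_PAGE_BYTES / cell) return -1;
    *out = n * cell;
    return 0;
}

/* A count read from the file is checked against the space left in the row
 * before any 16-bit value is stored. */
int store_run(uint16_t *row, size_t row_len, size_t pos, size_t count, uint16_t v)
{
    if (pos > row_len || count > row_len - pos) return -1;
    for (size_t i = 0; i < count; i++) row[pos + i] = v;
    return 0;
}

/* A pen number taken from the input is range-checked before it indexes the
 * table (1-based numbering assumed). */
int set_pen_width(long pen, float width)
{
    if (pen < 1 || pen > MAX_PENS) return -1;
    pen_widths[pen - 1] = width;
    return 0;
}

int main(void)
{
    size_t n = 0;
    printf("unchecked: %u\n", (unsigned)page_bytes_unchecked(65536, 65536, 4));
    printf("checked:   %d\n", page_bytes_checked(65536, 65536, 4, &n));
    return 0;
}
```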

------- Comment #1 From Robert Buchholz 2008-09-28 21:11:15 0000 -------
Created an attachment (id=166712) [details]
cups-1.3.8-CVE-2008-3639.patch

------- Comment #2 From Robert Buchholz 2008-09-28 21:11:57 0000 -------
Created an attachment (id=166713) [details]
cups-1.3.8-CVE-2008-3640.patch

------- Comment #3 From Robert Buchholz 2008-09-28 21:12:07 0000 -------
Created an attachment (id=166715) [details]
cups-1.3.8-CVE-2008-3641.patch

------- Comment #4 From Robert Buchholz 2008-09-28 21:13:11 0000 -------
The last two patches don't apply to 1.2.12 -- if we want to push a new stable,
we need to do some backporting of the patches.

------- Comment #5 From Robert Buchholz 2008-10-03 01:35:01 0000 -------
Created an attachment (id=167039) [details]
cups-1.3.8-r2-overlay.tar.gz

overlay containing cups-1.3.8-r2 and the patches

------- Comment #6 From Robert Buchholz 2008-10-03 01:36:22 0000 -------
Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug.

=net-print/cups-1.3.8-r2
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76

------- Comment #7 From Jeroen Roovers 2008-10-03 03:03:06 0000 -------
(From update of attachment 167039 [details])
Um, sorry. I am suddenly not quite sure anymore that I was doing the right
thing there. Opera messes with compression sometimes.

------- Comment #8 From Jeroen Roovers 2008-10-03 03:58:38 0000 -------
HPPA is OK.

------- Comment #9 From Robert Buchholz 2008-10-03 10:24:05 0000 -------
(From update of attachment 167039 [details])
You're right, it is tar only. I forgot the z parameter.

------- Comment #10 From Tobias Heinlein 2008-10-03 11:44:38 0000 -------
amd64 OK

------- Comment #11 From Ferris McCormick 2008-10-03 12:28:55 0000 -------
Sparc stable.  My test is network only, using {.pdf, .ps} files and two
printers:
HP --- HP_4_SI_MX
Xerox: DocuPrint_N2125 (with duplexer unit)

------- Comment #12 From Raúl Porcel 2008-10-04 09:39:25 0000 -------
Adding Tobias for alpha

------- Comment #13 From Markus Meier 2008-10-04 09:44:03 0000 -------
looks good on amd64/x86

------- Comment #14 From Tobias Scherbaum 2008-10-04 12:31:14 0000 -------
looks good on ppc, too

------- Comment #15 From Markus Rothe 2008-10-04 19:15:17 0000 -------
looks good on ppc64.

------- Comment #16 From Robert Buchholz 2008-10-10 09:38:03 0000 -------
public now, please commit.

------- Comment #17 From Timo Gurr 2008-10-10 19:46:09 0000 -------
Thanks everyone, I've committed cups-1.3.8-r2 with stable keywords: amd64 hppa
ppc ppc64 sparc x86
I've also sneaked in a little upstream patch to fix the broken desktop file
(bug #236706) with -r2.

On a last note, I've also followed rbu's advice on how to handle our insecure
1.2.12 revisions and removed the keywords of non-slacker archs with this
commit.

------- Comment #18 From Robert Buchholz 2008-10-11 10:50:09 0000 -------
Arches, please test and mark stable:
=net-print/cups-1.3.8-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Already stabled : "amd64 hppa ppc ppc64 sparc x86"
Missing keywords: "alpha arm ia64 m68k s390 sh"

------- Comment #19 From Stefan Behte 2008-10-18 20:19:26 0000 -------
CVE-2008-3639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3639):
  Heap-based buffer overflow in the read_rle16 function in imagetops in
  CUPS before 1.3.9 allows remote attackers to execute arbitrary code
  via an SGI image with malformed Run Length Encoded (RLE) data
  containing a small image and a large row count.

CVE-2008-3640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3640):
  Integer overflow in the WriteProlog function in texttops in CUPS
  before 1.3.9 allows remote attackers to execute arbitrary code via a
  crafted PostScript file that triggers a heap-based buffer overflow.

------- Comment #20 From Tobias Klausmann 2008-11-08 20:07:58 0000 -------
Stable on alpha.

------- Comment #21 From Timo Gurr 2008-11-08 21:29:26 0000 -------
Please be sure to delete and redownload the cups tarball if you've already
downloaded it before, since upstream seems to have changed it some time ago,
see bug #241216.

------- Comment #22 From Raúl Porcel 2008-11-09 11:08:58 0000 -------
ia64 stable, everything else is done

------- Comment #23 From Christian Hoffmann 2008-11-10 20:37:04 0000 -------
GLSA request has been filed (rbu).

------- Comment #24 From Pierre-Yves Rofes 2008-12-10 22:26:31 0000 -------
GLSA 200812-11
