Tomas Hoger writes: Value of code_size is read from GIF image, but not properly validated before use to initialize table array in gif_read_lzw(). clear_code used as upper bound in for loop is short, hence overflow is limited to ~16k - 4k short int values. Moreover, attacker has limited control over the values written past the end of the buffer.
Timo, this issue is under embargo until 2008-03-26. Do not commit anything to CVS until this date. Please prepare an updated ebuild and attach it to this bug, we will do prestable testing here. Thanks.
Created attachment 146667 [details, diff] cups-1.2.12-CVE-2008-1373.patch
Created attachment 146668 [details, diff] cups-1.3.6-CVE-2008-1373.patch
Created attachment 146714 [details] cups-1.2.12-r7.ebuild Added the patch for CVE-2008-1373 and also removed the unneeded (as also discussed per mail and with upstream) patch for CVE-2007-4045.
Created attachment 146721 [details] cups-1.3.6-r3.ebuild
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86" CC'ing current Liaisons: alpha : ferdy amd64 : welp hppa : jer ppc : dertobi123 ppc64 : corsair release : pva sparc : fmccor x86 : opfer
(In reply to comment #6) > Arch Security Liaisons, please test the attached ebuild and report it stable on > this bug. That is: =net-print/cups-1.2.12-r7
Good to go on x86
Looks good on sparc. Tested -1.2.12-r7, remote only, with {.ps, .pdf} files.
HPPA is OK.
looks good on ppc64
looks good on ppc
Adding Tobias for alpha
=net-print/cups-1.2.12-r7 works dandy on alpha.
Created attachment 147078 [details, diff] cups-1.2.12-CVE-2008-0053.patch
Created attachment 147080 [details] cups-1.2.12-r7.ebuild Ok, cups is killing me these days. Could you please retest with the new -r7 ebuild? Thanks.
CVE-2008-0053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0053): Unspecified vulnerability in CUPS before 1.3.6 in Apple Mac OS X 10.5.2 has unknown impact and attack vectors related to "input validation." Apple Advisory: http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html Impact: Multiple vulnerabilities in CUPS may lead to an unexpected application termination or arbitrary code execution with system privileges Description: Multiple input validation issues exist in CUPS, the most serious of which may lead to arbitrary code execution with system privileges. This update addresses the issues by updating to CUPS 1.3.6. These issues do not affect systems prior to Mac OS X v10.5. Tomas Hoger writes: According to upstream, this CVE id was allocated for following issue fixed in CUPS 1.3.6 (see CHANGES.txt): - Fixed two overflow bugs in the HP-GL/2 filter (Coverity)
Local printing ....ok Remote printing from Windows ...ok Linux ...ok x86 good to go...again.
sparc still looks good, too, as described in Comment 9.
looks good on ppc64, too.
HPPA is OK again.
And on alpha, it works, too.
still looks good for ppc
Please note that the embargo has been delayed until Monday, 03/31.
(In reply to comment #24) > Please note that the embargo has been delayed until Monday, 03/31. .... and again, Tuesday it is.
This is public now. Printing, please commit with the keywords you gathered.
Arches, please test and mark stable: =net-print/cups-1.2.12-r7 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86" Already stabled : "alpha amd64 hppa ppc ppc64 sparc x86" Missing keywords: "arm ia64 m68k release s390 sh"
1.3.6 is unaffected for CVE-2008-0053. This is GLSA-200804-01 - no joke!
Stable on ia64 by armin76. Fixed in release snapshot.
*** Bug 215863 has been marked as a duplicate of this bug. ***
