Bug 380771 (CVE-2011-3170) - <net-print/cups-1.4.8-r1: "gif_read_lzw()" Buffer Overflow Vulnerability (CVE-2011-3170)
Summary: <net-print/cups-1.4.8-r1: "gif_read_lzw()" Buffer Overflow Vulnerability (CVE...
Status: RESOLVED FIXED
Alias: CVE-2011-3170
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/45796/
Whiteboard: B2 [glsa]
Duplicates: 380825
Depends on: 380825
Reported: 2011-08-26 19:00 UTC by Agostino Sarubbo
Modified: 2012-07-09 23:37 UTC

Description Agostino Sarubbo gentoo-dev 2011-08-26 19:00:45 UTC
From Secunia security advisory at $URL:

The vulnerability is caused due to a boundary error within the "gif_read_lzw()" function (filter/image-gif.c) and can be exploited to cause a heap-based buffer overflow via specially crafted GIF images.

The vulnerability is confirmed in version 1.4.6. Prior versions may also be affected.


Solution:
Update to version 1.4.7.


and

The vulnerability is confirmed in version 1.4.8. Other versions may also be affected.


Solution:
Fixed in the SVN repository.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2011-08-27 00:14:15 UTC
*cups-1.5.0-r1 (25 Aug 2011)
*cups-1.4.8-r21 (25 Aug 2011)
*cups-1.4.8-r1 (25 Aug 2011)

  25 Aug 2011; Timo Gurr <tgurr@gentoo.org> -cups-1.4.6-r21.ebuild,
  -cups-1.4.8.ebuild, +cups-1.4.8-r1.ebuild, +cups-1.4.8-r21.ebuild,
  +files/cups-1.4.8-CVE-2011-2896.patch, -cups-1.5.0.ebuild,
  +cups-1.5.0-r1.ebuild:
  Revbumps fixing security issue CVE-2011-2896. Remove old.


Note: CVE-2011-2896, although talking about cups, refers to SECUNIA:45621 (which is imho exactly the same issue for gimp).
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2011-08-27 10:30:18 UTC
net-print/cups-1.4.8-r1 stablerequest filed
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-08-27 10:32:45 UTC
*** Bug 380825 has been marked as a duplicate of this bug. ***
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-08-27 10:33:18 UTC
This particular patch is CVE-2011-3170.

The -2896 patch was not sufficient to fix the issue in cups, thus this patch was needed. Please fix the naming in CVS. After that, we'll call arches in *this* bug, as usual.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-08-27 10:48:04 UTC
Arches, please test and mark stable:
=net-print/cups-1.4.8-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 6 Agostino Sarubbo gentoo-dev 2011-08-27 11:59:59 UTC
Multiple compile test ok. No hw to test. amd64 ok
Comment 7 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2011-08-27 12:25:42 UTC
Archtested 1.4.8-r1 on amd64 (printing over wifi, administration interface, queues, jobs etc). All ok.
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-08-27 17:42:09 UTC
x86 stable
Comment 9 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-27 20:09:45 UTC
ppc/ppc64 stable
Comment 10 Tony Vroon (RETIRED) gentoo-dev 2011-08-28 22:23:09 UTC
+  28 Aug 2011; Tony Vroon <chainsaw@gentoo.org> cups-1.4.8-r1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Tomáš "Mepho" Pružina in security bug #380771.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2011-08-29 06:12:53 UTC
Stable for HPPA.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2011-09-03 13:21:53 UTC
alpha/arm/ia64/m68k/s390/sh/sparc
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-09-04 00:27:57 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 14 Andreas K. Hüttel archtester gentoo-dev 2012-01-15 20:41:49 UTC
No vulnerable version in the tree anymore.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 23:37:14 UTC
This issue was resolved and addressed in
 GLSA 201207-10 at http://security.gentoo.org/glsa/glsa-201207-10.xml
by GLSA coordinator Sean Amoss (ackle).