Summary: | <net-print/cups-1.3.10 Multiple vulnerabilities (CVE-2009-{0163,0164}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | printing |
Priority: | High | Keywords: | STABLEREQ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.cups.org/articles.php?L582 | ||
Whiteboard: | A2? [glsa] | ||
Description
Alex Legler (RETIRED)
2009-03-19 19:38:59 UTC
No commits into CVS, please. I'll add patches, we can do prestabling here.
Created attachment 185565
Patch for CVE-2009-0163
Created attachment 185566
Patch for CVE-2009-0164
This patch introduces host header validation and a new configuration option "ServerAlias".
Created attachment 185568
Patch for issue #3: Makes cups use external pdftops
Created attachment 187055
Revised patch for CVE-2009-0164
Upstream revised the patch and added documentation updates for the user impact of the DNS rebinding protection.
Embargo is probably going to be postponed to 2009-04-16
Created attachment 187556
cups-1.3.9-r2.tar.bz2
Tarball includes only new files, just copy into your local tree and manifest.

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : armin76, klausman
amd64 : keytoaster, tester
hppa : jer
ppc : josejx, ranger
ppc64 : josejx, ranger
sparc : fmccor
x86 : armin76, maekke

Created attachment 188179
cups-1.3.9-CVE-2009-0163.patch [with unix newlines that patch accepts]
The tarball contains a "files/cups-1.3.9-CVE-2009-0163.patch" [noeol][dos] (according to vim) that patch doesn't accept.
(In reply to comment #9)
> Created an attachment (id=188179)
> cups-1.3.9-CVE-2009-0163.patch [with unix newlines that patch accepts]
>
> The tarball contains a "files/cups-1.3.9-CVE-2009-0163.patch" [noeol][dos]
> (according to vim) that patch doesn't accept.

With that in place, HPPA is OK.

This is now public. cups 1.3.10 fixes the issue. Feel free to either bump to the prestable tested version, or to the version bump since only hppa replied (thanks Jeroen! I know I can count on you :-)

I've just committed cups-1.3.10.ebuild to the tree.

Arches, please test and mark stable: =net-print/cups-1.3.10
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

amd64 stable

x86 stable

ppc64 done

ppc done

Stable for HPPA.

arm/ia64/m68k/s390/sh/sparc stable

Stable on alpha.

glsa already filed by a3li.

GLSA 200904-20

CVE-2009-0163 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0163): Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and earlier allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a crafted TIFF image, which is not properly handled by the (1) _cupsImageReadTIFF function in the imagetops filter and (2) imagetoraster filter, leading to a heap-based buffer overflow.

CVE-2009-0164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0164): The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks.
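
The kind of Host header validation the CVE-2009-0164 fix is described as adding, shown as an added example in C; it is not CUPS code and not the attached patch. The names `ieq`, `host_part` and `host_is_allowed` are hypothetical, the `aliases` array stands in for names configured with "ServerAlias", and always accepting loopback names is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive string equality (host names are not case sensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Copy the host part of a Host header value into out, dropping ":port" and
 * one trailing dot. Returns 0 on success, -1 if empty, too long or malformed. */
static int host_part(const char *hdr, char *out, size_t outlen)
{
    size_t n;
    if (hdr[0] == '[') {                 /* bracketed IPv6 literal */
        const char *end = strchr(hdr, ']');
        if (!end || (end[1] != '\0' && end[1] != ':'))
            return -1;
        n = (size_t)(end - hdr) + 1;     /* keep the brackets */
    } else {
        n = strcspn(hdr, ":");
    }
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, hdr, n);
    out[n] = '\0';
    if (n > 1 && out[n - 1] == '.')      /* "printer.example." */
        out[n - 1] = '\0';
    return 0;
}

/* Return 1 if the Host header names this server, else 0. Assumptions:
 * aliases[] stands in for ServerAlias names; loopback names always pass. */
int host_is_allowed(const char *hdr, const char *const *aliases, size_t count)
{
    char host[256];
    if (!hdr || host_part(hdr, host, sizeof(host)) != 0)
        return 0;
    if (ieq(host, "localhost") || ieq(host, "127.0.0.1") || ieq(host, "[::1]"))
        return 1;
    for (size_t i = 0; i < count; i++)
        if (ieq(host, aliases[i]))
            return 1;
    return 0;                            /* unknown name: reject */
}
```

A request whose Host header names a domain the server was never configured with is refused even though it arrived on the server's own address, which is what removes the DNS rebinding path; the cost is that every legitimate name clients use has to be listed.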