Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 214068 - net-print/cups <1.2.12-r7 Multiple vulnerabilities (CVE-2008-{0053,1373})
Summary: net-print/cups <1.2.12-r7 Multiple vulnerabilities (CVE-2008-{0053,1373})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
: 215863 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-03-20 17:59 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-06 21:01 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
cups-1.2.12-CVE-2008-1373.patch (cups-1.2.12-CVE-2008-1373.patch,581 bytes, patch)
2008-03-20 18:00 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
cups-1.3.6-CVE-2008-1373.patch (cups-1.3.6-CVE-2008-1373.patch,551 bytes, patch)
2008-03-20 18:01 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
cups-1.2.12-r7.ebuild (cups-1.2.12-r7.ebuild,6.99 KB, text/plain)
2008-03-20 22:49 UTC, Timo Gurr (RETIRED)
no flags Details
cups-1.3.6-r3.ebuild (cups-1.3.6-r3.ebuild,8.11 KB, text/plain)
2008-03-20 22:52 UTC, Timo Gurr (RETIRED)
no flags Details
cups-1.2.12-CVE-2008-0053.patch (cups-1.2.12-CVE-2008-0053.patch,1.47 KB, patch)
2008-03-24 02:05 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
cups-1.2.12-r7.ebuild (cups-1.2.12-r7.ebuild,7.09 KB, text/plain)
2008-03-24 02:10 UTC, Robert Buchholz (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-20 17:59:08 UTC
Tomas Hoger writes:
Value of code_size is read from GIF image, but not properly validated
before use to initialize table array in gif_read_lzw().  clear_code
used as upper bound in for loop is short, hence overflow is limited to
~16k - 4k short int values.  Moreover, attacker has limited control
over the values written past the end of the buffer.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-20 18:00:21 UTC
Timo, this issue is under embargo until 2008-03-26. Do not commit anything to CVS until this date. Please prepare an updated ebuild and attach it to this bug, we will do prestable testing here. Thanks.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-20 18:00:52 UTC
Created attachment 146667 [details, diff]
cups-1.2.12-CVE-2008-1373.patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-20 18:01:05 UTC
Created attachment 146668 [details, diff]
cups-1.3.6-CVE-2008-1373.patch
Comment 4 Timo Gurr (RETIRED) gentoo-dev 2008-03-20 22:49:11 UTC
Created attachment 146714 [details]
cups-1.2.12-r7.ebuild

Added the patch for CVE-2008-1373 and also removed the unneeded (as also discussed per mail and with upstream) patch for CVE-2007-4045.
Comment 5 Timo Gurr (RETIRED) gentoo-dev 2008-03-20 22:52:31 UTC
Created attachment 146721 [details]
cups-1.3.6-r3.ebuild
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-03-20 23:12:42 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-03-20 23:14:24 UTC
(In reply to comment #6)
> Arch Security Liaisons, please test the attached ebuild and report it stable on
> this bug.

That is:
=net-print/cups-1.2.12-r7
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-21 09:43:02 UTC
Good to go on x86
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2008-03-21 13:12:38 UTC
Looks good on sparc.  Tested -1.2.12-r7, remote only, with {.ps, .pdf} files.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-21 16:43:37 UTC
HPPA is OK.
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2008-03-22 08:03:33 UTC
looks good on ppc64
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-22 10:05:09 UTC
looks good on ppc
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-03-22 16:15:00 UTC
Adding Tobias for alpha
Comment 14 Tobias Klausmann gentoo-dev 2008-03-22 16:51:17 UTC
=net-print/cups-1.2.12-r7 works dandy on alpha.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 02:05:24 UTC
Created attachment 147078 [details, diff]
cups-1.2.12-CVE-2008-0053.patch
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 02:10:20 UTC
Created attachment 147080 [details]
cups-1.2.12-r7.ebuild

Ok, cups is killing me these days. Could you please retest with the new -r7 ebuild? Thanks.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 02:18:09 UTC
CVE-2008-0053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0053):
  Unspecified vulnerability in CUPS before 1.3.6 in Apple Mac OS X 10.5.2 has
  unknown impact and attack vectors related to "input validation."

Apple Advisory:
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html

Impact:  Multiple vulnerabilities in CUPS may lead to an unexpected
application termination or arbitrary code execution with system
privileges
Description:  Multiple input validation issues exist in CUPS, the
most serious of which may lead to arbitrary code execution with
system privileges. This update addresses the issues by updating to
CUPS 1.3.6. These issues do not affect systems prior to Mac OS X
v10.5.

Tomas Hoger writes:
According to upstream, this CVE id was allocated for following issue fixed in
CUPS 1.3.6 (see CHANGES.txt):

- Fixed two overflow bugs in the HP-GL/2 filter (Coverity)
Comment 18 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-24 08:40:48 UTC
Local printing ....ok
Remote printing from
  Windows ...ok
  Linux ...ok

x86 good to go...again.
Comment 19 Ferris McCormick (RETIRED) gentoo-dev 2008-03-24 12:47:01 UTC
sparc still looks good, too, as described in Comment 9.
Comment 20 Markus Rothe (RETIRED) gentoo-dev 2008-03-24 15:42:03 UTC
looks good on ppc64, too.
Comment 21 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-24 16:27:44 UTC
HPPA is OK again.
Comment 22 Tobias Klausmann gentoo-dev 2008-03-24 19:07:24 UTC
And on alpha, it works, too.
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-24 19:34:00 UTC
still looks good for ppc
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2008-03-26 01:48:40 UTC
Please note that the embargo has been delayed until Monday, 03/31.
Comment 25 Markus Rothe (RETIRED) gentoo-dev 2008-03-26 07:30:46 UTC
looks good on ppc64
Comment 26 Robert Buchholz (RETIRED) gentoo-dev 2008-03-26 23:16:55 UTC
(In reply to comment #24)
> Please note that the embargo has been delayed until Monday, 03/31.

.... and again, Tuesday it is.
Comment 27 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 14:24:55 UTC
This is public now. Printing, please commit with the keywords you gathered.
Comment 28 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 19:12:36 UTC
Arches, please test and mark stable:
=net-print/cups-1.2.12-r7
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ppc ppc64 sparc x86"
Missing keywords: "arm ia64 m68k release s390 sh"
Comment 29 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 19:18:49 UTC
1.3.6 is unaffected for CVE-2008-0053.

This is GLSA-200804-01 - no joke!
Comment 30 Peter Volkov (RETIRED) gentoo-dev 2008-04-02 11:52:25 UTC
Stable on ia64 by armin76.
Fixed in release snapshot.
Comment 31 Robert Buchholz (RETIRED) gentoo-dev 2008-04-02 12:55:07 UTC
*** Bug 215863 has been marked as a duplicate of this bug. ***