** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

David Remahl wrote:

Apple has been notified of three vulnerabilities in CUPS (Common Unix Printing System). They are described below along with their Apple-assigned CVEs and CUPS STRs (restricted from public view).

1. imagetops heap-based buffer overflow (CVE-2008-3639, CUPS STR #2918)

A heap-based buffer overflow issue exists within the read_rle16() function of the imagetops CUPS image filter. The row count is not properly validated, and is used to control how many 16-bit integers are stored in a heap-based buffer.

Credit: "regenrecht" working with iDefense

2. texttops integer overflow (CVE-2008-3640, CUPS STR #2919)

An integer overflow issue exists within the WriteProlog() function in the texttops CUPS image filter. When calculating the page size for storing PostScript data, values are derived from user content and are used in multiplication. If the operation overflows, a small destination buffer may be allocated, resulting in a heap-based buffer overflow.

Credit: "regenrecht" working with iDefense

3. hpgltops write-what-where (CVE-2008-3641, CUPS STR #2911)

An unchecked index issue exists within the PW_pen_width() and PC_pen_color() functions in the hpgltops CUPS image filter. Buffer bounds are not properly validated when handling the pen width and pen color opcodes, potentially resulting in arbitrary memory being overwritten with controlled data.

Credit: "regenrecht" working with TippingPoint
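The three reports above are instances of three classic filter-input bug classes: a length taken from the file that controls how many elements are written into a fixed heap buffer (read_rle16), a buffer size computed by multiplying attacker-derived values without an overflow check (WriteProlog), and an opcode argument used as a table index without a range check (PW_pen_width/PC_pen_color). The following is an added illustration of each check, not CUPS code and not the content of the attached patches; the function names, the 32-bit size type, the table sizes and the sample inputs are all assumptions chosen to make the pattern visible.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration of the three bug classes named in the report.
 * None of this is CUPS code; names, the uint32_t size type and the
 * table sizes are assumptions, not the filters' real data structures.
 */

/* Class 2 (texttops, CVE-2008-3640): a buffer size derived from user
 * content by multiplication. An unchecked uint32_t product wraps, so a
 * huge page can yield a tiny allocation that is later overrun. */
static uint32_t unchecked_page_bytes(uint32_t cols, uint32_t rows,
                                     uint32_t bytes_per_cell)
{
    return cols * rows * bytes_per_cell;    /* wraps silently */
}

/* Same computation with every multiplication checked against UINT32_MAX.
 * Returns 0 on overflow or a zero operand, so the caller treats 0 as
 * "reject the job" instead of allocating a too-small buffer. */
static uint32_t checked_page_bytes(uint32_t cols, uint32_t rows,
                                   uint32_t bytes_per_cell)
{
    if (cols == 0 || rows == 0 || bytes_per_cell == 0)
        return 0;
    if (cols > UINT32_MAX / rows)
        return 0;
    uint32_t cells = cols * rows;
    if (cells > UINT32_MAX / bytes_per_cell)
        return 0;
    return cells * bytes_per_cell;
}

/* Class 1 (imagetops, CVE-2008-3639): a run length read from the file
 * decides how many 16-bit values go into a fixed heap buffer. The bound
 * is written as a subtraction so that pos + count cannot itself wrap. */
static int rle16_run_fits(size_t buf_len, size_t pos, size_t count)
{
    return pos <= buf_len && count <= buf_len - pos;
}

static int store_rle16_run(uint16_t *buf, size_t buf_len,
                           size_t pos, size_t count, uint16_t value)
{
    if (!rle16_run_fits(buf_len, pos, count))
        return -1;                          /* malformed RLE data: reject */
    for (size_t i = 0; i < count; i++)
        buf[pos + i] = value;
    return 0;
}

/* Class 3 (hpgltops, CVE-2008-3641): an opcode carries a pen number that
 * indexes a fixed table. Without the range check a negative or oversized
 * pen number turns the opcode into a write-what-where. */
static int pen_index_valid(long pen, size_t npens)
{
    return pen >= 0 && (unsigned long)pen < npens;
}

static int set_pen_width(double *widths, size_t npens, long pen, double w)
{
    if (!pen_index_valid(pen, npens))
        return -1;
    widths[pen] = w;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a 65536x65536 "page" wraps the 32-bit product to 0. */
    printf("unchecked: %" PRIu32 " bytes\n",
           unchecked_page_bytes(65536, 65536, 1));
    printf("checked:   %" PRIu32 " bytes (0 = rejected)\n",
           checked_page_bytes(65536, 65536, 1));

    uint16_t row[16] = {0};
    printf("rle run at 10, length 10, buffer 16: %s\n",
           store_rle16_run(row, 16, 10, 10, 0xffff) == 0 ? "stored" : "rejected");

    double pens[8] = {0};
    printf("pen 8 of 8: %s\n",
           set_pen_width(pens, 8, 8, 1.0) == 0 ? "set" : "rejected");
    return 0;
}
```

The unchecked variant is shown only to make the wrap visible; the point of the checked variants is that every size, count or index taken from the document is compared against the real capacity before it drives a write, and that the comparison itself is written so it cannot overflow.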
Created attachment 166712 [details, diff] cups-1.3.8-CVE-2008-3639.patch
Created attachment 166713 [details, diff] cups-1.3.8-CVE-2008-3640.patch
Created attachment 166715 [details, diff] cups-1.3.8-CVE-2008-3641.patch
The last two patches don't apply to 1.2.12 -- if we want to push a new stable, we need to do some backporting of the patches.
Created attachment 167039 [details] cups-1.3.8-r2-overlay.tar.gz overlay containing cups-1.3.8-r2 and the patches
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

=net-print/cups-1.3.8-r2
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

CC'ing current Liaisons:
alpha : yoswink, armin76
amd64 : keytoaster, tester
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : maekke, armin76
Comment on attachment 167039 [details] cups-1.3.8-r2-overlay.tar.gz Um, sorry. I am suddenly not quite sure anymore that I was doing the right thing there. Opera messes with compression sometimes.
HPPA is OK.
Comment on attachment 167039 [details] cups-1.3.8-r2-overlay.tar.gz You're right, it is tar only. I forgot the z parameter.
amd64 OK
Sparc stable. My test is network only, using {.pdf, .ps} files and two printers:
HP: HP_4_SI_MX
Xerox: DocuPrint_N2125 (with duplexer unit)
Adding Tobias for alpha
looks good on amd64/x86
looks good on ppc, too
looks good on ppc64.
public now, please commit.
Thanks everyone, I've committed cups-1.3.8-r2 with stable keywords: amd64 hppa ppc ppc64 sparc x86. I've also sneaked in a little upstream patch to fix the broken desktop file (bug #236706) with -r2. On a last note, I've also followed rbu's advice on how to handle our insecure 1.2.12 revisions and removed the keywords of non-slacker archs with this commit.
Arches, please test and mark stable:
=net-print/cups-1.3.8-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Already stabled : "amd64 hppa ppc ppc64 sparc x86"
Missing keywords: "alpha arm ia64 m68k s390 sh"
CVE-2008-3639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3639):
Heap-based buffer overflow in the read_rle16 function in imagetops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via an SGI image with malformed Run Length Encoded (RLE) data containing a small image and a large row count.

CVE-2008-3640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3640):
Integer overflow in the WriteProlog function in texttops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via a crafted PostScript file that triggers a heap-based buffer overflow.
Stable on alpha.
Please be sure to delete and redownload the cups tarball if you've already downloaded it before, since upstream seems to have changed it some time ago, see bug #241216.
ia64 stable, everything else is done
GLSA request has been filed (rbu).
GLSA 200812-11