Bug 249727 (CVE-2008-5286) - net-print/cups <1.3.9-r1 buffer overflow in _cupsImageReadPNG() (CVE-2008-5286)
Status: RESOLVED FIXED
Alias: CVE-2008-5286
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.cups.org/str.php?L2974
Whiteboard: B1 [glsa]
Reported: 2008-12-03 20:17 UTC by Stefan Behte (RETIRED)
Modified: 2020-04-10 11:35 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-12-03 20:17:12 UTC
CVE-2008-5286 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5286):
  Integer overflow in the _cupsImageReadPNG function in CUPS 1.1.17
  through 1.3.9 allows remote attackers to execute arbitrary code via a
  PNG image with a large height value, which bypasses a validation
  check and triggers a buffer overflow.
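The CVE text above describes a dimension check that an integer overflow in the size computation can bypass. The following is an added illustration (not CUPS code, not the upstream patch) of that failure mode beside an overflow-safe form; the dimension limits are assumed for the example:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed upper bounds for this example; not CUPS's own limits. */
#define MAX_WIDTH  16384u
#define MAX_HEIGHT 16384u

/* Unchecked size computation in a 32-bit unsigned: the product wraps, so a
 * huge height can yield a small byte count that passes a naive size test
 * while the decoder still writes `height` rows into the buffer. */
uint32_t unchecked_image_bytes(uint32_t width, uint32_t height, uint32_t depth)
{
    return width * height * depth;   /* wraps modulo 2^32 */
}

/* Hardened form: bound each dimension first, then compute the product in
 * size_t with an explicit overflow test before any allocation is sized.
 * Returns 0 on success and stores the byte count in *out, -1 on rejection. */
int checked_image_bytes(uint32_t width, uint32_t height, uint32_t depth,
                        size_t *out)
{
    if (width == 0 || height == 0 || depth == 0 || depth > 4)
        return -1;
    if (width > MAX_WIDTH || height > MAX_HEIGHT)
        return -1;
    size_t row = (size_t)width * depth;   /* bounded above, cannot overflow */
    if (height > SIZE_MAX / row)          /* row * height would overflow */
        return -1;
    *out = row * height;
    return 0;
}

int main(void)
{
    size_t n;
    /* 65536 x 65536 x 1 = 2^32 wraps to 0 in the unchecked computation. */
    printf("unchecked: %u bytes\n", unchecked_image_bytes(65536u, 65536u, 1u));
    printf("checked:   %s\n",
           checked_image_bytes(65536u, 65536u, 1u, &n) == 0 ? "accepted" : "rejected");
    if (checked_image_bytes(640u, 480u, 3u, &n) == 0)
        printf("640x480x3: %zu bytes\n", n);
    return 0;
}
```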
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-03 20:23:53 UTC
Please apply the patch or bump to 1.3.10 ASAP.
Comment 2 Timo Gurr (RETIRED) gentoo-dev 2008-12-04 21:45:15 UTC
Upstream patch added in net-print/cups-1.3.9-r1.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-06 14:57:50 UTC
Arches, please test and mark stable:
=net-print/cups-1.3.9-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-06 19:02:06 UTC
ppc stable
Comment 5 Richard Freeman gentoo-dev 2008-12-07 04:49:58 UTC
amd64 stable
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-12-07 13:52:15 UTC
Rerating B1: network connectivity is not default and cups does not run as root, but as lp.
Comment 7 Markus Meier gentoo-dev 2008-12-08 18:46:46 UTC
x86 stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2008-12-08 19:33:40 UTC
ppc64 done
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-09 02:08:43 UTC
Stable for HPPA.
Comment 10 Friedrich Oslage (RETIRED) gentoo-dev 2008-12-09 19:24:18 UTC
sparc stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-12-10 10:23:21 UTC
arm/ia64 stable
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2008-12-11 16:46:31 UTC
Stable on alpha.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-11 16:54:31 UTC
GLSA 200812-11 (apologies to Gentoo alpha users who got an unstable 1.3.9-r1 for a few hours after the advisory was sent)