The new release addresses a potential buffer overflow for compressed raster data and includes several general bug fixes. Changes include: Security: cupsRasterReadPixels buffer overflow with invalid page header and compressed raster data (STR #4551) Command-line programs were not localized on Mac OS X (<rdar://problem/14546232>) The scheduler incorrectly cleared the MakeModel string in the printers.conf file after a restart (<rdar://problem/16827518>) CUPS did not compile with older versions of GNU TLS (STR #4527) CUPS did not compile without Avahi or mDNSResponder (STR #4523) ippLength() did not return the correct length for IPP_TAG_CONST string values. The scheduler incorrectly aborted jobs after a job was restarted (<rdar://problem/19129387>) The cups-files.conf file contained the old ServerCertificate/Key directives instead of ServerKeychain. Fixed builds when no SSL/TLS library is available, or when explicitly disabled (STR #4531) Fixed an OpenBSD charset transcoding issue. Fixed USB printing on OpenBSD (STR #4525) The --without-xinetd configure option did not work (STR #4542) Backends needing to load OS X kernel extensions did not work (<rdar://problem/19015679>) Mapping of PPD keywords to IPP keywords did not work if the PPD keyword was already an IPP keyword (<rdar://problem/19121005>) cupsGetPPD* sent bad requests (STR #4567) ippserver used the wrong temporary directory on Windows (STR #4547) ippserver did not handle Bonjour registrations properly (STR #4548) The scheduler could crash during shutdown if Avahi was shutdown first (STR #4550) Added a USB quirk rule for Intermec printers (STR #4553) The scheduler did not always log which configuration file had the error (STR #4559) The ippfind and ipptool programs now correctly match hostnames with trailing dots (STR #4563) The ipptool timeout option did not work (STR #4515) Fixed several issues with client.conf, CUPS_SERVER, and the "-h" option of most commands (STR #4528) Another change for OpenBSD (STR #4526) Added Japanese localization (STR #4524) Documentation changes (STR #4569) Reproducible: Always
2.0.2 is already in the tree and it should fix this
(In reply to Pacho Ramos from comment #1) > 2.0.2 is already in the tree and it should fix this Is it ready for stabilization?
CVE-2014-9679 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9679): Integer underflow in the cupsRasterReadPixels function in filter/raster.c in CUPS before 2.0.2 allows remote attackers to have unspecified impact via a malformed compressed raster file, which triggers a buffer overflow.
Vulnerable versions have been removed. See bug #553644 and bug #553836
@security: Please create a glsa for that
New GLSA requested.
This issue was resolved and addressed in GLSA 201607-06 at https://security.gentoo.org/glsa/201607-06 by GLSA coordinator Aaron Bauman (b-man).
