Even with the patch for CVE-2015-3258 in version 1.0.70 it was possible
to trigger an integer overflow leading to a heap-based buffer overflow
using the same vector (specially crafted line sizes).
The integer overflow has been assigned CVE-2015-3279 and is fixed in
version 1.0.71. Apart from that, the patch also hardens against
possible crashes due to missing calloc() success checks.
Red Hat bug:
+*cups-filters-1.0.71 (03 Jul 2015)
+ 03 Jul 2015; Andreas K. Huettel <email@example.com>
+ Version bump, bug 553836
Arches please stabilize net-print/cups-filters-1.0.71
Target: all stable arches
Stable for HPPA PPC64.
Stable on alpha.
Stable for ppc.
Integer overflow in filter/texttopdf.c in texttopdf in cups-filters before
1.0.71 allows remote attackers to cause a denial of service (crash) or
possibly execute arbitrary code via a crafted line size in a print job,
which triggers a heap-based buffer overflow.
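As an added illustration of the bug class described in the first comment and in the CVE text above (not cups-filters code; the cell_t type and the function names are hypothetical), here is an unchecked size multiplication that wraps before allocation, beside the hardened form that bounds the product and checks the calloc() result:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical per-character record; not cups-filters' real type. */
typedef struct { unsigned char ch; unsigned char attr; } cell_t;

/* Vulnerable pattern: line_len * lines is computed in unsigned int and can
 * wrap, so the byte count (and any allocation based on it) comes out far
 * smaller than the number of cells later written into it. Returns the byte
 * count only, so the wrap can be observed without touching memory. */
size_t unchecked_page_bytes(unsigned int line_len, unsigned int lines)
{
    unsigned int cells = line_len * lines;        /* may silently wrap */
    return (size_t)cells * sizeof(cell_t);
}

/* Hardened pattern: refuse sizes whose product cannot be represented, then
 * let the caller treat NULL from calloc() as an error rather than assuming
 * the allocation succeeded. */
cell_t *alloc_page(size_t line_len, size_t lines)
{
    if (line_len == 0 || lines == 0)
        return NULL;                              /* nothing to draw; also avoids /0 below */
    if (line_len > SIZE_MAX / lines)
        return NULL;                              /* cell count would overflow size_t */
    size_t cells = line_len * lines;
    if (cells > SIZE_MAX / sizeof(cell_t))
        return NULL;                              /* byte count would overflow size_t */
    return calloc(cells, sizeof(cell_t));         /* NULL on failure; caller must check */
}

/* Allocates, verifies the zero-fill of the last cell, frees. Returns 1 on
 * success, 0 if the request was rejected or calloc() failed. */
int alloc_page_roundtrip(size_t line_len, size_t lines)
{
    cell_t *page = alloc_page(line_len, lines);
    if (page == NULL)
        return 0;
    int ok = (page[line_len * lines - 1].ch == 0); /* in bounds and zeroed */
    free(page);
    return ok;
}
```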
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Maintainer(s), thank you for the cleanup.
Added to an existing GLSA Request.
Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in
GLSA 201510-08 at https://security.gentoo.org/glsa/201510-08
by GLSA coordinator Kristian Fiskerstrand (K_F).