** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Drew Yao and Aaron Sigel of Apple Product Security disclosed multiple vulnerabilities in CUPS:

CVE-2009-0163: Heap-based buffer overflow in the "imagetops" filter (_cupsImageReadTIFF()), possibly leading to the execution of arbitrary code.

CVE-2009-0164: The web interface is vulnerable to DNS rebinding attacks.

CUPS is vulnerable to the issues found in xpdf/poppler (CVE-2009-0166, CVE-2009-0146, CVE-2009-0147) as well. CUPS 1.3.10 will resolve this by removing the internal filter and calling the system-installed pdftops.
No commits into CVS, please. I'll add patches, we can do prestabling here.
Created attachment 185565 [details, diff] Patch for CVE-2009-0163
Created attachment 185566 [details, diff] Patch for CVE-2009-0164 This patch introduces host header validation and a new configuration option "ServerAlias".
Created attachment 185568 [details, diff] Patch for issue #3: Makes cups use external pdftops
Created attachment 187055 [details, diff] Revised patch for CVE-2009-0164 Upstream revised the patch and added documentation updates for the user impact of the DNS rebinding protection.
embargo is probably going to be postponed to 2009-04-16
Created attachment 187556 [details] cups-1.3.9-r2.tar.bz2 The tarball includes only the new files; just copy them into your local tree and manifest.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
alpha : armin76, klausman
amd64 : keytoaster, tester
hppa : jer
ppc : josejx, ranger
ppc64 : josejx, ranger
sparc : fmccor
x86 : armin76, maekke
Created attachment 188179 [details, diff] cups-1.3.9-CVE-2009-0163.patch [with unix newlines that patch accepts] The tarball contains a "files/cups-1.3.9-CVE-2009-0163.patch" [noeol][dos] (according to vim) that patch doesn't accept.
(In reply to comment #9)
> Created an attachment (id=188179) [edit]
> cups-1.3.9-CVE-2009-0163.patch [with unix newlines that patch accepts]
>
> The tarball contains a "files/cups-1.3.9-CVE-2009-0163.patch" [noeol][dos]
> (according to vim) that patch doesn't accept.

With that in place, HPPA is OK.
this is now public. cups 1.3.10 fixes the issue. Feel free to either bump to the prestable tested version, or to the version bump since only hppa replied (thanks Jeroen! I know I can count on you :-)
I've just committed cups-1.3.10.ebuild to the tree.
Arches, please test and mark stable: =net-print/cups-1.3.10 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
amd64 stable
x86 stable
ppc64 done
ppc done
Stable for HPPA.
arm/ia64/m68k/s390/sh/sparc stable
Stable on alpha.
glsa already filed by a3li.
GLSA 200904-20
CVE-2009-0163 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0163): Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and earlier allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a crafted TIFF image, which is not properly handled by the (1) _cupsImageReadTIFF function in the imagetops filter and (2) imagetoraster filter, leading to a heap-based buffer overflow.

CVE-2009-0164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0164): The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks.
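The Host header validation that the CVE-2009-0164 patch (comment 4) describes, written here as an added illustration rather than the CUPS project's own code: a request is served only if the Host header names this server (localhost, a numeric address, the configured ServerName, or a ServerAlias entry), so a DNS name an attacker controls that has been rebound to the printer's address is rejected. The server name and alias list below are constructed sample configuration, not values from the bug.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Copy the host part of a Host header into out, dropping any ":port"
 * suffix but keeping the brackets of an IPv6 literal such as "[::1]:631". */
static void strip_port(const char *hdr, char *out, size_t outlen)
{
    const char *end;
    if (hdr[0] == '[') {
        end = strchr(hdr, ']');
        end = end ? end + 1 : hdr + strlen(hdr);
    } else {
        end = strchr(hdr, ':');
        if (!end) end = hdr + strlen(hdr);
    }
    size_t n = (size_t)(end - hdr);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, hdr, n);
    out[n] = '\0';
}

/* True for a dotted IPv4 literal or a bracketed IPv6 literal. */
static bool is_ip_literal(const char *h)
{
    if (h[0] == '[') return h[strlen(h) - 1] == ']';
    for (const char *p = h; *p; p++)
        if (!isdigit((unsigned char)*p) && *p != '.') return false;
    return *h != '\0';
}

/* Accept only Host values that refer to this server; anything else is a
 * name the administrator never configured, which is the rebinding case. */
bool host_header_allowed(const char *host_hdr, const char *server_name,
                         const char *const *aliases, size_t nalias)
{
    char host[256];
    if (!host_hdr || !*host_hdr) return false;
    strip_port(host_hdr, host, sizeof host);
    if (!strcasecmp(host, "localhost") || is_ip_literal(host)) return true;
    if (!strcasecmp(host, server_name)) return true;
    for (size_t i = 0; i < nalias; i++)
        if (!strcasecmp(host, aliases[i])) return true;
    return false;
}

/* Constructed sample config: ServerName printsrv plus two ServerAlias lines. */
bool check_sample(const char *host_hdr)
{
    static const char *const aliases[] = { "print.example.org", "cups.internal" };
    return host_header_allowed(host_hdr, "printsrv", aliases, 2);
}
```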