
Bug#507183: marked as done (cups: integer overflow via validation code in of the image size)



Your message dated Tue, 02 Dec 2008 00:17:05 +0000
with message-id <E1L7Iwr-0001Ky-0D@ries.debian.org>
and subject line Bug#507183: fixed in cups 1.3.9-9
has caused the Debian Bug report #507183,
regarding cups: integer overflow via validation code in of the image size
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
507183: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507183
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cups
Version: 1.3.8-1lenny3
Severity: grave
Tags: security, patch
Justification: user security hole

Hi Martin

Cups upstream just fixed another integer overflow[0], which was introduced
due to an incomplete fix for CVE-2008-1722. The upstream commit can be
found here[1]. A CVE id has been requested and I'll post it as soon as
it is available.

Cheers
Steffen

[0]: http://www.cups.org/str.php?L2974

[1]: http://www.cups.org/strfiles/2974/str2974.patch



--- End Message ---
--- Begin Message ---
Source: cups
Source-Version: 1.3.9-9

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive:

cups-bsd_1.3.9-9_i386.deb
  to pool/main/c/cups/cups-bsd_1.3.9-9_i386.deb
cups-client_1.3.9-9_i386.deb
  to pool/main/c/cups/cups-client_1.3.9-9_i386.deb
cups-common_1.3.9-9_all.deb
  to pool/main/c/cups/cups-common_1.3.9-9_all.deb
cups-dbg_1.3.9-9_i386.deb
  to pool/main/c/cups/cups-dbg_1.3.9-9_i386.deb
cups_1.3.9-9.diff.gz
  to pool/main/c/cups/cups_1.3.9-9.diff.gz
cups_1.3.9-9.dsc
  to pool/main/c/cups/cups_1.3.9-9.dsc
cups_1.3.9-9_i386.deb
  to pool/main/c/cups/cups_1.3.9-9_i386.deb
cupsys-bsd_1.3.9-9_all.deb
  to pool/main/c/cups/cupsys-bsd_1.3.9-9_all.deb
cupsys-client_1.3.9-9_all.deb
  to pool/main/c/cups/cupsys-client_1.3.9-9_all.deb
cupsys-common_1.3.9-9_all.deb
  to pool/main/c/cups/cupsys-common_1.3.9-9_all.deb
cupsys-dbg_1.3.9-9_all.deb
  to pool/main/c/cups/cupsys-dbg_1.3.9-9_all.deb
cupsys_1.3.9-9_all.deb
  to pool/main/c/cups/cupsys_1.3.9-9_all.deb
libcups2-dev_1.3.9-9_i386.deb
  to pool/main/c/cups/libcups2-dev_1.3.9-9_i386.deb
libcups2_1.3.9-9_i386.deb
  to pool/main/c/cups/libcups2_1.3.9-9_i386.deb
libcupsimage2-dev_1.3.9-9_i386.deb
  to pool/main/c/cups/libcupsimage2-dev_1.3.9-9_i386.deb
libcupsimage2_1.3.9-9_i386.deb
  to pool/main/c/cups/libcupsimage2_1.3.9-9_i386.deb
libcupsys2-dev_1.3.9-9_all.deb
  to pool/main/c/cups/libcupsys2-dev_1.3.9-9_all.deb
libcupsys2_1.3.9-9_all.deb
  to pool/main/c/cups/libcupsys2_1.3.9-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 507183@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 01 Dec 2008 15:47:10 -0800
Source: cups
Binary: libcups2 libcupsimage2 cups cups-client libcups2-dev libcupsimage2-dev cups-bsd cups-common cups-dbg cupsys cupsys-client cupsys-common cupsys-bsd cupsys-dbg libcupsys2 libcupsys2-dev
Architecture: source all i386
Version: 1.3.9-9
Distribution: experimental
Urgency: low
Maintainer: Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>
Changed-By: Martin Pitt <mpitt@debian.org>
Description: 
 cups       - Common UNIX Printing System(tm) - server
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-dbg   - Common UNIX Printing System(tm) - debugging symbols
 cupsys     - Common UNIX Printing System (transitional package)
 cupsys-bsd - Common UNIX Printing System (transitional package)
 cupsys-client - Common UNIX Printing System (transitional package)
 cupsys-common - Common UNIX Printing System (transitional package)
 cupsys-dbg - Common UNIX Printing System (transitional package)
 libcups2   - Common UNIX Printing System(tm) - libs
 libcups2-dev - Common UNIX Printing System(tm) - development files
 libcupsimage2 - Common UNIX Printing System(tm) - image libs
 libcupsimage2-dev - Common UNIX Printing System(tm) - image development files
 libcupsys2 - Common UNIX Printing System (transitional package)
 libcupsys2-dev - Common UNIX Printing System (transitional package)
Closes: 507183
Changes: 
 cups (1.3.9-9) experimental; urgency=low
 .
   [ Till Kamppeter ]
   * debian/local/filters/pdf-filters/pdftopdf/P2PPage.cxx,
     debian/local/filters/pdf-filters/pdftopdf/P2PResources.cxx: Added
     processing of the rotate tag (LP: #300312).
 .
   [ Martin Pitt ]
   * Add png-image-int-overflow.dpatch: Fix integer overflow in the PNG image
     reader (Closes: #507183, STR #2974, CVE-2008-5286)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkk0elEACgkQDecnbV4Fd/I27wCg0rqhRTZcfCiBqlgGOROb1Kbr
T2wAoMJLEsp0Os0O4NH66oSVi9HrzgHT
=kH3a
-----END PGP SIGNATURE-----



--- End Message ---
