
Bug#324460: cupsys: Missing fix for CAN-2004-0888?



Package: cupsys
Version: 1.1.23-11
Priority: important
Tags: security

Reviewing the Fedora patches for cupsys I've found that
cups-CAN-2004-0888.patch (attached) is not available as a patch
in the Debian source package. This bug is described as
"Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use
xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code, a
different set of vulnerabilities than those identified by CAN-2004-0889."

It has been fixed in DSA-573, DSA-581, and DSA-599.

Please review this patch and apply it if needed.

Thanks

Javier
--- cups-1.1.23/pdftops/XRef.cxx.CAN-2004-0888	2004-10-13 21:55:53.000000000 +0100
+++ cups-1.1.23/pdftops/XRef.cxx	2005-02-07 16:32:55.429806230 +0000
@@ -76,7 +76,7 @@
 
   // trailer is ok - read the xref table
   } else {
-    if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
+    if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
       error(-1, "Invalid 'size' inside xref table.");
       ok = gFalse;
       errCode = errDamaged;
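Review bot: The added test `size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size` now multiplies in `int`, so it detects overflow only through signed wraparound, which is undefined behaviour in C++ and may be removed by an optimising compiler. A bound check that cannot overflow states the intent directly, e.g. `if (size < 0 || size > INT_MAX / (int)sizeof(XRefEntry)) {` (this assumes `<limits.h>` is included, which is not visible here). The same multiply-then-divide pattern appears in the other three XRef.cxx hunks and in both Catalog.cxx hunks, so the same rewrite applies there. The enclosing function starts and ends outside the hunk.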
@@ -291,7 +291,7 @@
     // table size
     if (first + n > size) {
       newSize = first + n;
-      if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+      if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
         error(-1, "Invalid 'newSize'");
         goto err2;
       }
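Review bot: The sum in `if (first + n > size)` and `newSize = first + n;` is evaluated before the patched check, so the check cannot see an overflow in the addition itself. If `first` and `n` are read from the xref section being parsed (their origin is outside this hunk), a wrapped sum would compare as not greater than `size` and the table would not be grown at all. Consider rejecting the values before the comparison, e.g. `if (first < 0 || n < 0 || first > INT_MAX - n) goto err2;` (the right error label is an assumption from the visible `goto err2`). The enclosing function starts and ends outside the hunk.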
@@ -445,7 +445,7 @@
 	    if (!strncmp(p, "obj", 3)) {
 	      if (num >= size) {
 		newSize = (num + 1 + 255) & ~255;
-	        if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+	        if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
 	          error(-1, "Invalid 'obj' parameters.");
 	          return gFalse;
 	        }
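Review bot: The rounding on the context line `newSize = (num + 1 + 255) & ~255;` can itself overflow for a very large `num`, before the patched multiplication check is reached. Bounding `num` first, e.g. `if (num > INT_MAX - 256) { error(-1, "Invalid 'obj' parameters."); return gFalse; }`, keeps the arithmetic defined and makes the later size test a plain range comparison. The enclosing loop and function start and end outside the hunk.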
@@ -470,7 +470,7 @@
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen == streamEndsSize) {
 	streamEndsSize += 64;
-        if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+        if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {
           error(-1, "Invalid 'endstream' parameter.");
           return gFalse;
         }
--- cups-1.1.23/pdftops/Catalog.cxx.CAN-2004-0888	2004-10-13 21:55:53.000000000 +0100
+++ cups-1.1.23/pdftops/Catalog.cxx	2005-02-07 16:34:17.268156509 +0000
@@ -64,8 +64,8 @@
   }
   pagesSize = numPages0 = (int)obj.getNum();
   obj.free();
-  if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
-      pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+  if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+      pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
     error(-1, "Invalid 'pagesSize'");
     ok = gFalse;
     return;
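Review bot: `pagesSize` is taken from `(int)obj.getNum()` on the context line above, and nothing visible in the hunk rejects a negative page count explicitly. The patched expression tends to fail for negative values on common platforms, but only as a side effect of the signed-to-unsigned conversion in the division. An explicit guard such as `if (pagesSize < 0 || pagesSize > INT_MAX / (int)sizeof(Page *) || pagesSize > INT_MAX / (int)sizeof(Ref)) {` would not depend on that. If `getNum()` returns a floating-point value (not visible here), a range check before the cast is also worth adding, since converting an out-of-range value to `int` is undefined. The enclosing constructor starts and ends outside the hunk.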
@@ -197,7 +197,8 @@
       }
       if (start >= pagesSize) {
 	pagesSize += 32;
-        if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize) {
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+	    pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
           error(-1, "Invalid 'pagesSize' parameter.");
           goto err3;
         }

Attachment: signature.asc
Description: Digital signature

