
Bug#324459: cupsys: Missing fix for CAN-2005-0064?



Package: cupsys
Version: 1.1.23-11
Priority: important
Tags: security

Reviewing the Fedora patches for cupsys I've found that
cups-CAN-2005-0064.patch (attached) is not available as a patch
in the Debian source package. This bug is described as
"Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf
3.00 and earlier allows remote attackers to execute arbitrary code via a PDF
file with a large /Encrypt /Length keyLength value."

And has been fixed in DSA-645 and DSA-648.

Please review this patch and apply it if needed.

Thanks

Javier
--- cups-1.1.17/pdftops/Decrypt.cxx	2005-01-14 14:26:55.679891237 +0000
+++ cups-1.1.17/pdftops/Decrypt.cxx	2005-01-17 14:21:58.917198715 +0000
@@ -116,13 +116,19 @@
   Guchar *buf;
   Guchar test[32];
   Guchar fState[256];
-  Guchar tmpKey[16];
+  Guchar *tmpKey;
   Guchar fx, fy;
   int len, i, j;
   GBool ok;
 
+  // check whether we have non-zero keyLength
+  if ( !keyLength || keyLength > 16 ) {
+    return gFalse;
+  }
+  
   // generate file key
   buf = (Guchar *)gmalloc(68 + fileID->getLength());
+  tmpKey = (Guchar *)gmalloc(keyLength * sizeof(Guchar));
   if (userPassword) {
     len = userPassword->getLength();
     if (len < 32) {
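
Review bot: the new guard `if ( !keyLength || keyLength > 16 )` does not reject negative values if keyLength is a signed type (its declaration is not visible in this hunk); a negative keyLength passes both tests and then reaches `gmalloc(keyLength * sizeof(Guchar))` as a very large size. Suggest `keyLength <= 0 || keyLength > 16`, and update the comment, which mentions only the non-zero test and not the upper bound. With the length capped at 16, the original `Guchar tmpKey[16]` is already large enough, so the switch to a heap allocation is not needed for the fix.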
@@ -175,6 +181,7 @@
     ok = gFalse;
   }
 
+  gfree(tmpKey);
   gfree(buf);
   return ok;
 }
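
Review bot: the `gfree(tmpKey)` added before `gfree(buf)` covers only the exit path shown here; the lines between the two hunks are not visible, so confirm that no return between the `gmalloc` of tmpKey and this point skips it, otherwise tmpKey leaks. Keeping the fixed `Guchar tmpKey[16]` together with the bounds check from the first hunk would remove both the allocation and this free.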
