Package: cupsys
Version: 1.1.23-11
Priority: important
Tags: security

Reviewing the Fedora patches for cupsys, I've found that cups-CAN-2005-0064.patch (attached) is not available as a patch in the Debian source package.

This bug is described as "Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value." And has been fixed in DSA-645 and DSA-648.

Please review this patch and apply it if needed.

Thanks

Javier
--- cups-1.1.17/pdftops/Decrypt.cxx 2005-01-14 14:26:55.679891237 +0000 +++ cups-1.1.17/pdftops/Decrypt.cxx 2005-01-17 14:21:58.917198715 +0000 @@ -116,13 +116,19 @@ Guchar *buf; Guchar test[32]; Guchar fState[256]; - Guchar tmpKey[16]; + Guchar *tmpKey; Guchar fx, fy; int len, i, j; GBool ok; + // check whether we have non-zero keyLength + if ( !keyLength || keyLength > 16 ) { + return gFalse; + } + // generate file key buf = (Guchar *)gmalloc(68 + fileID->getLength()); + tmpKey = (Guchar *)gmalloc(keyLength * sizeof(Guchar)); if (userPassword) { len = userPassword->getLength(); if (len < 32) { @@ -175,6 +181,7 @@ ok = gFalse; } + gfree(tmpKey); gfree(buf); return ok; }
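Review bot: In the first hunk, the new guard `if ( !keyLength || keyLength > 16 )` rejects zero and values above 16 but not negative ones; if keyLength is a signed integer, a negative length passes both tests and reaches `gmalloc(keyLength * sizeof(Guchar))`. Suggest `if ( keyLength <= 0 || keyLength > 16 )`. The comment above the guard mentions only the non-zero check and should also state the upper bound of 16, since that bound is what protects the buffer that used to be `Guchar tmpKey[16]`.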
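Review bot: In the second hunk, the added `gfree(tmpKey);` is needed only because the first hunk moves tmpKey to the heap. With keyLength capped at 16 by the new guard, the original `Guchar tmpKey[16];` is already large enough, so keeping the stack array and the guard alone would avoid the extra allocation and remove the chance of a leak if a return is later added between the `gmalloc` and this free.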