Bug#436099: CVE-2007-3387: Integer overflow in cupsys

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#436099: CVE-2007-3387: Integer overflow in cupsys
From: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Sun, 05 Aug 2007 22:06:22 +1000
Message-id: <[🔎] 20070805120622.13728.38216.reportbug@katha.debian.org>
Reply-to: Steffen Joeris <steffen.joeris@skolelinux.de>, 436099@bugs.debian.org

Package: cupsys
Version: 1.2.12-1
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

A vulnerability has been found in libpoppler and related
packages. From CVE-2007-3387:

"Integer overflow in the StreamPredictor::StreamPredictor function in
gpdf before 2.8.2, as used in (1) poppler, (2) xpdf, (3) kpdf, (4)
kdegraphics, (5) CUPS, and other products, might allow remote
attackers to execute arbitrary code via a crafted PDF file."

Please mention the CVE id in the changelog.

A patch to fix this issue is attached below.
If you do not have the time, please give me permission to upload an
NMU.
Thanks for your efforts

Cheers
Steffen

diff -u cupsys-1.2.12/debian/patches/00list cupsys-1.2.12/debian/patches/00list
--- cupsys-1.2.12/debian/patches/00list
+++ cupsys-1.2.12/debian/patches/00list
@@ -26,0 +27 @@
+CVE-2007-3387.dpatch
diff -u cupsys-1.2.12/debian/changelog cupsys-1.2.12/debian/changelog
--- cupsys-1.2.12/debian/changelog
+++ cupsys-1.2.12/debian/changelog
@@ -1,3 +1,12 @@
+cupsys (1.2.12-1.1) unstable; urgency=high
+
+  * Non-maintainer upload
+  * Include upstream patch to fix integer overflow in the
+    StreamPredictor::StreamPredictor function
+    Fixes: CVE-2007-3387
+
+ -- Steffen Joeris <white@debian.org>  Sun, 05 Aug 2007 11:18:08 +0000
+
 cupsys (1.2.12-1) unstable; urgency=low

   * New upstream release
only in patch2:
unchanged:
--- cupsys-1.2.12.orig/debian/patches/CVE-2007-3387.dpatch
+++ cupsys-1.2.12/debian/patches/CVE-2007-3387.dpatch
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-3387.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix integer overflow in Stream.cxx
+
+@DPATCH@
+--- Stream.cxx.old     2007-08-05 11:15:08.000000000 +0000
++++ cupsys-1.2.12/pdftops/Stream.cxx   2007-08-05 11:14:44.000000000 +0000
+@@ -412,9 +412,9 @@
+
+   nVals = width * nComps;
+   if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+-      nComps >= INT_MAX / nBits ||
+-      width >= INT_MAX / nComps / nBits ||
+-      nVals * nBits + 7 < 0) {
++      nComps > gfxColorMaxComps || nBits > 16 ||
++      width >= INT_MAX / nComps ||
++      nVals >= (INT_MAX - 7) / nBits) {
+     return;
+   }
+   pixBytes = (nComps * nBits + 7) >> 3;

Reply to:

Follow-Ups:
- Bug#436099: [Pkg-cups-devel] Bug#436099: CVE-2007-3387: Integer overflow in cupsys
  - From: "Martin-Éric Racine" <q-funk@iki.fi>
- Bug#436099: marked as done (CVE-2007-3387: Integer overflow in cupsys)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#422723: intend to NMU
Next by Date: Bug#436099: [Pkg-cups-devel] Bug#436099: CVE-2007-3387: Integer overflow in cupsys
Previous by thread: Bug#422723: intend to NMU
Next by thread: Bug#436099: [Pkg-cups-devel] Bug#436099: CVE-2007-3387: Integer overflow in cupsys
Index(es):
- Date
- Thread