Bug#436099: [Pkg-cups-devel] Bug#436099: CVE-2007-3387: Integer overflow in cupsys

To: "Steffen Joeris" <steffen.joeris@skolelinux.de>, 436099@bugs.debian.org
Subject: Bug#436099: [Pkg-cups-devel] Bug#436099: CVE-2007-3387: Integer overflow in cupsys
From: "Martin-Éric Racine" <q-funk@iki.fi>
Date: Sun, 5 Aug 2007 15:18:14 +0300
Message-id: <[🔎] 11fae7c70708050518q49d704e8i77f7414cc1f3a8c7@mail.gmail.com>
Reply-to: "Martin-Éric Racine" <q-funk@iki.fi>, 436099@bugs.debian.org
In-reply-to: <[🔎] 20070805120622.13728.38216.reportbug@katha.debian.org>
References: <[🔎] 20070805120622.13728.38216.reportbug@katha.debian.org>

Thanks for reminding us. We should be able to upload this later today.

On 8/5/07, Steffen Joeris <steffen.joeris@skolelinux.de> wrote:
> Package: cupsys
> Version: 1.2.12-1
> Severity: grave
> Tags: security, patch
> Justification: user security hole
>
> Hi
>
> A vulnerability has been found in libpoppler and related
> packages. From CVE-2007-3387:
>
> "Integer overflow in the StreamPredictor::StreamPredictor function in
> gpdf before 2.8.2, as used in (1) poppler, (2) xpdf, (3) kpdf, (4)
> kdegraphics, (5) CUPS, and other products, might allow remote
> attackers to execute arbitrary code via a crafted PDF file."
>
> Please mention the CVE id in the changelog.
>
> A patch to fix this issue is attached below.
> If you do not have the time, please give me permission to upload an
> NMU.
> Thanks for your efforts
>
> Cheers
> Steffen
>
> diff -u cupsys-1.2.12/debian/patches/00list cupsys-1.2.12/debian/patches/00list
> --- cupsys-1.2.12/debian/patches/00list
> +++ cupsys-1.2.12/debian/patches/00list
> @@ -26,0 +27 @@
> +CVE-2007-3387.dpatch
> diff -u cupsys-1.2.12/debian/changelog cupsys-1.2.12/debian/changelog
> --- cupsys-1.2.12/debian/changelog
> +++ cupsys-1.2.12/debian/changelog
> @@ -1,3 +1,12 @@
> +cupsys (1.2.12-1.1) unstable; urgency=high
> +
> +  * Non-maintainer upload
> +  * Include upstream patch to fix integer overflow in the
> +    StreamPredictor::StreamPredictor function
> +    Fixes: CVE-2007-3387
> +
> + -- Steffen Joeris <white@debian.org>  Sun, 05 Aug 2007 11:18:08 +0000
> +
>  cupsys (1.2.12-1) unstable; urgency=low
>
>    * New upstream release
> only in patch2:
> unchanged:
> --- cupsys-1.2.12.orig/debian/patches/CVE-2007-3387.dpatch
> +++ cupsys-1.2.12/debian/patches/CVE-2007-3387.dpatch
> @@ -0,0 +1,22 @@
> +#! /bin/sh /usr/share/dpatch/dpatch-run
> +## CVE-2007-3387.dpatch
> +##
> +## All lines beginning with `## DP:' are a description of the patch.
> +## DP: Fix integer overflow in Stream.cxx
> +
> +@DPATCH@
> +--- Stream.cxx.old     2007-08-05 11:15:08.000000000 +0000
> ++++ cupsys-1.2.12/pdftops/Stream.cxx   2007-08-05 11:14:44.000000000 +0000
> +@@ -412,9 +412,9 @@
> +
> +   nVals = width * nComps;
> +   if (width <= 0 || nComps <= 0 || nBits <= 0 ||
> +-      nComps >= INT_MAX / nBits ||
> +-      width >= INT_MAX / nComps / nBits ||
> +-      nVals * nBits + 7 < 0) {
> ++      nComps > gfxColorMaxComps || nBits > 16 ||
> ++      width >= INT_MAX / nComps ||
> ++      nVals >= (INT_MAX - 7) / nBits) {
> +     return;
> +   }
> +   pixBytes = (nComps * nBits + 7) >> 3;
>
>
> _______________________________________________
> Pkg-cups-devel mailing list
> Pkg-cups-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-cups-devel
>


-- 
Martin-Éric Racine
http://q-funk.iki.fi

Reply to:

References:
- Bug#436099: CVE-2007-3387: Integer overflow in cupsys
  - From: Steffen Joeris <steffen.joeris@skolelinux.de>

Prev by Date: Bug#436099: CVE-2007-3387: Integer overflow in cupsys
Next by Date: Bug#436099: marked as done (CVE-2007-3387: Integer overflow in cupsys)
Previous by thread: Bug#436099: CVE-2007-3387: Integer overflow in cupsys
Next by thread: Bug#436099: marked as done (CVE-2007-3387: Integer overflow in cupsys)
Index(es):
- Date
- Thread