
Bug#436099: marked as done (CVE-2007-3387: Integer overflow in cupsys)



Your message dated Sun, 5 Aug 2007 19:07:47 +0200
with message-id <20070805170747.GB6303@piware.de>
and subject line [Pkg-cups-devel] Bug#436099: CVE-2007-3387: Integer overflow in cupsys
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: cupsys
Version: 1.2.12-1
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

A vulnerability has been found in libpoppler and related
packages. From CVE-2007-3387:

"Integer overflow in the StreamPredictor::StreamPredictor function in
gpdf before 2.8.2, as used in (1) poppler, (2) xpdf, (3) kpdf, (4)
kdegraphics, (5) CUPS, and other products, might allow remote
attackers to execute arbitrary code via a crafted PDF file."

Please mention the CVE id in the changelog.

A patch to fix this issue is attached below.
If you do not have the time, please give me permission to upload an
NMU.
Thanks for your efforts

Cheers
Steffen

diff -u cupsys-1.2.12/debian/patches/00list cupsys-1.2.12/debian/patches/00list
--- cupsys-1.2.12/debian/patches/00list
+++ cupsys-1.2.12/debian/patches/00list
@@ -26,0 +27 @@
+CVE-2007-3387.dpatch
diff -u cupsys-1.2.12/debian/changelog cupsys-1.2.12/debian/changelog
--- cupsys-1.2.12/debian/changelog
+++ cupsys-1.2.12/debian/changelog
@@ -1,3 +1,12 @@
+cupsys (1.2.12-1.1) unstable; urgency=high
+
+  * Non-maintainer upload
+  * Include upstream patch to fix integer overflow in the
+    StreamPredictor::StreamPredictor function
+    Fixes: CVE-2007-3387
+
+ -- Steffen Joeris <white@debian.org>  Sun, 05 Aug 2007 11:18:08 +0000
+
 cupsys (1.2.12-1) unstable; urgency=low

   * New upstream release
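
Review bot: The new 1.2.12-1.1 changelog entry cites CVE-2007-3387 but carries no "Closes: #436099", so an upload with this entry would not close the report automatically. The entry also names only the function; mentioning the added file (debian/patches/CVE-2007-3387.dpatch) and the component it touches (pdftops/Stream.cxx) would make the change traceable from the changelog alone.
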
only in patch2:
unchanged:
--- cupsys-1.2.12.orig/debian/patches/CVE-2007-3387.dpatch
+++ cupsys-1.2.12/debian/patches/CVE-2007-3387.dpatch
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-3387.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix integer overflow in Stream.cxx
+
+@DPATCH@
+--- Stream.cxx.old     2007-08-05 11:15:08.000000000 +0000
++++ cupsys-1.2.12/pdftops/Stream.cxx   2007-08-05 11:14:44.000000000 +0000
+@@ -412,9 +412,9 @@
+
+   nVals = width * nComps;
+   if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+-      nComps >= INT_MAX / nBits ||
+-      width >= INT_MAX / nComps / nBits ||
+-      nVals * nBits + 7 < 0) {
++      nComps > gfxColorMaxComps || nBits > 16 ||
++      width >= INT_MAX / nComps ||
++      nVals >= (INT_MAX - 7) / nBits) {
+     return;
+   }
+   pixBytes = (nComps * nBits + 7) >> 3;
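
Review bot: In the Stream.cxx hunk, `nVals = width * nComps;` still runs before the range checks, so the product can already overflow (undefined behaviour for signed integers, which the INT_MAX bounds suggest these are) before `width >= INT_MAX / nComps` rejects the input. Moving the assignment below the `if` keeps the multiplication behind the validation; the `nVals >= (INT_MAX - 7) / nBits` test would then need to be expressed in terms of `width` and `nComps` or split into a second check after the assignment. Separately, the bare `return;` gives no indication in these lines that the predictor was rejected, so it is worth confirming that callers cannot go on to use an object that bailed out here.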


--- End Message ---
--- Begin Message ---
Hi Steffen,

Steffen Joeris [2007-08-05 22:06 +1000]:
> A vulnerability has been found in libpoppler and related
> packages. From CVE-2007-3387:
> 
> "Integer overflow in the StreamPredictor::StreamPredictor function in
> gpdf before 2.8.2, as used in (1) poppler, (2) xpdf, (3) kpdf, (4)
> kdegraphics, (5) CUPS, and other products, might allow remote
> attackers to execute arbitrary code via a crafted PDF file."

Thanks, this was already on my radar, but Debian's cupsys is not
affected by this. We have used the external xpdf-utils in Sarge and
poppler-utils since Etch, specifically to avoid using the duplicated
xpdf code in cups.

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org


--- End Message ---
