Package: cupsys Version: 1.2.7-4etch1 Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for cupsys. CVE-2007-5849[0]: | Integer underflow in the asn1_get_string function in the SNMP back end | for CUPS allows remote attackers to execute arbitrary code via a | crafted SNMP response that triggers a stack-based buffer overflow. I attached a patch which fixes this problem. Sarge is not affected by this as the SNMP backend was introduced later. If you fix this vulnerability please also include the CVE id in your changelog entry. For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5849 Kind regards Nico -- Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -Naur cups-1.3.4/backend/snmp.c cups-1.3.4.new/backend/snmp.c
--- cups-1.3.4/backend/snmp.c 2007-07-11 23:46:42.000000000 +0200
+++ cups-1.3.4.new/backend/snmp.c 2007-12-10 12:56:12.680574919 +0100
@@ -1064,18 +1064,38 @@
char *string, /* I - String buffer */
int strsize) /* I - String buffer size */
{
- if (length < strsize)
+ if (length < 0)
{
- memcpy(string, *buffer, length);
+ /*
+ * Disallow negative lengths!
+ */
+
+ fprintf(stderr, "ERROR: Bad ASN1 string length %d!\n", length);
+ *string = '\0';
+ }
+ else if (length < strsize)
+ {
+ /*
+ * String is smaller than the buffer...
+ */
+
+ if (length > 0)
+ memcpy(string, *buffer, length);
+
string[length] = '\0';
}
else
{
+ /*
+ * String is larger than the buffer...
+ */
+
memcpy(string, buffer, strsize - 1);
string[strsize - 1] = '\0';
}
- (*buffer) += length;
+ if (length > 0)
+ (*buffer) += length;
return (string);
}
Attachment:
pgpUibJRshlvl.pgp
Description: PGP signature