Hi, debdiff attached and also archived on: http://people.debian.org/~nion/nmu-diff/cupsys-1.3.7-1_1.3.7-1.1.patch Kind regards Nico -- Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u cupsys-1.3.7/debian/changelog cupsys-1.3.7/debian/changelog
--- cupsys-1.3.7/debian/changelog
+++ cupsys-1.3.7/debian/changelog
@@ -1,3 +1,13 @@
+cupsys (1.3.7-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * This update addresses the following security issue:
+ - CVE-2008-1722: Two integer overflows in png image filter
+ allow a denial of service attack and possibly arbitrary code
+ execution (Closes: #476305).
+
+ -- Nico Golde <nion@debian.org> Mon, 21 Apr 2008 13:22:07 +0200
+
 cupsys (1.3.7-1) unstable; urgency=medium
 
 * Urgency medium due to security fix.
diff -u cupsys-1.3.7/debian/patches/00list cupsys-1.3.7/debian/patches/00list
--- cupsys-1.3.7/debian/patches/00list
+++ cupsys-1.3.7/debian/patches/00list
@@ -19,0 +20 @@
+CVE-2008-1722.dpatch
only in patch2:
unchanged:
--- cupsys-1.3.7.orig/debian/patches/CVE-2008-1722.dpatch
+++ cupsys-1.3.7/debian/patches/CVE-2008-1722.dpatch
@@ -0,0 +1,78 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2008-1722.dpatch by Nico Golde <nion@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad cupsys-1.3.7~/filter/image-png.c cupsys-1.3.7/filter/image-png.c
+--- cupsys-1.3.7~/filter/image-png.c 2007-07-11 23:46:42.000000000 +0200
++++ cupsys-1.3.7/filter/image-png.c 2008-04-21 13:20:12.000000000 +0200
+@@ -3,7 +3,7 @@
+ *
+ * PNG image routines for the Common UNIX Printing System (CUPS).
+ *
+- * Copyright 2007 by Apple Inc.
++ * Copyright 2007-2008 by Apple Inc.
+ * Copyright 1993-2007 by Easy Software Products.
+ *
+ * These coded instructions, statements, and computer programs are the
+@@ -170,16 +170,56 @@
+ * Interlaced images must be loaded all at once...
+ */
+
++ size_t bufsize; /* Size of buffer */
++
++
+ if (color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+- in = malloc(img->xsize * img->ysize);
++ {
++ bufsize = img->xsize * img->ysize;
++
++ if ((bufsize / img->ysize) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)width, (unsigned)height);
++ fclose(fp);
++ return (1);
++ }
++ }
+ else
+- in = malloc(img->xsize * img->ysize * 3);
++ {
++ bufsize = img->xsize * img->ysize * 3;
++
++ if ((bufsize / (img->ysize * 3)) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)width, (unsigned)height);
++ fclose(fp);
++ return (1);
++ }
++ }
++
++ in = malloc(bufsize);
+ }
+
+ bpp = cupsImageGetDepth(img);
+ out = malloc(img->xsize * bpp);
+
++ if (!in || !out)
++ {
++ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
++
++ if (in)
++ free(in);
++
++ if (out)
++ free(out);
++
++ fclose(fp);
++
++ return (1);
++ }
++
+ /*
+ * Read the image, interlacing as needed...
+ */
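Review bot: The overflow test in the RGB branch can still pass on a wrapped product, because both `img->xsize * img->ysize * 3` and the divisor `img->ysize * 3` are evaluated in the members' own type before anything is widened to `size_t`; if those members are narrower than `size_t` (their declaration is not in this hunk), the divisor itself can wrap and the quotient comparison then proves nothing. Checking before multiplying avoids this, e.g. reject when `img->ysize == 0 || img->xsize > ((size_t)-1) / 3 / img->ysize` and only then compute `bufsize = (size_t)img->xsize * img->ysize * 3;`, with the same shape (minus the `/ 3`) in the grayscale branch. The zero guard matters for the code as written too, since both new checks divide by `img->ysize` and nothing visible here rules out zero. `out = malloc(img->xsize * bpp)` further down keeps an unguarded multiplication; the enclosing function starts and ends outside the hunk, so whether earlier code bounds the dimensions, or whether the new `return (1)` paths skip other cleanup, cannot be confirmed from here.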