[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#476305: intent to NMU

Hi,
debdiff attached and also archived on:
http://people.debian.org/~nion/nmu-diff/cupsys-1.3.7-1_1.3.7-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -u cupsys-1.3.7/debian/changelog cupsys-1.3.7/debian/changelog
--- cupsys-1.3.7/debian/changelog
+++ cupsys-1.3.7/debian/changelog
@@ -1,3 +1,13 @@
+cupsys (1.3.7-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * This update addresses the following security issue:
+    - CVE-2008-1722: Two integer overflows in png image filter
+    allow a denial of service attack and possibly arbitrary code
+    execution (Closes: #476305).
+
+ -- Nico Golde <nion@debian.org>  Mon, 21 Apr 2008 13:22:07 +0200
+
 cupsys (1.3.7-1) unstable; urgency=medium
 
   * Urgency medium due to security fix.
diff -u cupsys-1.3.7/debian/patches/00list cupsys-1.3.7/debian/patches/00list
--- cupsys-1.3.7/debian/patches/00list
+++ cupsys-1.3.7/debian/patches/00list
@@ -19,0 +20 @@
+CVE-2008-1722.dpatch
only in patch2:
unchanged:
--- cupsys-1.3.7.orig/debian/patches/CVE-2008-1722.dpatch
+++ cupsys-1.3.7/debian/patches/CVE-2008-1722.dpatch
@@ -0,0 +1,78 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2008-1722.dpatch by Nico Golde <nion@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad cupsys-1.3.7~/filter/image-png.c cupsys-1.3.7/filter/image-png.c
+--- cupsys-1.3.7~/filter/image-png.c	2007-07-11 23:46:42.000000000 +0200
++++ cupsys-1.3.7/filter/image-png.c	2008-04-21 13:20:12.000000000 +0200
+@@ -3,7 +3,7 @@
+  *
+  *   PNG image routines for the Common UNIX Printing System (CUPS).
+  *
+- *   Copyright 2007 by Apple Inc.
++ *   Copyright 2007-2008 by Apple Inc.
+  *   Copyright 1993-2007 by Easy Software Products.
+  *
+  *   These coded instructions, statements, and computer programs are the
+@@ -170,16 +170,56 @@
+     * Interlaced images must be loaded all at once...
+     */
+ 
++    size_t bufsize;			/* Size of buffer */
++
++
+     if (color_type == PNG_COLOR_TYPE_GRAY ||
+ 	color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+-      in = malloc(img->xsize * img->ysize);
++    {
++      bufsize = img->xsize * img->ysize;
++
++      if ((bufsize / img->ysize) != img->xsize)
++      {
++	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++		(unsigned)width, (unsigned)height);
++	fclose(fp);
++	return (1);
++      }
++    }
+     else
+-      in = malloc(img->xsize * img->ysize * 3);
++    {
++      bufsize = img->xsize * img->ysize * 3;
++
++      if ((bufsize / (img->ysize * 3)) != img->xsize)
++      {
++	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++		(unsigned)width, (unsigned)height);
++	fclose(fp);
++	return (1);
++      }
++    }
++
++    in = malloc(bufsize);
+   }
+ 
+   bpp = cupsImageGetDepth(img);
+   out = malloc(img->xsize * bpp);
+ 
++  if (!in || !out)
++  {
++    fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
++
++    if (in)
++      free(in);
++
++    if (out)
++      free(out);
++
++    fclose(fp);
++
++    return (1);
++  }
++
+  /*
+   * Read the image, interlacing as needed...
+   */

Attachment: pgpNn3fUgxcvK.pgp
Description: PGP signature

Reply to: