
Bug#507183: marked as done (cups: integer overflow via validation code in of the image size)



Your message dated Tue, 02 Dec 2008 02:02:04 +0000
with message-id <E1L7KaS-0006QJ-J6@ries.debian.org>
and subject line Bug#507183: fixed in cups 1.3.8-1lenny4
has caused the Debian Bug report #507183,
regarding cups: integer overflow via validation code in of the image size
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
507183: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507183
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cups
Version: 1.3.8-1lenny3
Severity: grave
Tags: security, patch
Justification: user security hole

Hi Martin

Cups upstream just fixed another integer overflow[0], which was introduced
due to an incomplete fix for CVE-2008-1722. The upstream commit can be
found here[1]. A CVE id has been requested and I'll post it as soon as
it is available.

Cheers
Steffen

[0]: http://www.cups.org/str.php?L2974

[1]: http://www.cups.org/strfiles/2974/str2974.patch



--- End Message ---
--- Begin Message ---
Source: cups
Source-Version: 1.3.8-1lenny4

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive:

cups-bsd_1.3.8-1lenny4_i386.deb
  to pool/main/c/cups/cups-bsd_1.3.8-1lenny4_i386.deb
cups-client_1.3.8-1lenny4_i386.deb
  to pool/main/c/cups/cups-client_1.3.8-1lenny4_i386.deb
cups-common_1.3.8-1lenny4_all.deb
  to pool/main/c/cups/cups-common_1.3.8-1lenny4_all.deb
cups-dbg_1.3.8-1lenny4_i386.deb
  to pool/main/c/cups/cups-dbg_1.3.8-1lenny4_i386.deb
cups_1.3.8-1lenny4.diff.gz
  to pool/main/c/cups/cups_1.3.8-1lenny4.diff.gz
cups_1.3.8-1lenny4.dsc
  to pool/main/c/cups/cups_1.3.8-1lenny4.dsc
cups_1.3.8-1lenny4_i386.deb
  to pool/main/c/cups/cups_1.3.8-1lenny4_i386.deb
cupsys-bsd_1.3.8-1lenny4_all.deb
  to pool/main/c/cups/cupsys-bsd_1.3.8-1lenny4_all.deb
cupsys-client_1.3.8-1lenny4_all.deb
  to pool/main/c/cups/cupsys-client_1.3.8-1lenny4_all.deb
cupsys-common_1.3.8-1lenny4_all.deb
  to pool/main/c/cups/cupsys-common_1.3.8-1lenny4_all.deb
cupsys-dbg_1.3.8-1lenny4_all.deb
  to pool/main/c/cups/cupsys-dbg_1.3.8-1lenny4_all.deb
cupsys_1.3.8-1lenny4_all.deb
  to pool/main/c/cups/cupsys_1.3.8-1lenny4_all.deb
libcups2-dev_1.3.8-1lenny4_i386.deb
  to pool/main/c/cups/libcups2-dev_1.3.8-1lenny4_i386.deb
libcups2_1.3.8-1lenny4_i386.deb
  to pool/main/c/cups/libcups2_1.3.8-1lenny4_i386.deb
libcupsimage2-dev_1.3.8-1lenny4_i386.deb
  to pool/main/c/cups/libcupsimage2-dev_1.3.8-1lenny4_i386.deb
libcupsimage2_1.3.8-1lenny4_i386.deb
  to pool/main/c/cups/libcupsimage2_1.3.8-1lenny4_i386.deb
libcupsys2-dev_1.3.8-1lenny4_all.deb
  to pool/main/c/cups/libcupsys2-dev_1.3.8-1lenny4_all.deb
libcupsys2_1.3.8-1lenny4_all.deb
  to pool/main/c/cups/libcupsys2_1.3.8-1lenny4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 507183@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 01 Dec 2008 17:33:18 -0800
Source: cups
Binary: libcups2 libcupsimage2 cups cups-client libcups2-dev libcupsimage2-dev cups-bsd cups-common cups-dbg cupsys cupsys-client cupsys-common cupsys-bsd cupsys-dbg libcupsys2 libcupsys2-dev
Architecture: source all i386
Version: 1.3.8-1lenny4
Distribution: unstable
Urgency: high
Maintainer: Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>
Changed-By: Martin Pitt <mpitt@debian.org>
Description: 
 cups       - Common UNIX Printing System(tm) - server
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-dbg   - Common UNIX Printing System(tm) - debugging symbols
 cupsys     - Common UNIX Printing System (transitional package)
 cupsys-bsd - Common UNIX Printing System (transitional package)
 cupsys-client - Common UNIX Printing System (transitional package)
 cupsys-common - Common UNIX Printing System (transitional package)
 cupsys-dbg - Common UNIX Printing System (transitional package)
 libcups2   - Common UNIX Printing System(tm) - libs
 libcups2-dev - Common UNIX Printing System(tm) - development files
 libcupsimage2 - Common UNIX Printing System(tm) - image libs
 libcupsimage2-dev - Common UNIX Printing System(tm) - image development files
 libcupsys2 - Common UNIX Printing System (transitional package)
 libcupsys2-dev - Common UNIX Printing System (transitional package)
Closes: 507183
Changes: 
 cups (1.3.8-1lenny4) unstable; urgency=high
 .
   * High urgency due to security bug fix.
   * Add png-image-int-overflow.dpatch: Fix integer overflow in the PNG image
     reader (Closes: #507183, STR #2974, CVE-2008-5286)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkk0kmQACgkQDecnbV4Fd/L7PwCgwdN0tkqJhxkWilQoHSsQ2iJF
VZoAoLqzCnWM66Kiz5Ddq9jLwgaVui0P
=WnyL
-----END PGP SIGNATURE-----



--- End Message ---
