
Bug#535488: marked as done (cupsys: CVE-2009-0791 integer overflow vulnerabilities)



Your message dated Sat, 11 Jul 2009 17:20:46 +0200
with message-id <20090711152045.GC3438@piware.de>
and subject line Re: [Pkg-cups-devel] Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities
has caused the Debian Bug report #535488,
regarding cupsys: CVE-2009-0791 integer overflow vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
535488: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535488
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cupsys
Version: 1.2.7-4etch6
Severity: serious
Tags: security, patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.

CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a crafted
| PDF file that triggers a heap-based buffer overflow, possibly related
| to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
| JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
| JBIG2Stream.cxx vector may overlap CVE-2009-1179.

See the Red Hat bug for the patch [1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791
    http://security-tracker.debian.net/tracker/CVE-2009-0791
[1] https://bugzilla.redhat.com/show_bug.cgi?id=491840



--- End Message ---
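The CVE text quoted in the report describes integer overflows in allocation-size arithmetic (gmem.c being the xpdf memory helper it names). The following is an added illustration, not code from CUPS, xpdf or the reporter, showing the wrapping product beside a checked allocator that rejects it; the function names naive_alloc_bytes, would_wrap, checked_mallocn and checked_alloc_succeeds are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Vulnerable pattern: n * size is computed in size_t and silently wraps
 * when the product exceeds SIZE_MAX.  A huge element count from an
 * untrusted file then yields a tiny heap block, and later writes into
 * the "n elements" overrun it (heap-based buffer overflow).  This helper
 * only returns the byte count the naive code would hand to malloc(). */
size_t naive_alloc_bytes(size_t n, size_t size)
{
    return n * size;                       /* wraps on overflow */
}

/* Overflow predicate: true when n * size does not fit in size_t.
 * Uses division rather than multiplication so the check itself cannot wrap. */
int would_wrap(size_t n, size_t size)
{
    return n != 0 && size > SIZE_MAX / n;
}

/* Hardened form: refuse the request instead of allocating a wrapped size. */
void *checked_mallocn(size_t n, size_t size)
{
    if (would_wrap(n, size))
        return NULL;                       /* caller must treat as failure */
    return malloc(n * size);
}

/* Convenience for tests: 1 if the checked allocation succeeds, else 0. */
int checked_alloc_succeeds(size_t n, size_t size)
{
    void *p = checked_mallocn(n, size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed values: SIZE_MAX/2 + 2 elements of 2 bytes wraps to 2. */
    size_t n = SIZE_MAX / 2 + 2;
    printf("naive byte count for %zu x 2: %zu\n", n, naive_alloc_bytes(n, 2));
    printf("checked allocator accepts it: %d\n", checked_alloc_succeeds(n, 2));
    printf("checked allocator accepts 1024 x 16: %d\n", checked_alloc_succeeds(1024, 16));
    return 0;
}
```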
--- Begin Message ---
Hello Michael,

Michael S. Gilbert [2009-07-02 12:35 -0400]:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for cups.
> 
> CVE-2009-0791[0]:
> | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
> | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
> | (application crash) or possibly execute arbitrary code via a crafted
> | PDF file that triggers a heap-based buffer overflow, possibly related
> | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
> | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
> | JBIG2Stream.cxx vector may overlap CVE-2009-1179.

This vulnerability does not affect cups. Because xpdf vulnerabilities
are so common, the Debian cups package has used the external
xpdf-utils or poppler-utils since at least woody.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)


--- End Message ---
