Bug#535489: [Pkg-cups-devel] Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities
On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:
> Hello Michael,
> Michael S. Gilbert [2009-07-02 12:35 -0400]:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for cups.
> > CVE-2009-0791:
> > | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
> > | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
> > | (application crash) or possibly execute arbitrary code via a crafted
> > | PDF file that triggers a heap-based buffer overflow, possibly related
> > | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
> > | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the
> > | JBIG2Stream.cxx vector may overlap CVE-2009-1179.
>
> This vulnerability does not affect cups. Because xpdf vulnerabilities
> are so common, the Debian cups package has used the external
> xpdf-utils or poppler-utils since at least woody.

are you sure about this? i've checked the etch cupsys and lenny cups
packages and found that the pdftops source is indeed present (and the
patches for this are not applied). the only way i see this as not
affected is if these packages do not build the pdftops code. i am not
that familiar with the package, so i did not check whether this is the
case. i've checked the unstable cups package and the pdftops code is
in fact removed there.