Bug#535489: marked as done (cups: CVE-2009-0791 integer overflow vulnerabilities)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Mon, 13 Jul 2009 08:10:24 +0200
with message-id <20090713061024.GA3803@piware.de>
and subject line Re: [Pkg-cups-devel] Bug#535489: Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities
has caused the Debian Bug report #535489,
regarding cups: CVE-2009-0791 integer overflow vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
535489: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535489
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: cups: CVE-2009-0791 integer overflow vulnerabilities
• From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
• Date: Thu, 2 Jul 2009 12:35:59 -0400
• Message-id: <[🔎] 20090702123559.092d2f57.michael.s.gilbert@gmail.com>

Package: cups
Version: 1.3.8-1+lenny6
Severity: serious
Tags: security , patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.

CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a crafted
| PDF file that triggers a heap-based buffer overflow, possibly related
| to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
| JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
| JBIG2Stream.cxx vector may overlap CVE-2009-1179.

See redhat bug for patch [1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791
    http://security-tracker.debian.net/tracker/CVE-2009-0791
[1] https://bugzilla.redhat.com/show_bug.cgi?id=491840

--- End Message ---

--- Begin Message ---

• To: 535489-done@bugs.debian.org, 535488-done@bugs.debian.org
• Subject: Re: [Pkg-cups-devel] Bug#535489: Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities
• From: Martin Pitt <mpitt@debian.org>
• Date: Mon, 13 Jul 2009 08:10:24 +0200
• Message-id: <20090713061024.GA3803@piware.de>
• In-reply-to: <[🔎] 20090712172940.12f99ff2.michael.s.gilbert@gmail.com>
• References: <[🔎] 20090702123553.e611ad63.michael.s.gilbert@gmail.com> <20090711152045.GC3438@piware.de> <[🔎] 20090712172940.12f99ff2.michael.s.gilbert@gmail.com>

Hello Michael,

Michael S. Gilbert [2009-07-12 17:29 -0400]:
> are you sure about this?  i've checked the etch cupsys and lenny cups
> packages and found that the pdftops source is indeed present

Yes, the orig.tar.gz ships it. But it's not build and used,
see debian/patches/pdftops-cups-1.4.dpatch in the lenny source. In
etch, debian/rules has --disable-pdftops and installs debian/pdftops
instead (which is a small wrapper for xpdf-utils' or poppler-utils').

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

--- End Message ---