
Bug#535488: marked as done (cupsys: CVE-2009-0791 integer overflow vulnerabilities)

Your message dated Mon, 13 Jul 2009 08:10:24 +0200
with message-id <20090713061024.GA3803@piware.de>
and subject line Re: [Pkg-cups-devel] Bug#535489: Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities
has caused the Debian Bug report #535488,
regarding cupsys: CVE-2009-0791 integer overflow vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

535488: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535488
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cupsys
Version: 1.2.7-4etch6
Severity: serious
Tags: security, patch

The following CVE (Common Vulnerabilities & Exposures) id was
published for cups.

| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a crafted
| PDF file that triggers a heap-based buffer overflow, possibly related
| to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
| JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
| JBIG2Stream.cxx vector may overlap CVE-2009-1179.

See the Red Hat bug for the patch [1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791
[1] https://bugzilla.redhat.com/show_bug.cgi?id=491840

--- End Message ---
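The CVE text above describes count-times-size multiplications in the pdftops filter that can wrap around and leave a heap buffer shorter than the data later written into it. As an added example (not code from CUPS, xpdf or the Debian packages), here is that unchecked allocation pattern next to an overflow-checked version; `uint32_t` models the 32-bit `size_t` of the affected platforms, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern (hypothetical): the byte count handed to malloc is
 * the raw product, computed in 32 bits.  For nobjs = 0x40000001 and
 * objsize = 4 the product wraps to 4, so the allocator returns a
 * 4-byte block while the caller believes it holds 0x40000001 objects.
 * Returns the wrapped byte count so the effect can be inspected. */
uint32_t unchecked_bytes32(uint32_t nobjs, uint32_t objsize) {
    return (uint32_t)(nobjs * objsize);
}

/* Checked multiplication: returns 1 and stores the product in *out when
 * nobjs * objsize fits in 32 bits, returns 0 (overflow) otherwise.
 * The division-based test never overflows itself. */
int checked_mul32(uint32_t nobjs, uint32_t objsize, uint32_t *out) {
    if (nobjs != 0 && objsize > UINT32_MAX / nobjs)
        return 0;                      /* product would wrap: reject */
    *out = nobjs * objsize;
    return 1;
}

/* Hardened allocator wrapper (hypothetical name): refuses requests whose
 * size would wrap instead of silently under-allocating. */
void *checked_mallocn32(uint32_t nobjs, uint32_t objsize) {
    uint32_t bytes;
    if (!checked_mul32(nobjs, objsize, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void) {
    /* Constructed object count that wraps when multiplied by 4. */
    uint32_t nobjs = 0x40000001u, objsize = 4u, bytes = 0;
    printf("unchecked: %u objects * %u bytes -> malloc(%u)\n",
           nobjs, objsize, unchecked_bytes32(nobjs, objsize));
    if (checked_mul32(nobjs, objsize, &bytes))
        printf("checked: malloc(%u)\n", bytes);
    else
        printf("checked: request rejected (size overflow)\n");
    return 0;
}
```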
--- Begin Message ---
Hello Michael,

Michael S. Gilbert [2009-07-12 17:29 -0400]:
> Are you sure about this?  I've checked the etch cupsys and lenny cups
> packages and found that the pdftops source is indeed present

Yes, the orig.tar.gz ships it. But it's not built or used,
see debian/patches/pdftops-cups-1.4.dpatch in the lenny source. In
etch, debian/rules has --disable-pdftops and installs debian/pdftops
instead (which is a small wrapper for xpdf-utils' or poppler-utils').

Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

--- End Message ---
