Debian Bug report logs - #535488
cupsys: CVE-2009-0791 integer overflow vulnerabilities
Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Date: Thu, 2 Jul 2009 16:39:02 UTC
Severity: serious
Tags: patch, security
Found in version cupsys/1.2.7-4etch6
Done: Martin Pitt <mpitt@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>: Bug#535488; Package cupsys. (Thu, 02 Jul 2009 16:39:04 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Thu, 02 Jul 2009 16:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: cupsys
Version: 1.2.7-4etch6
Severity: serious
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.
CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a crafted
| PDF file that triggers a heap-based buffer overflow, possibly related
| to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
| JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the
| JBIG2Stream.cxx vector may overlap CVE-2009-1179.
See redhat bug for patch [1].
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791
http://security-tracker.debian.net/tracker/CVE-2009-0791
[1] https://bugzilla.redhat.com/show_bug.cgi?id=491840
Reply sent to Martin Pitt <mpitt@debian.org>: You have taken responsibility. (Sat, 11 Jul 2009 15:30:03 GMT)
Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Sat, 11 Jul 2009 15:30:04 GMT)
Message #10 received at 535488-done@bugs.debian.org:
Hello Michael,
Michael S. Gilbert [2009-07-02 12:35 -0400]:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for cups.
>
> CVE-2009-0791[0]:
> | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
> | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
> | (application crash) or possibly execute arbitrary code via a crafted
> | PDF file that triggers a heap-based buffer overflow, possibly related
> | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
> | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the
> | JBIG2Stream.cxx vector may overlap CVE-2009-1179.
This vulnerability does not affect cups. Because xpdf vulnerabilities
are so common, the Debian cups package has used the external
xpdf-utils or poppler-utils since at least woody.
Thanks,
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>: Bug#535488; Package cupsys. (Sun, 12 Jul 2009 21:36:02 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sun, 12 Jul 2009 21:36:05 GMT)
Message #15 received at 535488@bugs.debian.org:
reopen 535488
reopen 535489
thanks
On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:
> Hello Michael,
>
> Michael S. Gilbert [2009-07-02 12:35 -0400]:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for cups.
> >
> > CVE-2009-0791[0]:
> > | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
> > | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
> > | (application crash) or possibly execute arbitrary code via a crafted
> > | PDF file that triggers a heap-based buffer overflow, possibly related
> > | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
> > | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the
> > | JBIG2Stream.cxx vector may overlap CVE-2009-1179.
>
> This vulnerability does not affect cups. Because xpdf vulnerabilities
> are so common, the Debian cups package has used the external
> xpdf-utils or poppler-utils since at least woody.
are you sure about this? i've checked the etch cupsys and lenny cups
packages and found that the pdftops source is indeed present (and the
patches for this are not applied). the only way i see this as not
affected is if these packages do not build the pdftops code. i am not
that familiar with the package, so i did not check whether this is the
case. i've checked the unstable cups package and the pdftops code is
in fact removed there.
mike
Bug reopened, originator not changed. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 12 Jul 2009 21:36:09 GMT)
Reply sent to Martin Pitt <mpitt@debian.org>: You have taken responsibility. (Mon, 13 Jul 2009 06:21:06 GMT)
Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Mon, 13 Jul 2009 06:21:08 GMT)
Message #22 received at 535488-done@bugs.debian.org:
Hello Michael,
Michael S. Gilbert [2009-07-12 17:29 -0400]:
> are you sure about this? i've checked the etch cupsys and lenny cups
> packages and found that the pdftops source is indeed present
Yes, the orig.tar.gz ships it. But it's not built and used,
see debian/patches/pdftops-cups-1.4.dpatch in the lenny source. In
etch, debian/rules has --disable-pdftops and installs debian/pdftops
instead (which is a small wrapper for xpdf-utils' or poppler-utils').
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
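The distinction made in this message (source shipped in orig.tar.gz versus code that is actually built and installed) can be checked mechanically. The script below is an added example, not part of the original thread or of the Debian packaging; the function names, file names and sample file contents are constructed for illustration, and it covers only the etch-style case where the flag sits in debian/rules.

```shell
#!/bin/sh
# Added example: triage whether the bundled pdftops code is built or replaced.
# Function names and all sample file contents are constructed for illustration.

# Return 0 if the rules file passes --disable-pdftops to configure.
rules_disable_pdftops() {
    # Skip comment lines so a commented-out flag does not count.
    grep -v '^[[:space:]]*#' "$1" | grep -q -- '--disable-pdftops'
}

# Print "elf", "script" or "other" based on the file's first four bytes.
filter_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # \x7fELF: compiled filter
        2321*)    echo script ;;   # "#!": wrapper script
        *)        echo other ;;
    esac
}

# Verdict for a (debian/rules, installed filter) pair.
triage() {
    kind=$(filter_kind "$2")
    if [ "$kind" = elf ]; then
        echo built            # bundled code is live: check it for the fix
    elif [ "$kind" = script ] && rules_disable_pdftops "$1"; then
        echo not-built        # audit the external PDF tool instead
    else
        echo inconclusive     # inspect patches and the build log by hand
    fi
}

# Constructed sample inputs so the example runs offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'configure:\n\t./configure --prefix=/usr --disable-pdftops\n' > "$demo/rules"
printf '#!/bin/sh\nexec pdftops "$@"\n' > "$demo/pdftops-wrapper"
printf '\177ELF\002\001\001' > "$demo/pdftops-elf"

triage "$demo/rules" "$demo/pdftops-wrapper"
triage "$demo/rules" "$demo/pdftops-elf"
```

A "not-built" verdict moves the exposure question to whichever external package the wrapper calls, so that package's version is what needs checking against the CVE.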
Message #23 received at 535488-done@bugs.debian.org:
On Mon, Jul 13, 2009 at 12:29 AM, Michael S. Gilbert <michael.s.gilbert@gmail.com> wrote:
> reopen 535488
> reopen 535489
> thanks
>
> On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:
>
>> Hello Michael,
>>
>> Michael S. Gilbert [2009-07-02 12:35 -0400]:
>> > Hi,
>> > the following CVE (Common Vulnerabilities & Exposures) id was
>> > published for cups.
>> >
>> > CVE-2009-0791[0]:
>> > | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
>> > | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
>> > | (application crash) or possibly execute arbitrary code via a crafted
>> > | PDF file that triggers a heap-based buffer overflow, possibly related
>> > | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
>> > | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the
>> > | JBIG2Stream.cxx vector may overlap CVE-2009-1179.
>>
>> This vulnerability does not affect cups. Because xpdf vulnerabilities
>> are so common, the Debian cups package has used the external
>> xpdf-utils or poppler-utils since at least woody.
>
> are you sure about this? i've checked the etch cupsys and lenny cups
> packages and found that the pdftops source is indeed present (and the
> patches for this are not applied). the only way i see this as not
> affected is if these packages do not build the pdftops code. i am not
> that familiar with the package, so i did not check whether this is the
> case. i've checked the unstable cups package and the pdftops code is
> in fact removed there.
Yes, we are sure. We have been using external xpdf-utils, then
poppler-utils components for ages, precisely to avoid constantly
patching CUPS for xpdf/poppler issues. FWIW, we contend that CUPS
should not ship with copies of the xpdf/poppler code in the first
place, precisely because of this.
Martin-Éric
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Aug 2009 07:36:42 GMT)
Last modified: Wed Jun 19 13:39:13 2019