cupsys: CVE-2009-0791 integer overflow vulnerabilities

Related Vulnerabilities: CVE-2009-0791   CVE-2009-1179  

Debian Bug report logs - #535488

Package: cupsys; Maintainer for cupsys is (unknown);

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Thu, 2 Jul 2009 16:39:02 UTC

Severity: serious

Tags: patch, security

Found in version cupsys/1.2.7-4etch6

Done: Martin Pitt <mpitt@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#535488; Package cupsys. (Thu, 02 Jul 2009 16:39:04 GMT).


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Thu, 02 Jul 2009 16:39:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: cupsys: CVE-2009-0791 integer overflow vulnerabilities
Date: Thu, 2 Jul 2009 12:35:53 -0400
Package: cupsys
Version: 1.2.7-4etch6
Severity: serious
Tags: security, patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.

CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a crafted
| PDF file that triggers a heap-based buffer overflow, possibly related
| to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
| JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
| JBIG2Stream.cxx vector may overlap CVE-2009-1179.

See redhat bug for patch [1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791
    http://security-tracker.debian.net/tracker/CVE-2009-0791
[1] https://bugzilla.redhat.com/show_bug.cgi?id=491840




Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. (Sat, 11 Jul 2009 15:30:03 GMT).


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 11 Jul 2009 15:30:04 GMT).


Message #10 received at 535488-done@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>, 535488-done@bugs.debian.org, 535489-done@bugs.debian.org
Subject: Re: [Pkg-cups-devel] Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities
Date: Sat, 11 Jul 2009 17:20:46 +0200

Hello Michael,

Michael S. Gilbert [2009-07-02 12:35 -0400]:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for cups.
> 
> CVE-2009-0791[0]:
> | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
> | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
> | (application crash) or possibly execute arbitrary code via a crafted
> | PDF file that triggers a heap-based buffer overflow, possibly related
> | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
> | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
> | JBIG2Stream.cxx vector may overlap CVE-2009-1179.

This vulnerability does not affect cups. Because xpdf vulnerabilities
are so common, the Debian cups package has used the external
xpdf-utils or poppler-utils since at least woody.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#535488; Package cupsys. (Sun, 12 Jul 2009 21:36:02 GMT).


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sun, 12 Jul 2009 21:36:05 GMT).


Message #15 received at 535488@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 535488@bugs.debian.org, 535489@bugs.debian.org, control@bugs.debian.org
Subject: Re: [Pkg-cups-devel] Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities
Date: Sun, 12 Jul 2009 17:29:40 -0400

reopen 535488
reopen 535489
thanks

On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:

> Hello Michael,
> 
> Michael S. Gilbert [2009-07-02 12:35 -0400]:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for cups.
> > 
> > CVE-2009-0791[0]:
> > | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
> > | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
> > | (application crash) or possibly execute arbitrary code via a crafted
> > | PDF file that triggers a heap-based buffer overflow, possibly related
> > | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
> > | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
> > | JBIG2Stream.cxx vector may overlap CVE-2009-1179.
> 
> This vulnerability does not affect cups. Because xpdf vulnerabilities
> are so common, the Debian cups package has used the external
> xpdf-utils or poppler-utils since at least woody.

are you sure about this?  i've checked the etch cupsys and lenny cups
packages and found that the pdftops source is indeed present (and the
patches for this are not applied).  the only way i see this as not
affected is if these packages do not build the pdftops code.  i am not
that familiar with the package, so i did not check whether this is the
case.  i've checked the unstable cups package and the pdftops code is
in fact removed there.

mike




Bug reopened, originator not changed. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 12 Jul 2009 21:36:09 GMT).


Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. (Mon, 13 Jul 2009 06:21:06 GMT).


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 13 Jul 2009 06:21:08 GMT).


Message #22 received at 535488-done@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 535489-done@bugs.debian.org, 535488-done@bugs.debian.org
Subject: Re: [Pkg-cups-devel] Bug#535489: Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities
Date: Mon, 13 Jul 2009 08:10:24 +0200

Hello Michael,

Michael S. Gilbert [2009-07-12 17:29 -0400]:
> are you sure about this?  i've checked the etch cupsys and lenny cups
> packages and found that the pdftops source is indeed present

Yes, the orig.tar.gz ships it. But it's not built and used,
see debian/patches/pdftops-cups-1.4.dpatch in the lenny source. In
etch, debian/rules has --disable-pdftops and installs debian/pdftops
instead (which is a small wrapper for xpdf-utils' or poppler-utils').

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
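
The check described in the message above (source shipped in the orig.tar.gz but not built), written as a triage script; this is an added example, not part of the bug log or of the Debian packaging. The status names, the sample trees and the rule that a dpatch only counts when listed in `debian/patches/00list` are assumptions of this example; the thread does not show what `pdftops-cups-1.4.dpatch` contains, so that case is only flagged for manual review.

```shell
#!/bin/sh
# Added example (not from the bug log): does a Debian source tree that ships
# pdftops/ also build it? Status names are this example's own.
classify_pdftops() {
    tree=$1
    # No embedded copy in the source at all.
    if [ ! -d "$tree/pdftops" ]; then
        echo absent; return 0
    fi
    # etch case: debian/rules passes --disable-pdftops. Comment lines are
    # dropped first so a commented-out flag does not count.
    if [ -f "$tree/debian/rules" ] &&
       grep -v '^[[:space:]]*#' "$tree/debian/rules" | grep -q -e '--disable-pdftops'; then
        echo disabled-in-rules; return 0
    fi
    # lenny case: a pdftops-*.dpatch exists. Assumption: it only counts when
    # listed in debian/patches/00list (with or without the .dpatch suffix);
    # what the patch does must still be read by hand.
    for p in "$tree"/debian/patches/pdftops-*.dpatch; do
        [ -f "$p" ] || continue
        name=$(basename "$p" .dpatch)
        if grep -qxF -e "$name" -e "$name.dpatch" "$tree/debian/patches/00list" 2>/dev/null; then
            echo patched-review; return 0
        fi
    done
    echo built-review
}

# Constructed sample trees (empty files, not real package contents).
make_sample_trees() {
    d=$(mktemp -d)
    mkdir -p "$d/etch/pdftops" "$d/etch/debian" "$d/lenny/pdftops" \
             "$d/lenny/debian/patches" "$d/nosrc/debian" \
             "$d/plain/pdftops" "$d/plain/debian/patches"
    printf '\t./configure --disable-pdftops\n' > "$d/etch/debian/rules"
    printf '\t./configure\n' > "$d/lenny/debian/rules"
    : > "$d/lenny/debian/patches/pdftops-cups-1.4.dpatch"
    echo 'pdftops-cups-1.4.dpatch' > "$d/lenny/debian/patches/00list"
    # Flag commented out and patch present but unlisted: neither may count.
    printf '# --disable-pdftops\n\t./configure\n' > "$d/plain/debian/rules"
    : > "$d/plain/debian/patches/pdftops-cups-1.4.dpatch"
    echo "$d"
}

samples=$(make_sample_trees)
for t in etch lenny nosrc plain; do
    printf '%s: %s\n' "$t" "$(classify_pdftops "$samples/$t")"
done
rm -rf "$samples"
```

A `built-review` result means the embedded copy is present with no sign that the build skips it, which is the case where the CVE patches would need to be checked against the tree.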




Message #23 received at 535488-done@bugs.debian.org:

From: Martin-Éric Racine <q-funk@iki.fi>
To: 535488-done@bugs.debian.org
Cc: 535489-done@bugs.debian.org
Subject: Re: [Pkg-cups-devel] Bug#535488: Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities
Date: Mon, 13 Jul 2009 10:10:45 +0300

On Mon, Jul 13, 2009 at 12:29 AM, Michael S. Gilbert <michael.s.gilbert@gmail.com> wrote:
> reopen 535488
> reopen 535489
> thanks
>
> On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:
>
>> Hello Michael,
>>
>> Michael S. Gilbert [2009-07-02 12:35 -0400]:
>> > Hi,
>> > the following CVE (Common Vulnerabilities & Exposures) id was
>> > published for cups.
>> >
>> > CVE-2009-0791[0]:
>> > | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
>> > | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
>> > | (application crash) or possibly execute arbitrary code via a crafted
>> > | PDF file that triggers a heap-based buffer overflow, possibly related
>> > | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
>> > | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
>> > | JBIG2Stream.cxx vector may overlap CVE-2009-1179.
>>
>> This vulnerability does not affect cups. Because xpdf vulnerabilities
>> are so common, the Debian cups package has used the external
>> xpdf-utils or poppler-utils since at least woody.
>
> are you sure about this?  i've checked the etch cupsys and lenny cups
> packages and found that the pdftops source is indeed present (and the
> patches for this are not applied).  the only way i see this as not
> affected is if these packages do not build the pdftops code.  i am not
> that familiar with the package, so i did not check whether this is the
> case.  i've checked the unstable cups package and the pdftops code is
> in fact removed there.

Yes, we are sure. We have been using external xpdf-utils, then
poppler-utils components for ages, precisely to avoid constantly
patching CUPS for xpdf/poppler issues. FWIW, we contend that CUPS
should not ship with copies of the xpdf/poppler code in the first
place, precisely because of this.

Martin-Éric




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Aug 2009 07:36:42 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:39:13 2019; Machine Name: beach
