cups: CVE-2014-9679

Related Vulnerabilities: CVE-2014-9679  

Debian Bug report logs - #778387
cups: CVE-2014-9679

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 14 Feb 2015 13:27:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions cups/1.5.3-5, cups/1.7.5-10

Fixed in versions cups/2.0.2-1, 2.0.2-1, cups/1.7.5-11, cups/1.5.3-5+deb7u5

Done: Didier Raboud <odyx@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://www.cups.org/str.php?L4551


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#778387; Package cups. (Sat, 14 Feb 2015 13:27:07 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>. (Sat, 14 Feb 2015 13:27:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-9679
Date: Sat, 14 Feb 2015 14:24:43 +0100
Package: cups
Severity: grave
Tags: security

This was assigned CVE-2014-9679 and is fixed in experimental
already: https://www.cups.org/str.php?L4551

Cheers,
        Moritz



Changed Bug title to 'cups: CVE-2014-9679' from 'CVE-2014-9679' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Feb 2015 16:51:13 GMT) (full text, mbox, link).


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Feb 2015 16:51:13 GMT) (full text, mbox, link).


Marked as found in versions cups/1.7.5-10. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Feb 2015 16:51:14 GMT) (full text, mbox, link).


Marked as fixed in versions cups/2.0.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Feb 2015 16:51:15 GMT) (full text, mbox, link).


Marked as found in versions cups/1.5.3-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Feb 2015 16:57:04 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://www.cups.org/str.php?L4551'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Feb 2015 16:57:05 GMT) (full text, mbox, link).


Reply sent to Didier 'OdyX' Raboud <odyx@debian.org>:
You have taken responsibility. (Mon, 16 Feb 2015 09:03:14 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 16 Feb 2015 09:03:14 GMT) (full text, mbox, link).


Message #22 received at 778387-done@bugs.debian.org (full text, mbox, reply):

From: Didier 'OdyX' Raboud <odyx@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 778387-done@bugs.debian.org
Subject: Re: Bug#778387: CVE-2014-9679
Date: Mon, 16 Feb 2015 09:59:21 +0100
[Message part 1 (text/plain, inline)]
Version: 2.0.2-1
Control: tags -1 +patch

Hi Moritz, and thanks for the heads-up.

On Saturday, 14 February 2015 14.24:43, you wrote:
> This was assigned CVE-2014-9679 and is fixed in experimental
> already: https://www.cups.org/str.php?L4551

Here would be the patch for wheezy-security, can I upload? I'll upload 
to unstable straight away with the same patch.

Cheers,
OdyX
[signature.asc (application/pgp-signature, inline)]

Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Mon, 16 Feb 2015 15:36:14 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 16 Feb 2015 15:36:14 GMT) (full text, mbox, link).


Message #27 received at 778387-close@bugs.debian.org (full text, mbox, reply):

From: Didier Raboud <odyx@debian.org>
To: 778387-close@bugs.debian.org
Subject: Bug#778387: fixed in cups 1.7.5-11
Date: Mon, 16 Feb 2015 15:35:00 +0000
Source: cups
Source-Version: 1.7.5-11

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778387@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 Feb 2015 08:19:17 +0100
Source: cups
Binary: libcups2 libcupsimage2 libcupscgi1 libcupsmime1 libcupsppdc1 cups cups-core-drivers cups-daemon cups-client libcups2-dev libcupsimage2-dev libcupscgi1-dev libcupsmime1-dev libcupsppdc1-dev cups-bsd cups-common cups-server-common cups-ppdc cups-dbg
Architecture: source all
Version: 1.7.5-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
 cups       - Common UNIX Printing System(tm) - PPD/driver support, web interfa
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-core-drivers - Common UNIX Printing System(tm) - PPD-less printing
 cups-daemon - Common UNIX Printing System(tm) - daemon
 cups-dbg   - Common UNIX Printing System(tm) - debugging symbols
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 cups-server-common - Common UNIX Printing System(tm) - server common files
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupscgi1 - Common UNIX Printing System(tm) - CGI library
 libcupscgi1-dev - Common UNIX Printing System(tm) - Development files for CGI libra
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
 libcupsmime1 - Common UNIX Printing System(tm) - MIME library
 libcupsmime1-dev - Common UNIX Printing System(tm) - Development files MIME library
 libcupsppdc1 - Common UNIX Printing System(tm) - PPD manipulation library
 libcupsppdc1-dev - Common UNIX Printing System(tm) - Development files PPD library
Closes: 778387
Changes:
 cups (1.7.5-11) unstable; urgency=medium
 .
   * Backport upstream patch to fix cupsRasterReadPixels buffer overflow with
     invalid page header and compressed raster data
     (STR: #4551, Closes: #778387)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#778387; Package cups. (Mon, 23 Feb 2015 11:03:13 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Mon, 23 Feb 2015 11:03:13 GMT) (full text, mbox, link).


Message #32 received at 778387@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>
Cc: debian-lts@lists.debian.org, Didier Raboud <odyx@debian.org>, 778387@bugs.debian.org
Subject: squeeze update of cups?
Date: Mon, 23 Feb 2015 11:58:33 +0100
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your package:
https://security-tracker.debian.org/tracker/CVE-2014-9679

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#778387; Package cups. (Mon, 23 Feb 2015 17:42:05 GMT) (full text, mbox, link).


Acknowledgement sent to pkg-cups-devel@lists.alioth.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Mon, 23 Feb 2015 17:42:05 GMT) (full text, mbox, link).


Message #37 received at 778387@bugs.debian.org (full text, mbox, reply):

From: Didier 'OdyX' Raboud <odyx@debian.org>
To: debian-lts@lists.debian.org, 778387@bugs.debian.org
Cc: Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>
Subject: Re: squeeze update of cups?
Date: Mon, 23 Feb 2015 18:38:15 +0100
[Message part 1 (text/plain, inline)]
Hi,

On Monday, 23 February 2015, 11.58:33 Raphael Hertzog wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of your package:
> https://security-tracker.debian.org/tracker/CVE-2014-9679
> 
> Would you like to take care of this yourself?
> 
> If yes, please follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development

I will, but keep in mind that we're still discussing the Wheezy patch 
with the security team, so I'd like to get that fixed too (ideally 
first).

That said, the part from the upstream patch that we're discussing 
doesn't apply to Squeeze(-LTS), so we might as well upload the patch as-
is.

Proposed debdiff attached.

Cheers
OdyX
[s.ddiff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#778387; Package cups. (Fri, 27 Feb 2015 03:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Fri, 27 Feb 2015 03:21:04 GMT) (full text, mbox, link).


Message #42 received at 778387@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: pkg-cups-devel@lists.alioth.debian.org
Cc: debian-lts@lists.debian.org, 778387@bugs.debian.org
Subject: Re: squeeze update of cups?
Date: Fri, 27 Feb 2015 03:17:43 +0000
[Message part 1 (text/plain, inline)]
On Mon, 2015-02-23 at 18:38 +0100, Didier 'OdyX' Raboud wrote:
> Hi,
> 
> On Monday, 23 February 2015, 11.58:33 Raphael Hertzog wrote:
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of your package:
> > https://security-tracker.debian.org/tracker/CVE-2014-9679
> > 
> > Would you like to take care of this yourself?
> > 
> > If yes, please follow the workflow we have defined here:
> > http://wiki.debian.org/LTS/Development
> 
> I will, but keep in mind that we're still discussing the Wheezy patch 
> with the security team, so I'd like to get that fixed too (ideally 
> first).
> 
> That said, the part from the upstream patch that we're discussing 
> doesn't apply to Squeeze(-LTS), so we might as well upload the patch as-
> is.
>
> Proposed debdiff attached.

This does not fix the bug!

Ben.

-- 
Ben Hutchings
It is easier to write an incorrect program than to understand a correct one.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#778387; Package cups. (Fri, 27 Feb 2015 04:42:05 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Fri, 27 Feb 2015 04:42:05 GMT) (full text, mbox, link).


Message #47 received at 778387@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: pkg-cups-devel@lists.alioth.debian.org
Cc: debian-lts@lists.debian.org, 778387@bugs.debian.org
Subject: Re: squeeze update of cups?
Date: Fri, 27 Feb 2015 04:39:08 +0000
[Message part 1 (text/plain, inline)]
On Fri, 2015-02-27 at 03:17 +0000, Ben Hutchings wrote:
> On Mon, 2015-02-23 at 18:38 +0100, Didier 'OdyX' Raboud wrote:
> > Hi,
> > 
> > On Monday, 23 February 2015, 11.58:33 Raphael Hertzog wrote:
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of your package:
> > > https://security-tracker.debian.org/tracker/CVE-2014-9679
> > > 
> > > Would you like to take care of this yourself?
> > > 
> > > If yes, please follow the workflow we have defined here:
> > > http://wiki.debian.org/LTS/Development
> > 
> > I will, but keep in mind that we're still discussing the Wheezy patch 
> > with the security team, so I'd like to get that fixed too (ideally 
> > first).
> > 
> > That said, the part from the upstream patch that we're discussing 
> > doesn't apply to Squeeze(-LTS), so we might as well upload the patch as-
> > is.
> >
> > Proposed debdiff attached.
> 
> This does not fix the bug!

I cherry-picked git commit 6c087a72a0708bcb7929955c75770ee364755c42
("Add some range checking (probably more to come) to avoid divide-by-0
errors."), after which the critical hunk of the patch for CVE-2014-9679
applied cleanly.  With Didier's original patch,

    zcat bogus.raster.gz | rastertohp foo bar baz 1 ''

still crashes (segmentation fault).  With the two patches applied, it
fails cleanly (no pages found).  I was still able to print a test page
(though I'm not certain that this uses the raster filter code in my
configuration).

So I've uploaded with those two patches applied.

Ben.

-- 
Ben Hutchings
It is easier to write an incorrect program than to understand a correct one.
[signature.asc (application/pgp-signature, inline)]
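
The check described in the message above (does the filter still die on a signal, or does it fail cleanly?) can be scripted so that a backported fix is verified rather than assumed. This is an added example, not part of the bug log or of CUPS: the function names, the stand-in filters and the reproducer directory are hypothetical, and the real filter arguments are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: tell a crash (death by signal) apart from a clean failure
# when a filter is fed a reproducer file on stdin.

# classify_status STATUS
# Prints "ok", "clean-failure" or "crash:<SIGNAL>".
classify_status() {
    cs_status=$1
    if [ "$cs_status" -eq 0 ]; then
        echo "ok"
    elif [ "$cs_status" -gt 128 ]; then
        # The shell reports a child killed by signal N as 128+N,
        # so a segmentation fault (SIGSEGV, 11) shows up as 139.
        cs_sig=$((cs_status - 128))
        if cs_name=$(kill -l "$cs_sig" 2>/dev/null) && [ -n "$cs_name" ]; then
            echo "crash:$cs_name"
        else
            # Not a signal number: the program chose this exit code itself.
            echo "clean-failure"
        fi
    else
        echo "clean-failure"
    fi
}

# check_sample SAMPLE FILTER [ARGS...]
# Feeds SAMPLE to FILTER on stdin (decompressing *.gz first, as the
# zcat pipeline in the report does) and prints the classification.
check_sample() {
    ck_sample=$1
    shift
    ck_status=0
    case $ck_sample in
        *.gz) gzip -dc -- "$ck_sample" | "$@" >/dev/null 2>&1 || ck_status=$? ;;
        *)    "$@" <"$ck_sample" >/dev/null 2>&1 || ck_status=$? ;;
    esac
    classify_status "$ck_status"
}

# verify_fix DIR FILTER [ARGS...]
# Runs every file in DIR through FILTER, prints one result per file and
# returns 0 only if none of them crashed the filter.
verify_fix() {
    vf_dir=$1
    shift
    vf_crashes=0
    for vf_sample in "$vf_dir"/*; do
        [ -f "$vf_sample" ] || continue
        vf_result=$(check_sample "$vf_sample" "$@")
        printf '%s\t%s\n' "$vf_result" "$vf_sample"
        case $vf_result in
            crash:*) vf_crashes=$((vf_crashes + 1)) ;;
        esac
    done
    [ "$vf_crashes" -eq 0 ]
}

# Constructed stand-ins so the script can be tried without CUPS installed.
# The first behaves like a filter that segfaults on its input, the second
# like one that rejects the input and exits non-zero.
standin_crashing_filter() {
    sh -c 'kill -s SEGV $$'
}

standin_clean_filter() {
    cat >/dev/null
    echo "no pages found" >&2
    return 1
}

# Usage against a real build, with the arguments from the report
# (./reproducers is a hypothetical directory of sample files):
#   verify_fix ./reproducers rastertohp foo bar baz 1 ''
```

Run it once against the unpatched build to confirm the reproducer actually triggers the crash; a sample that never crashed proves nothing about the patch.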

Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Sat, 28 Feb 2015 18:06:43 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 28 Feb 2015 18:06:43 GMT) (full text, mbox, link).


Message #52 received at 778387-close@bugs.debian.org (full text, mbox, reply):

From: Didier Raboud <odyx@debian.org>
To: 778387-close@bugs.debian.org
Subject: Bug#778387: fixed in cups 1.5.3-5+deb7u5
Date: Sat, 28 Feb 2015 18:02:07 +0000
Source: cups
Source-Version: 1.5.3-5+deb7u5

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778387@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 17 Feb 2015 08:24:04 +0100
Source: cups
Binary: libcups2 libcupsimage2 libcupscgi1 libcupsdriver1 libcupsmime1 libcupsppdc1 cups cups-client libcups2-dev libcupsimage2-dev libcupscgi1-dev libcupsdriver1-dev libcupsmime1-dev libcupsppdc1-dev cups-bsd cups-common cups-ppdc cups-dbg cupsddk
Architecture: source all amd64
Version: 1.5.3-5+deb7u5
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description: 
 cups       - Common UNIX Printing System(tm) - server
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-dbg   - Common UNIX Printing System(tm) - debugging symbols
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 cupsddk    - Common UNIX Printing System (transitional package)
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupscgi1 - Common UNIX Printing System(tm) - CGI library
 libcupscgi1-dev - Common UNIX Printing System(tm) - Development files for CGI libra
 libcupsdriver1 - Common UNIX Printing System(tm) - Driver library
 libcupsdriver1-dev - Common UNIX Printing System(tm) - Development files driver librar
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
 libcupsmime1 - Common UNIX Printing System(tm) - MIME library
 libcupsmime1-dev - Common UNIX Printing System(tm) - Development files MIME library
 libcupsppdc1 - Common UNIX Printing System(tm) - PPD manipulation library
 libcupsppdc1-dev - Common UNIX Printing System(tm) - Development files PPD library
Closes: 778387
Changes: 
 cups (1.5.3-5+deb7u5) wheezy-security; urgency=high
 .
   * Backport upstream patch to fix cupsRasterReadPixels buffer overflow with
     invalid page header and compressed raster data
     (CVE-2014-9679, STR: #4551, Closes: #778387)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#778387; Package cups. (Wed, 04 Mar 2015 21:27:12 GMT) (full text, mbox, link).


Acknowledgement sent to Didier 'OdyX' Raboud <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Wed, 04 Mar 2015 21:27:12 GMT) (full text, mbox, link).


Message #57 received at 778387@bugs.debian.org (full text, mbox, reply):

From: Didier 'OdyX' Raboud <odyx@debian.org>
To: debian-lts@lists.debian.org
Cc: Ben Hutchings <ben@decadent.org.uk>, pkg-cups-devel@lists.alioth.debian.org, 778387@bugs.debian.org
Subject: Re: squeeze update of cups?
Date: Wed, 04 Mar 2015 22:25:12 +0100
[Message part 1 (text/plain, inline)]
On Friday, 27 February 2015, 04.39:08 Ben Hutchings wrote:
> On Fri, 2015-02-27 at 03:17 +0000, Ben Hutchings wrote:
> > This does not fix the bug!
> 
> I cherry-picked git commit 6c087a72a0708bcb7929955c75770ee364755c42
> ("Add some range checking (probably more to come) to avoid divide-by-0
> errors."), after which the critical hunk of the patch for
> CVE-2014-9679 applied cleanly.  With Didier's original patch,
> 
>     zcat bogus.raster.gz | rastertohp foo bar baz 1 ''
> 
> still crashes (segmentation fault).  With the two patches applied, it
> fails cleanly (no pages found).  I was still able to print a test page
> (though I'm not certain that this uses the raster filter code in my
> configuration).
> 
> So I've uploaded with those two patches applied.

Thanks! I've now updated the VCS with your patches.

http://anonscm.debian.org/cgit/printing/cups.git/log/?h=master-squeeze-lts

OdyX
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 08:07:28 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:44:17 2019; Machine Name: buxtehude
