[Pkg-cups-devel] xpdf problems present in CUPS

Martin Schulze joey at infodrom.org
Wed Jan 11 19:33:13 UTC 2006


Hi,

CVE IDs        : CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624
                 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628

"infamous41md" and Chris Evans discovered several heap-based buffer
overflows in xpdf which are also present in CUPS, the Common UNIX
Printing System, and which can lead to a denial of service by crashing
the application or possibly to the execution of arbitrary code.

I'm attaching the patch we're going to use for the update of the
package in sarge.  Please fix the package in sid, mention the
corresponding CVE names and let us know which version fixes these
problems.

Regards,

	Joey

-- 
Never trust an operating system you don't have source for!

Please always Cc to me when replying to me on the lists.
-------------- next part --------------

Checking cupsys_1.1.23-10sarge1.diff.gz against stable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff -u cupsys-1.1.23/debian/patches/00list cupsys-1.1.23/debian/patches/00list
--- cupsys-1.1.23/debian/patches/00list
+++ cupsys-1.1.23/debian/patches/00list
@@ -25,0 +26 @@
+46_security_CAN-2005-3191.dpatch
diff -u cupsys-1.1.23/debian/changelog cupsys-1.1.23/debian/changelog
--- cupsys-1.1.23/debian/changelog
+++ cupsys-1.1.23/debian/changelog
@@ -1,3 +1,12 @@
+cupsys (1.1.23-10sarge1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Applied xpdf patch to fix buffer overflows [pdftops/Stream.cxx,
+    pdftops/Stream.h, CAN-2005-3191, CAN-2005-3192,
+    46_security_CAN-2005-3191.dpatch]
+
+ -- Martin Schulze <joey at infodrom.org>  Mon, 12 Dec 2005 10:55:23 +0100
+
 cupsys (1.1.23-10) unstable; urgency=high
 
   * Recovered http backend. -8 and -9 missed it. (closes: #305169)
only in patch2:
unchanged:
--- cupsys-1.1.23.orig/debian/patches/46_security_CAN-2005-3191.dpatch
+++ cupsys-1.1.23/debian/patches/46_security_CAN-2005-3191.dpatch
@@ -0,0 +1,134 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 46_security_CAN-2005-3191.dpatch by Joey Schulze <joey at infodrom.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixes buffer overflows, denoted as CAN-2005-3191 and CAN-2005-3192
+
+ at DPATCH@
+--- cupsys-1.1.23/pdftops/Stream.cxx.orig	2004-02-02 23:41:09.000000000 +0100
++++ cupsys-1.1.23/pdftops/Stream.cxx	2005-12-12 10:41:38.000000000 +0100
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -404,18 +405,41 @@ void ImageStream::skipLine() {
+ 
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ 				 int widthA, int nCompsA, int nBitsA) {
++  int totalBits;
++
+   str = strA;
+   predictor = predictorA;
+   width = widthA;
+   nComps = nCompsA;
+   nBits = nBitsA;
++  predLine = NULL;
++  ok = gFalse;
+ 
++  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++      nComps >= INT_MAX/nBits ||
++      width >= INT_MAX/nComps/nBits) {
++    return;
++  }
+   nVals = width * nComps;
++  if (nVals + 7 <= 0) {
++    return;
++  }
++  totalBits = nVals * nBits;
++  if (totalBits == 0 ||
++      (totalBits / nBits) / nComps != width ||
++      totalBits + 7 < 0) {
++    return;
++  }
+   pixBytes = (nComps * nBits + 7) >> 3;
+-  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++  rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++  if (rowBytes < 0) {
++    return;
++  }
+   predLine = (Guchar *)gmalloc(rowBytes);
+   memset(predLine, 0, rowBytes);
+   predIdx = rowBytes;
++
++  ok = gTrue;
+ }
+ 
+ StreamPredictor::~StreamPredictor() {
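Review bot: The checks `nVals + 7 <= 0` and `totalBits + 7 < 0` in the StreamPredictor constructor test for overflow after the signed addition has been evaluated, which is undefined behaviour in C++, so an optimising compiler is allowed to drop them. The first guard keeps `width * nComps * nBits` below INT_MAX but leaves no headroom for the `+ 7`, so those sums (and `nComps * nBits + 7` for pixBytes) can still exceed INT_MAX. Bounding against the headroom up front, `nComps >= (INT_MAX - 7) / nBits ||` and `width >= (INT_MAX - 7) / nComps / nBits) {`, keeps every later expression in range without depending on wraparound. The destructor's body lies outside the hunk, so whether it copes with `predLine == NULL` after an early return cannot be confirmed from here.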
+@@ -991,6 +1015,10 @@ LZWStream::LZWStream(Stream *strA, int p
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
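Review bot: A rejected predictor leaves the LZWStream constructor in the same state as `predictor == 1`: `pred` is NULL and nothing is reported, so the stream is presumably decoded afterwards as if no predictor had been requested. That turns malformed parameters into silently wrong output, which is hard to trace in a print filter's logs. Consider reporting the rejection inside the new branch, for example `error(getPos(), "Bad predictor parameters in LZW stream");`, if getPos() is usable at that point of construction. The FlateStream constructor hunk has the same branch, and both constructor bodies continue outside their hunks.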
+@@ -2891,6 +2919,10 @@ GBool DCTStream::readBaselineSOF() {
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
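Review bot: In readBaselineSOF the value from `str->getChar()` is stored in the member `numComps` before it is validated, so after the `return gFalse` the object still holds the out-of-range count; the readProgressiveSOF hunk does the same, and readScanInfo leaves the bad value in `scanInfo.numComps`. Whether any code reads those fields after a failed header parse is not visible in these hunks, but validating a local first, or resetting the field in the error branch (`numComps = 0;` / `scanInfo.numComps = 0;`), removes the question. Separately, this hunk's `error(getPos(), "Bad number of components in DCT stream", prec);` passes `prec` to a format string with no conversion; the other two hunks omit it and this one should too. All three function bodies continue outside their hunks.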
+@@ -2917,6 +2949,10 @@ GBool DCTStream::readProgressiveSOF() {
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream");
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -2939,6 +2975,10 @@ GBool DCTStream::readScanInfo() {
+ 
+   length = read16() - 2;
+   scanInfo.numComps = str->getChar();
++  if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream");
++    return gFalse;
++  }
+   --length;
+   if (length != 2 * scanInfo.numComps + 3) {
+     error(getPos(), "Bad DCT scan info block");
+@@ -3249,6 +3289,10 @@ FlateStream::FlateStream(Stream *strA, i
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
+--- cupsys-1.1.23/pdftops/Stream.h.orig	2004-02-02 23:41:09.000000000 +0100
++++ cupsys-1.1.23/pdftops/Stream.h	2005-12-12 10:41:38.000000000 +0100
+@@ -231,6 +231,8 @@ public:
+ 
+   ~StreamPredictor();
+ 
++  GBool isOk() { return ok; }
++
+   int lookChar();
+   int getChar();
+ 
+@@ -248,6 +250,7 @@ private:
+   int rowBytes;			// bytes per line
+   Guchar *predLine;		// line buffer
+   int predIdx;			// current index in predLine
++  GBool ok;
+ };
+ 
+ //------------------------------------------------------------------------
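Review bot: The new `GBool ok;` member is the only field in this private section without a trailing comment, and `isOk()` in the hunk above is undocumented, although together they form a contract that callers must follow. I would write `GBool ok;			// set once parameters are validated and predLine is allocated` and put `// Returns gFalse if the constructor rejected its parameters; check before reading.` above `isOk()`. The constructor hunk in Stream.cxx leaves `predLine` NULL when `ok` is gFalse, so any other code that constructs a StreamPredictor needs the same `isOk()` test that the LZWStream and FlateStream constructors gained. The class declaration starts outside the hunk.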

