[Pkg-cups-devel] Bug#436099: CVE-2007-3387: Integer overflow in cupsys

Steffen Joeris steffen.joeris at skolelinux.de
Sun Aug 5 12:06:22 UTC 2007 

Package: cupsys
Version: 1.2.12-1
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

A vulnerability has been found in libpoppler and related
packages. From CVE-2007-3387:

"Integer overflow in the StreamPredictor::StreamPredictor function in
gpdf before 2.8.2, as used in (1) poppler, (2) xpdf, (3) kpdf, (4)
kdegraphics, (5) CUPS, and other products, might allow remote
attackers to execute arbitrary code via a crafted PDF file."

Please mention the CVE id in the changelog.

A patch to fix this issue is attached below.
If you do not have the time, please give me permission to upload an
NMU.
Thanks for your efforts

Cheers
Steffen

diff -u cupsys-1.2.12/debian/patches/00list cupsys-1.2.12/debian/patches/00list
--- cupsys-1.2.12/debian/patches/00list
+++ cupsys-1.2.12/debian/patches/00list
@@ -26,0 +27 @@
+CVE-2007-3387.dpatch
diff -u cupsys-1.2.12/debian/changelog cupsys-1.2.12/debian/changelog
--- cupsys-1.2.12/debian/changelog
+++ cupsys-1.2.12/debian/changelog
@@ -1,3 +1,12 @@
+cupsys (1.2.12-1.1) unstable; urgency=high
+
+  * Non-maintainer upload
+  * Include upstream patch to fix integer overflow in the
+    StreamPredictor::StreamPredictor function
+    Fixes: CVE-2007-3387
+
+ -- Steffen Joeris <white at debian.org>  Sun, 05 Aug 2007 11:18:08 +0000
+
 cupsys (1.2.12-1) unstable; urgency=low

   * New upstream release
only in patch2:
unchanged:
--- cupsys-1.2.12.orig/debian/patches/CVE-2007-3387.dpatch
+++ cupsys-1.2.12/debian/patches/CVE-2007-3387.dpatch
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-3387.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix integer overflow in Stream.cxx
+
+ at DPATCH@
+--- Stream.cxx.old     2007-08-05 11:15:08.000000000 +0000
++++ cupsys-1.2.12/pdftops/Stream.cxx   2007-08-05 11:14:44.000000000 +0000
+@@ -412,9 +412,9 @@
+
+   nVals = width * nComps;
+   if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+-      nComps >= INT_MAX / nBits ||
+-      width >= INT_MAX / nComps / nBits ||
+-      nVals * nBits + 7 < 0) {
++      nComps > gfxColorMaxComps || nBits > 16 ||
++      width >= INT_MAX / nComps ||
++      nVals >= (INT_MAX - 7) / nBits) {
+     return;
+   }
+   pixBytes = (nComps * nBits + 7) >> 3;

More information about the Pkg-cups-devel mailing list