[Pkg-cups-devel] Bug#436099: CVE-2007-3387: Integer overflow in cupsys
Steffen Joeris
steffen.joeris at skolelinux.de
Sun Aug 5 12:06:22 UTC 2007
Package: cupsys
Version: 1.2.12-1
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
A vulnerability has been found in libpoppler and related
packages. From CVE-2007-3387:
"Integer overflow in the StreamPredictor::StreamPredictor function in
gpdf before 2.8.2, as used in (1) poppler, (2) xpdf, (3) kpdf, (4)
kdegraphics, (5) CUPS, and other products, might allow remote
attackers to execute arbitrary code via a crafted PDF file."
Please mention the CVE id in the changelog.
A patch to fix this issue is attached below.
If you do not have the time, please give me permission to upload an
NMU.
Thanks for your efforts
Cheers
Steffen
diff -u cupsys-1.2.12/debian/patches/00list cupsys-1.2.12/debian/patches/00list
--- cupsys-1.2.12/debian/patches/00list
+++ cupsys-1.2.12/debian/patches/00list
@@ -26,0 +27 @@
+CVE-2007-3387.dpatch
diff -u cupsys-1.2.12/debian/changelog cupsys-1.2.12/debian/changelog
--- cupsys-1.2.12/debian/changelog
+++ cupsys-1.2.12/debian/changelog
@@ -1,3 +1,12 @@
+cupsys (1.2.12-1.1) unstable; urgency=high
+
+ * Non-maintainer upload
+ * Include upstream patch to fix integer overflow in the
+ StreamPredictor::StreamPredictor function
+ Fixes: CVE-2007-3387
+
+ -- Steffen Joeris <white at debian.org> Sun, 05 Aug 2007 11:18:08 +0000
+
cupsys (1.2.12-1) unstable; urgency=low
* New upstream release
only in patch2:
unchanged:
--- cupsys-1.2.12.orig/debian/patches/CVE-2007-3387.dpatch
+++ cupsys-1.2.12/debian/patches/CVE-2007-3387.dpatch
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-3387.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix integer overflow in Stream.cxx
+
+ at DPATCH@
+--- Stream.cxx.old 2007-08-05 11:15:08.000000000 +0000
++++ cupsys-1.2.12/pdftops/Stream.cxx 2007-08-05 11:14:44.000000000 +0000
+@@ -412,9 +412,9 @@
+
+ nVals = width * nComps;
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+- nComps >= INT_MAX / nBits ||
+- width >= INT_MAX / nComps / nBits ||
+- nVals * nBits + 7 < 0) {
++ nComps > gfxColorMaxComps || nBits > 16 ||
++ width >= INT_MAX / nComps ||
++ nVals >= (INT_MAX - 7) / nBits) {
+ return;
+ }
+ pixBytes = (nComps * nBits + 7) >> 3;
More information about the Pkg-cups-devel
mailing list