reopen 535488
reopen 535489
thanks

On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:
> Hello Michael,
>
> Michael S. Gilbert [2009-07-02 12:35 -0400]:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for cups.
> >
> > CVE-2009-0791[0]:
> > | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
> > | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
> > | (application crash) or possibly execute arbitrary code via a crafted
> > | PDF file that triggers a heap-based buffer overflow, possibly related
> > | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
> > | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the
> > | JBIG2Stream.cxx vector may overlap CVE-2009-1179.
>
> This vulnerability does not affect cups. Because xpdf vulnerabilities
> are so common, the Debian cups package has used the external
> xpdf-utils or poppler-utils since at least woody.

are you sure about this? i've checked the etch cupsys and lenny cups
packages and found that the pdftops source is indeed present (and the
patches for this are not applied). the only way i see this as not
affected is if these packages do not build the pdftops code. i am not
that familiar with the package, so i did not check whether this is the
case.

i've checked the unstable cups package and the pdftops code is in fact
removed there.

mike