Your message dated Sun, 5 Aug 2007 19:07:47 +0200
with message-id <[EMAIL PROTECTED]>
and subject line [Pkg-cups-devel] Bug#436099: CVE-2007-3387: Integer overflow in cupsys
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: cupsys
Version: 1.2.12-1
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

A vulnerability has been found in libpoppler and related packages. From CVE-2007-3387:

"Integer overflow in the StreamPredictor::StreamPredictor function in gpdf before 2.8.2, as used in (1) poppler, (2) xpdf, (3) kpdf, (4) kdegraphics, (5) CUPS, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file."

Please mention the CVE id in the changelog. A patch to fix this issue is attached below. If you do not have the time, please give me permission to upload an NMU.

Thanks for your efforts

Cheers
Steffen

diff -u cupsys-1.2.12/debian/patches/00list cupsys-1.2.12/debian/patches/00list --- cupsys-1.2.12/debian/patches/00list +++ cupsys-1.2.12/debian/patches/00list @@ -26,0 +27 @@ +CVE-2007-3387.dpatch diff -u cupsys-1.2.12/debian/changelog cupsys-1.2.12/debian/changelog --- cupsys-1.2.12/debian/changelog +++ cupsys-1.2.12/debian/changelog @@ -1,3 +1,12 @@ +cupsys (1.2.12-1.1) unstable; urgency=high + + * Non-maintainer upload + * Include upstream patch to fix integer overflow in the + StreamPredictor::StreamPredictor function + Fixes: CVE-2007-3387 + + -- Steffen Joeris <[EMAIL PROTECTED]> Sun, 05 Aug 2007 11:18:08 +0000 + cupsys (1.2.12-1) unstable; urgency=low * New upstream release only in patch2: unchanged: --- cupsys-1.2.12.orig/debian/patches/CVE-2007-3387.dpatch +++ cupsys-1.2.12/debian/patches/CVE-2007-3387.dpatch 
@@ -0,0 +1,22 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2007-3387.dpatch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix integer overflow in Stream.cxx + [EMAIL PROTECTED]@ +--- Stream.cxx.old 2007-08-05 11:15:08.000000000 +0000 ++++ cupsys-1.2.12/pdftops/Stream.cxx 2007-08-05 11:14:44.000000000 +0000 +@@ -412,9 +412,9 @@ + + nVals = width * nComps; + if (width <= 0 || nComps <= 0 || nBits <= 0 || +- nComps >= INT_MAX / nBits || +- width >= INT_MAX / nComps / nBits || +- nVals * nBits + 7 < 0) { ++ nComps > gfxColorMaxComps || nBits > 16 || ++ width >= INT_MAX / nComps || ++ nVals >= (INT_MAX - 7) / nBits) { + return; + } + pixBytes = (nComps * nBits + 7) >> 3;
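Review bot: The new 1.2.12-1.1 entry in debian/changelog records `Fixes: CVE-2007-3387` but carries no `Closes:` reference, so an upload with this entry would leave the corresponding report open. Add the bug number to the entry once it is assigned (this report is #436099 per the subject line).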
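Review bot: In the Stream.cxx hunk, the context line `nVals = width * nComps;` still sits above the guard, so the signed multiplication can overflow (undefined behaviour in C++) before `width >= INT_MAX / nComps` gets a chance to reject the input. Split the guard instead: reject on the `width`, `nComps` and `nBits` range checks first, compute `nVals` only after `width >= INT_MAX / nComps` has passed, then apply `nVals >= (INT_MAX - 7) / nBits`. The hunk also starts using `gfxColorMaxComps` without touching any include, so confirm that Stream.cxx already sees its declaration.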
--- End Message ---
--- Begin Message ---
Hi Steffen,

Steffen Joeris [2007-08-05 22:06 +1000]:
> A vulnerability has been found in libpoppler and related
> packages. From CVE-2007-3387:
>
> "Integer overflow in the StreamPredictor::StreamPredictor function in
> gpdf before 2.8.2, as used in (1) poppler, (2) xpdf, (3) kpdf, (4)
> kdegraphics, (5) CUPS, and other products, might allow remote
> attackers to execute arbitrary code via a crafted PDF file."

Thanks, this was already on my radar, but Debian's cupsys is not affected by this. We have used the external xpdf-utils in Sarge and poppler-utils since Etch, specifically to avoid using the duplicated xpdf code in cups.

Martin

-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
--- End Message ---