On Sun, Oct 25, 2009 at 10:04:34AM -0600, Jasper Lievisse Adriaanse wrote: > CVSROOT: /cvs > Module name: ports > Changes by: jas...@cvs.openbsd.org 2009/10/25 10:04:34 > > Modified files: > print/cups : Makefile > Added files: > print/cups/patches: patch-config-scripts_cups-pdf_m4 > patch-config_h_in patch-filter_pdftops_c > > Log message: > SECURITY FIX for CVE-2009-3608, CVE-2009-3609. > CUPS "pdftops" Filter Data Handling Integer Overflow Vulnerabilities > Patch from Ubuntu.
No, sorry, but IMHO this isn't more than just a workaround about a vulnarabilty in pdftops from xpdf which has already been fixed. Read http://www.vupen.com/english/advisories/2009/2926, look at the patch, look what it does, then extract the cups sources and search for the functions mentioned in the vupen advisory. That advisory is just wrong. There's no integer overflow in cups' pdftops filter program (libexec/cups/filter/pdftops), the overflow is in xpdfs bin/pdftops, and this has been fixed. Note, I'm not blaming anyone here but the guys who wrote the original advisory, and all the sites reproducing the message (about cups beeing vulnerable itself) without checking it. And I really wonder how much we can trust in such advisories and wether we can trust and take patches from other distributions. Ciao, Kili
