MDKSA-2006:010
- Package name: cups
- Date: 2006-01-10
- Advisory ID: MDKSA-2006:010
- Affected versions: 2006.0 i586, CS2.1 i586, 10.2 i586, 10.1 i586, CS2.1 x86_64, CS3.0 x86_64, CS3.0 i586, 10.2 x86_64, 2006.0 x86_64, 10.1 x86_64
Problem description
Multiple heap-based buffer overflows in the
DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions
in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier
allow user-complicit attackers to cause a denial of service (heap
corruption) and possibly execute arbitrary code via a crafted PDF file
with an out-of-range number of components (numComps), which is used as
an array index. (CVE-2005-3191)

Heap-based buffer overflow in the StreamPredictor function in Xpdf 3.01
allows remote attackers to execute arbitrary code via a PDF file with
an out-of-range numComps (number of components) field. (CVE-2005-3192)

Heap-based buffer overflow in the JPXStream::readCodestream function
in the JPX stream parsing code (JPXStream.c) for xpdf 3.01 and earlier
allows user-complicit attackers to cause a denial of service (heap
corruption) and possibly execute arbitrary code via a crafted PDF file
with large size values that cause insufficient memory to be allocated.
(CVE-2005-3193)

An additional patch re-addresses memory allocation routines in
goo/gmem.c (Martin Pitt/Canonical, Dirk Mueller/KDE).
In addition, Chris Evans discovered several other vulnerabilities in
the xpdf code base:

- Out-of-bounds heap accesses with large or negative parameters to
  "FlateDecode" stream. (CVE-2005-3192)
- Out-of-bounds heap accesses with large or negative parameters to
  "CCITTFaxDecode" stream. (CVE-2005-3624)
- Infinite CPU spins in various places when stream ends unexpectedly.
  (CVE-2005-3625)
- NULL pointer crash in the "FlateDecode" stream. (CVE-2005-3626)
- Overflows of compInfo array in "DCTDecode" stream. (CVE-2005-3627)
- Possible to use index past end of array in "DCTDecode" stream.
  (CVE-2005-3627)
- Possible out-of-bounds indexing trouble in "DCTDecode" stream.
  (CVE-2005-3627)

CUPS uses an embedded copy of the xpdf code, with the same
vulnerabilities.

The updated packages have been patched to correct these problems.
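
An added illustration, not xpdf or CUPS code: a JPEG frame-header parser that applies the checks whose absence the description above names (a file-supplied component count or table index used to index a fixed array, a stream that ends early, and size values that make an allocation too small). All function and type names, the array capacities of 4 and the sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_COMPS  4   /* assumed size of the fixed per-component table */
#define MAX_QTABLE 4   /* assumed number of quantization-table slots */
struct comp  { uint8_t id, hsamp, vsamp, qtable; };
struct frame { uint16_t height, width; uint8_t ncomps; struct comp comp[MAX_COMPS]; };

/* Array allocation that refuses sizes where n * size would wrap around. */
void *alloc_array(size_t n, size_t size) {
    if (n == 0 || size == 0 || n > SIZE_MAX / size) return NULL;
    return malloc(n * size);
}

/* Parse a JPEG SOF payload: precision(1) height(2) width(2) ncomps(1), then
 * id(1) sampling(1) qtable(1) per component. Returns 0, or -1 when the data
 * is truncated or a file-supplied value would index outside a fixed array. */
int parse_sof(const uint8_t *p, size_t len, struct frame *f) {
    if (len < 6) return -1;                                /* stream ended early */
    f->height = (uint16_t)(p[1] << 8 | p[2]);
    f->width  = (uint16_t)(p[3] << 8 | p[4]);
    f->ncomps = p[5];
    if (f->ncomps < 1 || f->ncomps > MAX_COMPS) return -1; /* would overrun comp[] */
    if (len < 6 + 3u * f->ncomps) return -1;               /* component list truncated */
    for (unsigned i = 0; i < f->ncomps; i++) {
        const uint8_t *c = p + 6 + 3 * i;
        if (c[2] >= MAX_QTABLE) return -1;                 /* table index past the end */
        f->comp[i] = (struct comp){ c[0], (uint8_t)(c[1] >> 4), (uint8_t)(c[1] & 0x0f), c[2] };
    }
    return 0;
}

/* Sample buffer sized from the validated header; NULL on zero or wrapped size. */
uint8_t *alloc_samples(const struct frame *f) {
    size_t row = (size_t)f->width * f->ncomps;             /* <= 65535 * 4 */
    return alloc_array(f->height, row);
}

/* Constructed sample headers, not taken from any real file. */
const uint8_t SOF_OK[]  = { 8, 0, 16, 0, 16, 3, 1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1 };
const uint8_t SOF_BAD[] = { 8, 0, 16, 0, 16, 200, 1, 0x22, 0 };  /* ncomps = 200 */

int main(void) {
    struct frame f;
    printf("valid header:  %d\n", parse_sof(SOF_OK, sizeof SOF_OK, &f));
    printf("ncomps = 200:  %d\n", parse_sof(SOF_BAD, sizeof SOF_BAD, &f));
    return 0;
}
```
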
Updated packages
2006.0 i586
7fa2fe8c6e545eb18fd69f037688d701 2006.0/RPMS/cups-1.1.23-17.1.20060mdk.i586.rpm
045c02e7fe8e5c5a7c19710170892847 2006.0/RPMS/cups-common-1.1.23-17.1.20060mdk.i586.rpm
d0246199b3ca4cb26e91490fd85994f4 2006.0/RPMS/cups-serial-1.1.23-17.1.20060mdk.i586.rpm
f8b9623d2d7a925196c3496c6f8c491d 2006.0/RPMS/libcups2-1.1.23-17.1.20060mdk.i586.rpm
dca5e3b78ef5941f8f6880197e7c02c0 2006.0/RPMS/libcups2-devel-1.1.23-17.1.20060mdk.i586.rpm
f54c5483e511e5f94706d25d04b9bed7 2006.0/SRPMS/cups-1.1.23-17.1.20060mdk.src.rpm

CS2.1 i586
3a4a7fadc8472a8b9df603d06173a12b corporate/2.1/RPMS/cups-1.1.18-2.12.C21mdk.i586.rpm
8142c0e40cac5993bf87b20867403225 corporate/2.1/RPMS/cups-common-1.1.18-2.12.C21mdk.i586.rpm
a4246d3a163aad65368ad436ee271d3d corporate/2.1/RPMS/cups-serial-1.1.18-2.12.C21mdk.i586.rpm
61e710d2dbd5c3b24980a3aee8027609 corporate/2.1/RPMS/libcups1-1.1.18-2.12.C21mdk.i586.rpm
26b64c12e3b8b48e214fd7070f547879 corporate/2.1/RPMS/libcups1-devel-1.1.18-2.12.C21mdk.i586.rpm
06625c0147c5e2aaebd3575ed0133e6b corporate/2.1/SRPMS/cups-1.1.18-2.12.C21mdk.src.rpm

10.2 i586
5765c4454d6295a4a7cfc6eeeca70c77 10.2/RPMS/cups-1.1.23-11.2.102mdk.i586.rpm
d18d807072f5cc3d1c4ef98a2cf911ab 10.2/RPMS/cups-common-1.1.23-11.2.102mdk.i586.rpm
ef4f68b6a7b2201abd2bb3c70fe296be 10.2/RPMS/cups-serial-1.1.23-11.2.102mdk.i586.rpm
29ae7290946944562087a0191142e9cc 10.2/RPMS/libcups2-1.1.23-11.2.102mdk.i586.rpm
a853346dc6688da93a3231d12c1728f6 10.2/RPMS/libcups2-devel-1.1.23-11.2.102mdk.i586.rpm
5862692ff8114c7f78a808e946c371e6 10.2/SRPMS/cups-1.1.23-11.2.102mdk.src.rpm

10.1 i586
b5c52be00b23507bcd130c9e7d1ddd50 10.1/RPMS/cups-1.1.21-0.rc1.7.8.101mdk.i586.rpm
3c98e0ba4a584ca32a2a25eb20b33a39 10.1/RPMS/cups-common-1.1.21-0.rc1.7.8.101mdk.i586.rpm
1fe768077621d37fa855f51baeecd414 10.1/RPMS/cups-serial-1.1.21-0.rc1.7.8.101mdk.i586.rpm
4d8cc497b444ef413726f305af275a6a 10.1/RPMS/libcups2-1.1.21-0.rc1.7.8.101mdk.i586.rpm
a4d621ee0eccb8f95791b991fac95768 10.1/RPMS/libcups2-devel-1.1.21-0.rc1.7.8.101mdk.i586.rpm
7e0e073cfdd7c43d255aa80ed37c28d1 10.1/SRPMS/cups-1.1.21-0.rc1.7.8.101mdk.src.rpm

CS2.1 x86_64
fd0907a5db87cc55f999f05183866f4e x86_64/corporate/2.1/RPMS/cups-1.1.18-2.12.C21mdk.x86_64.rpm
7fb05a22ddee7df584552964b3c29d77 x86_64/corporate/2.1/RPMS/cups-common-1.1.18-2.12.C21mdk.x86_64.rpm
bf0863a6b7616e34678b6866e2c4d6df x86_64/corporate/2.1/RPMS/cups-serial-1.1.18-2.12.C21mdk.x86_64.rpm
d3925af3dc401c15a7d5a5da02b7469b x86_64/corporate/2.1/RPMS/libcups1-1.1.18-2.12.C21mdk.x86_64.rpm
fdc4cdf8756b835b28b6e6d6945914e4 x86_64/corporate/2.1/RPMS/libcups1-devel-1.1.18-2.12.C21mdk.x86_64.rpm
06625c0147c5e2aaebd3575ed0133e6b x86_64/corporate/2.1/SRPMS/cups-1.1.18-2.12.C21mdk.src.rpm

CS3.0 x86_64
fe95777cc7bdfd4b41daf4f9a19186c9 x86_64/corporate/3.0/RPMS/cups-1.1.20-5.10.C30mdk.x86_64.rpm
5e56191f8f14638ab5304ac94df6bb7a x86_64/corporate/3.0/RPMS/cups-common-1.1.20-5.10.C30mdk.x86_64.rpm
20f1396cf173d3b58d2a1dc4068770d4 x86_64/corporate/3.0/RPMS/cups-serial-1.1.20-5.10.C30mdk.x86_64.rpm
6da98153e198cd3b2456280feae5bdba x86_64/corporate/3.0/RPMS/lib64cups2-1.1.20-5.10.C30mdk.x86_64.rpm
83d2c68c0180d8ba395bc9c0cb8b1338 x86_64/corporate/3.0/RPMS/lib64cups2-devel-1.1.20-5.10.C30mdk.x86_64.rpm
9540dbf56f41e2f77d573ca2798cf306 x86_64/corporate/3.0/SRPMS/cups-1.1.20-5.10.C30mdk.src.rpm

CS3.0 i586
18480c0d569725ed5f5542a6e118e01a corporate/3.0/RPMS/cups-1.1.20-5.10.C30mdk.i586.rpm
41eed97b13410174f82c85e43b2b9c9f corporate/3.0/RPMS/cups-common-1.1.20-5.10.C30mdk.i586.rpm
c371b67e6315faae8afcd686a5f1affb corporate/3.0/RPMS/cups-serial-1.1.20-5.10.C30mdk.i586.rpm
43f1a46effe9a488642fbe7ba7932477 corporate/3.0/RPMS/libcups2-1.1.20-5.10.C30mdk.i586.rpm
da7a75b3e56a8ad8812bd88e078c4567 corporate/3.0/RPMS/libcups2-devel-1.1.20-5.10.C30mdk.i586.rpm
9540dbf56f41e2f77d573ca2798cf306 corporate/3.0/SRPMS/cups-1.1.20-5.10.C30mdk.src.rpm

10.2 x86_64
9d2e1052c4aeb7f6aad3e0d3c60f85d8 x86_64/10.2/RPMS/cups-1.1.23-11.2.102mdk.x86_64.rpm
8dfe2e759e0749cf7b7acdf077fab2e8 x86_64/10.2/RPMS/cups-common-1.1.23-11.2.102mdk.x86_64.rpm
0ae798ff3cad9bf639db492d3717ff99 x86_64/10.2/RPMS/cups-serial-1.1.23-11.2.102mdk.x86_64.rpm
b85e0f3831dae734217d76930813909b x86_64/10.2/RPMS/lib64cups2-1.1.23-11.2.102mdk.x86_64.rpm
38f5140a72acf7689b599bef9f923000 x86_64/10.2/RPMS/lib64cups2-devel-1.1.23-11.2.102mdk.x86_64.rpm
5862692ff8114c7f78a808e946c371e6 x86_64/10.2/SRPMS/cups-1.1.23-11.2.102mdk.src.rpm

2006.0 x86_64
2f3de58ff175a564fe4949538632af96 x86_64/2006.0/RPMS/cups-1.1.23-17.1.20060mdk.x86_64.rpm
f411ec48c957768194cde193e5693a9e x86_64/2006.0/RPMS/cups-common-1.1.23-17.1.20060mdk.x86_64.rpm
4ca9fcdc1d9c90c0d00cb5ba4c80ad06 x86_64/2006.0/RPMS/cups-serial-1.1.23-17.1.20060mdk.x86_64.rpm
c869457a90e4113d284730074dfa8b4e x86_64/2006.0/RPMS/lib64cups2-1.1.23-17.1.20060mdk.x86_64.rpm
98f854ccb1cff62ac98c70213d9da0f8 x86_64/2006.0/RPMS/lib64cups2-devel-1.1.23-17.1.20060mdk.x86_64.rpm
f54c5483e511e5f94706d25d04b9bed7 x86_64/2006.0/SRPMS/cups-1.1.23-17.1.20060mdk.src.rpm

10.1 x86_64
c782703a80182ba0f194a3fe59e29671 x86_64/10.1/RPMS/cups-1.1.21-0.rc1.7.8.101mdk.x86_64.rpm
77ddacf0c0a0e327190ff86c797a7eb3 x86_64/10.1/RPMS/cups-common-1.1.21-0.rc1.7.8.101mdk.x86_64.rpm
88f6f078e7bdf537359b12df1b116875 x86_64/10.1/RPMS/cups-serial-1.1.21-0.rc1.7.8.101mdk.x86_64.rpm
bba6774180d2f868f962f8ea8b6e0e51 x86_64/10.1/RPMS/lib64cups2-1.1.21-0.rc1.7.8.101mdk.x86_64.rpm
9cc3515dc6a6655e89a492a3664cea67 x86_64/10.1/RPMS/lib64cups2-devel-1.1.21-0.rc1.7.8.101mdk.x86_64.rpm
7e0e073cfdd7c43d255aa80ed37c28d1 x86_64/10.1/SRPMS/cups-1.1.21-0.rc1.7.8.101mdk.src.rpm
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
