MDVSA-2009:281

Package name
cups
Date
2009-10-19
Advisory ID
MDVSA-2009:281
Affected versions
CS4.0 x86_64 , CS4.0 i586

Problem description

Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2
and earlier, CUPS 1.3.9 and earlier, and other products allow
remote attackers to cause a denial of service (crash) via a
crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2)
JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap
(CVE-2009-0146, CVE-2009-0147).

Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and
earlier allows remote attackers to cause a denial of service (daemon
crash) and possibly execute arbitrary code via a crafted TIFF image,
which is not properly handled by the (1) _cupsImageReadTIFF function
in the imagetops filter and (2) imagetoraster filter, leading to a
heap-based buffer overflow (CVE-2009-0163).

Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
as used in Poppler and other products, when running on Mac OS X,
has unspecified impact, related to g*allocn (CVE-2009-0165).

The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
and other products allows remote attackers to cause a denial of service
(crash) via a crafted PDF file that triggers a free of uninitialized
memory (CVE-2009-0166).

Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
PDF file that triggers a heap-based buffer overflow, possibly
related to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c,
(4) JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE:
the JBIG2Stream.cxx vector may overlap CVE-2009-1179 (CVE-2009-0791).

The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10
does not properly initialize memory for IPP request packets, which
allows remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via a scheduler request with two
consecutive IPP_TAG_UNSUPPORTED tags (CVE-2009-0949).

Two integer overflow flaws were found in the CUPS pdftops filter. An
attacker could create a malicious PDF file that would cause pdftops
to crash or, potentially, execute arbitrary code as the lp user if
the file was printed. (CVE-2009-3608, CVE-2009-3609)

This update corrects the problems.

Updated packages

CS4.0 x86_64

 4b5dfea8300468703dd931cd8c9d319c  corporate/4.0/x86_64/cups-1.2.4-0.12.20060mlcs4.x86_64.rpm
 d5842ffe89db6334069202dfe59a60a4  corporate/4.0/x86_64/cups-common-1.2.4-0.12.20060mlcs4.x86_64.rpm
 03addb21b7f80f74b76bf5de1ad9f553  corporate/4.0/x86_64/cups-serial-1.2.4-0.12.20060mlcs4.x86_64.rpm
 e61669b6a72afaaf980f2d0e2186f716  corporate/4.0/x86_64/lib64cups2-1.2.4-0.12.20060mlcs4.x86_64.rpm
 b827d727711d51f60a3fdf7252e5021e  corporate/4.0/x86_64/lib64cups2-devel-1.2.4-0.12.20060mlcs4.x86_64.rpm
 932e3d535caefa568055d80517461bc1  corporate/4.0/x86_64/php-cups-1.2.4-0.12.20060mlcs4.x86_64.rpm 
 4188bab8bdcf0b31285cf8718910be96  corporate/4.0/SRPMS/cups-1.2.4-0.12.20060mlcs4.src.rpm

CS4.0 i586

 57fb29098baca176b04941fdf7d5c550  corporate/4.0/i586/cups-1.2.4-0.12.20060mlcs4.i586.rpm
 37087bf2fd62f470c776634f75e91689  corporate/4.0/i586/cups-common-1.2.4-0.12.20060mlcs4.i586.rpm
 6fd53fc460336a672ddf073d0854bd38  corporate/4.0/i586/cups-serial-1.2.4-0.12.20060mlcs4.i586.rpm
 bdecceaf7594a24fa8fff83cb647a49b  corporate/4.0/i586/libcups2-1.2.4-0.12.20060mlcs4.i586.rpm
 a368140c97ada3e036fab372ada3c061  corporate/4.0/i586/libcups2-devel-1.2.4-0.12.20060mlcs4.i586.rpm
 7a42fb1da9f89b51a3fb2d046163365a  corporate/4.0/i586/php-cups-1.2.4-0.12.20060mlcs4.i586.rpm 
 4188bab8bdcf0b31285cf8718910be96  corporate/4.0/SRPMS/cups-1.2.4-0.12.20060mlcs4.src.rpm

References