From bf68f1d784a0bfbb3610773d0212fef1af01962f Mon Sep 17 00:00:00 2001
From: Tim Waugh
Date: Fri, 9 May 2008 10:29:47 +0000
Subject: [PATCH] - Applied patch to fix CVE-2008-1722 (integer overflow in image filter, bug #441692, STR #2790).
---
 cups-CVE-2008-1722.patch | 71 ++++++++++++++++++++++++++++++++++++++++
 cups.spec | 8 ++++-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 cups-CVE-2008-1722.patch
diff --git a/cups-CVE-2008-1722.patch b/cups-CVE-2008-1722.patch
new file mode 100644
index 0000000..b74e3b8
--- /dev/null
+++ b/cups-CVE-2008-1722.patch
@@ -0,0 +1,71 @@
+diff -up cups-1.3.7/filter/image-png.c.CVE-2008-1722 cups-1.3.7/filter/image-png.c
+--- cups-1.3.7/filter/image-png.c.CVE-2008-1722 2007-07-11 22:46:42.000000000 +0100
++++ cups-1.3.7/filter/image-png.c 2008-05-09 11:27:45.000000000 +0100
+@@ -3,7 +3,7 @@
+ *
+ * PNG image routines for the Common UNIX Printing System (CUPS).
+ *
+- * Copyright 2007 by Apple Inc.
++ * Copyright 2007-2008 by Apple Inc.
+ * Copyright 1993-2007 by Easy Software Products.
+ *
+ * These coded instructions, statements, and computer programs are the
+@@ -170,16 +170,56 @@ _cupsImageReadPNG(
+ * Interlaced images must be loaded all at once...
+ */
+
++ size_t bufsize; /* Size of buffer */
++
++
+ if (color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+- in = malloc(img->xsize * img->ysize);
++ {
++ bufsize = img->xsize * img->ysize;
++
++ if ((bufsize / img->ysize) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)width, (unsigned)height);
++ fclose(fp);
++ return (1);
++ }
++ }
+ else
+- in = malloc(img->xsize * img->ysize * 3);
++ {
++ bufsize = img->xsize * img->ysize * 3;
++
++ if ((bufsize / (img->ysize * 3)) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)width, (unsigned)height);
++ fclose(fp);
++ return (1);
++ }
++ }
++
++ in = malloc(bufsize);
+ }
+
+ bpp = cupsImageGetDepth(img);
+ out = malloc(img->xsize * bpp);
+
++ if (!in || !out)
++ {
++ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
++
++ if (in)
++ free(in);
++
++ if (out)
++ free(out);
++
++ fclose(fp);
++
++ return (1);
++ }
++
+ /*
+ * Read the image, interlacing as needed...
+ */
diff --git a/cups.spec b/cups.spec
index 9b7bf4b..3779e64 100644
--- a/cups.spec
+++ b/cups.spec
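Review bot: In the image-png.c change carried by cups-CVE-2008-1722.patch, the RGB-branch test `(bufsize / (img->ysize * 3)) != img->xsize` divides by a product computed with the same arithmetic it is meant to validate, so if `img->ysize * 3` itself wraps, the comparison no longer proves that `bufsize` is the true size. Both branches also multiply in the operands' own type before the result reaches `size_t`, and divide by `img->ysize` with no zero check visible in the hunk. Testing the bound before multiplying covers these cases: `if (img->ysize == 0 || img->xsize > SIZE_MAX / 3 / img->ysize)` and then `bufsize = (size_t)img->xsize * img->ysize * 3;`, with the same form minus the `3` for grayscale. The context line `out = malloc(img->xsize * bpp);` keeps an unchecked product that the new NULL test does not address. The declarations of `xsize`/`ysize` and any earlier dimension limits lie outside the hunk, as does the rest of `_cupsImageReadPNG`, so how large these values can be here needs confirming.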
@@ -7,7 +7,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.3.7
-Release: 1%{?svn:.svn%{svn}}%{?dist}
+Release: 2%{?svn:.svn%{svn}}%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Source: ftp://ftp.easysw.com/pub/cups/test//cups-%{version}%{?svn:svn-r%{svn}}-source.tar.bz2
@@ -47,6 +47,7 @@ Patch22: cups-strict-ppd-line-length.patch
 Patch23: cups-logrotate.patch
 Patch25: cups-usb-paperout.patch
 Patch29: cups-CVE-2008-1373.patch
+Patch30: cups-CVE-2008-1722.patch
 Patch100: cups-lspp.patch
 Epoch: 1
 Url: http://www.cups.org/
@@ -164,6 +165,7 @@ lpd emulation.
 %patch23 -p1 -b .logrotate
 %patch25 -p1 -b .usb-paperout
 %patch29 -p1 -b .CVE-2008-1373
+%patch30 -p1 -b .CVE-2008-1722
 %if %lspp
 %patch100 -p1 -b .lspp
@@ -440,6 +442,10 @@ rm -rf $RPM_BUILD_ROOT
 %{cups_serverbin}/daemon/cups-lpd
 %changelog
+* Fri May 9 2008 Tim Waugh 1:1.3.7-2
+- Applied patch to fix CVE-2008-1722 (integer overflow in image filter,
+ bug #441692, STR #2790).
+
 * Thu Apr 3 2008 Tim Waugh
 - Main package requires exactly-matching libs package.