Mandriva Linux Security Advisory 2009-283 - cups suffers from denial of service, integer overflow, and buffer overflow vulnerabilities. This update corrects the problems.
6a986cbe02b428640424c30a7a68682178e6cab0da2aafa9fc12a51bfb358d7e
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:283
https://www.mandriva.com/security/
_______________________________________________________________________
Package : cups
Date : October 19, 2009
Affected: Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Multiple integer overflows in the JBIG2 decoder in
Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and
other products allow remote attackers to cause a denial
of service (crash) via a crafted PDF file, related to (1)
JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg,
and (3) JBIG2Stream::readGenericBitmap. (CVE-2009-0146, CVE-2009-0147)
Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and
earlier allows remote attackers to cause a denial of service (daemon
crash) and possibly execute arbitrary code via a crafted TIFF image,
which is not properly handled by the (1) _cupsImageReadTIFF function
in the imagetops filter and (2) imagetoraster filter, leading to a
heap-based buffer overflow. (CVE-2009-0163)
The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
and other products allows remote attackers to cause a denial of service
(crash) via a crafted PDF file that triggers a free of uninitialized
memory. (CVE-2009-0166)
Heap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9,
and probably other products, allows remote attackers to execute
arbitrary code via a PDF file with crafted JBIG2 symbol dictionary
segments (CVE-2009-0195).
Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
PDF file that triggers a heap-based buffer overflow, possibly
related to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c,
(4) JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE:
the JBIG2Stream.cxx vector may overlap CVE-2009-1179. (CVE-2009-0791)
The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
Poppler before 0.10.6, and other products allows remote attackers to
cause a denial of service (crash) via a crafted PDF file that triggers
an out-of-bounds read. (CVE-2009-0799)
Multiple input validation flaws in the JBIG2 decoder in Xpdf 3.02pl2
and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and
other products allow remote attackers to execute arbitrary code via
a crafted PDF file. (CVE-2009-0800)
The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10
does not properly initialize memory for IPP request packets, which
allows remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via a scheduler request with two
consecutive IPP_TAG_UNSUPPORTED tags. (CVE-2009-0949)
Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products
allows remote attackers to execute arbitrary code via a crafted PDF
file. (CVE-2009-1179)
The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
Poppler before 0.10.6, and other products allows remote attackers to
execute arbitrary code via a crafted PDF file that triggers a free
of invalid data. (CVE-2009-1180)
The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
Poppler before 0.10.6, and other products allows remote attackers to
cause a denial of service (crash) via a crafted PDF file that triggers
a NULL pointer dereference. (CVE-2009-1181)
Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2
and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and
other products allow remote attackers to execute arbitrary code via
a crafted PDF file. (CVE-2009-1182)
The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and
earlier, Poppler before 0.10.6, and other products allows remote
attackers to cause a denial of service (infinite loop and hang)
via a crafted PDF file. (CVE-2009-1183)
The directory-services functionality in the scheduler in CUPS 1.1.17
and 1.1.22 allows remote attackers to cause a denial of service (cupsd
daemon outage or crash) via manipulations of the timing of CUPS browse
packets, related to a pointer use-after-delete flaw. (CVE-2009-1196)
Two integer overflow flaws were found in the CUPS pdftops filter. An
attacker could create a malicious PDF file that would cause pdftops
to crash or, potentially, execute arbitrary code as the lp user if
the file was printed. (CVE-2009-3608, CVE-2009-3609)
This update corrects the problems.
_______________________________________________________________________
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0195
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
_______________________________________________________________________
Updated Packages:
Corporate 3.0:
86301a5d5c962256a88d4e15faba9bbf corporate/3.0/i586/cups-1.1.20-5.21.C30mdk.i586.rpm
378811817692045b489880711aa46c85 corporate/3.0/i586/cups-common-1.1.20-5.21.C30mdk.i586.rpm
b0b493387f5b0a67eb1bfa7b2cda1152 corporate/3.0/i586/cups-serial-1.1.20-5.21.C30mdk.i586.rpm
7236d2f3677e5f6e2ea740e291e145d5 corporate/3.0/i586/libcups2-1.1.20-5.21.C30mdk.i586.rpm
b6959ae680668c17cb2dc84077bfb1a8 corporate/3.0/i586/libcups2-devel-1.1.20-5.21.C30mdk.i586.rpm
902b2ecfff8325312ad095425ec6b31b corporate/3.0/SRPMS/cups-1.1.20-5.21.C30mdk.src.rpm
Corporate 3.0/X86_64:
633954b881b4a13641c71f5d8937d70e corporate/3.0/x86_64/cups-1.1.20-5.21.C30mdk.x86_64.rpm
b1f94eafb660f6df4f1a7bf5a59f48b7 corporate/3.0/x86_64/cups-common-1.1.20-5.21.C30mdk.x86_64.rpm
6962c849474e00d4381f68ce0d700baa corporate/3.0/x86_64/cups-serial-1.1.20-5.21.C30mdk.x86_64.rpm
775f8c2232eb751dae3fbd5aa347c31b corporate/3.0/x86_64/lib64cups2-1.1.20-5.21.C30mdk.x86_64.rpm
ec752b939267cf785a76161388d63b89 corporate/3.0/x86_64/lib64cups2-devel-1.1.20-5.21.C30mdk.x86_64.rpm
902b2ecfff8325312ad095425ec6b31b corporate/3.0/SRPMS/cups-1.1.20-5.21.C30mdk.src.rpm
Multi Network Firewall 2.0:
c998b8245740f55a475014ab84aa72c6 mnf/2.0/i586/cups-1.1.20-5.21.M20mdk.i586.rpm
caff03b6b69c0dc6dcf5b0e56bc583c3 mnf/2.0/i586/cups-common-1.1.20-5.21.M20mdk.i586.rpm
f4f7b5894f97f371dcaa84347170642c mnf/2.0/i586/cups-serial-1.1.20-5.21.M20mdk.i586.rpm
ae0eb99fdc9ce79efff159a5dcd3d64e mnf/2.0/i586/libcups2-1.1.20-5.21.M20mdk.i586.rpm
8e701f7caa03cd8d1bb42566965506e6 mnf/2.0/i586/libcups2-devel-1.1.20-5.21.M20mdk.i586.rpm
10e3ff36714b79b806b62137b3d7d246 mnf/2.0/SRPMS/cups-1.1.20-5.21.M20mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
https://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFK3OH6mqjQ0CJFipgRAsUOAKDHMqs7e509FxXN+hRs3MuoXG+hbACgxBLI
92SOL+8x2GTGblZj+/qsM7o=
=ZAtW
-----END PGP SIGNATURE-----