Bug 167801

Summary: CAN-2005-2097, 3191-3193, 3624-3628 CUPS Denial of Service
Product: [Retired] Fedora Legacy Reporter: John Dalbec <jpdalbec>
Component: cupsAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: sheltren
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
URL: http://rhn.redhat.com/errata/RHSA-2005-706.html
Whiteboard: LEGACY, rh73, rh90, 1, 2, 3, NEEDSWORK
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-08-30 19:57:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John Dalbec 2005-09-08 12:37:16 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050729 Netscape/8.0.3.3

Description of problem:
05.32.14 CVE: CAN-2005-2097
Platform: Unix
Title: Easy Software Products CUPS Denial of Service
Description: CUPS is a set of printing utilities for UNIX-based
systems. It is vulnerable to a denial of service issue due to improper
bounds checking done by the application when handling malformed PDF
files. Easy Software Products CUPS versions 1.1.23 rc1 and earlier are
vulnerable.
Ref: http://rhn.redhat.com/errata/RHSA-2005-706.html 

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:
Comment 1 Jeff Sheltren 2005-09-27 14:28:21 UTC 
the redhat 7.3 package, cups-1.1.14-15.4.5.legacy.src.rpm, does not have the
same code as included in the patches for newer versions.  Does anybody know if
it is vulnerable or not?
Comment 2 Jeff Sheltren 2005-09-28 13:25:23 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created updated packages for RH9, FC1, and FC2. I'm still not sure
about RH7.3.

RH9 is using the patch directly from RHEL 3, FC1 and FC2 I had to
create on my own.  They are the same as the RHEL patch, except
the line numbers are different, and I added open/close brackets
around the if statement to stick with the coding style in that file.

Packages are here:
http://www.cs.ucsb.edu/~jeff/legacy/cups/

da1434ced8fa03b9177139a778ced2af8470be4a  cups-1.1.17-13.3.0.15.legacy.src.rpm
c1b3596fdbdfdfe0f0121c4df11f8895ab6d13d6  cups-1.1.19-13.10.legacy.src.rpm
8842c291c9fabfa352176cf4bf0387d40c2dec7d  cups-1.1.20-11.11.3.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDOpnvKe7MLJjUbNMRAmolAJ4mTcbZvERdX7bs2vmKMJym4xRFkQCcDcHc
MV5K1gvi8Y1KUSW9pxTiyJw=
=r6IF
-----END PGP SIGNATURE-----
Comment 3 Marc Deslauriers 2006-03-12 14:07:07 UTC 
We've got a few more issues to fix:
CVE-2005-3191, 3192, 3193, 3624, 3625, 3626, 3627, 3628.

https://rhn.redhat.com/errata/RHSA-2005-878.html
https://rhn.redhat.com/errata/RHSA-2006-0163.html
Comment 4 Jesse Keating 2007-08-30 19:57:09 UTC 
Fedora Legacy project has ended.  These will not be fixed by Fedora Legacy.