Bug 441732

Summary: cups: integer overflow in the sun image handler
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: rbu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-22 06:42:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Description | Flags
Demo image from the public mail | none

Description Josh Bressers 2008-04-09 18:21:21 UTC
Thomas Pollet reported an integer overflow leading to a heap overflow in
CUPS' sun image filter.


There is more information here:
http://marc.info/?l=cups-bugs&m=120774808125153&w=2

Comment 1 Josh Bressers 2008-04-09 18:21:21 UTC
Created attachment 301869
Demo image from the public mail

Comment 2 Josh Bressers 2008-04-10 20:32:46 UTC
This looks to be just a NULL pointer dereference flaw.  It shouldn't have any
adverse effects on the CUPS server.

Comment 3 Tomas Hoger 2008-04-22 10:14:22 UTC
The NULL deref flaw was fixed in SVN commit r7221 (trunk) / r7222 (branch-1.3), which
adds a check for the calloc return value.

svn diff -c 7221 http://svn.easysw.com/public/cups/trunk/filter/image.c


Ludwig Nussel also pointed out that the multiplication in the calloc call can cause an
integer overflow.  The issue was reported as:

http://www.cups.org/str.php?L2805
http://www.cups.org/strfiles/2805/str2805.patch

(SVN commits r7472 (trunk) / r7485 (branch-1.3))

According to upstream analysis, the integer overflow is only possible on 32-bit
platforms and, as the tile array is not filled with image data, it only results in a
filter crash, which is logged by the CUPS scheduler.
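The two checks discussed in this comment, as an added illustration that is not CUPS code and not the upstream patch: a hypothetical tile-array allocation whose element count is the product of two dimensions, with a pre-check that refuses a product that would wrap before it reaches calloc, and a NULL check on calloc's result of the kind r7221 is described as adding. The struct, function names and dimensions are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical tile descriptor; stands in for the real structure,
   which is not shown on this page. */
typedef struct { unsigned char *pixels; } tile_t;

/* Returns 1 when xtiles * ytiles does not fit in 32 bits: the case the
   report describes for 32-bit builds, where the wrapped product would be
   handed to calloc and the resulting array is far too small. */
int tile_count_overflows_u32(uint32_t xtiles, uint32_t ytiles)
{
    return ytiles != 0 && xtiles > UINT32_MAX / ytiles;
}

/* Allocate xtiles * ytiles tile pointers. Returns NULL if either
   dimension is zero, if the product would wrap size_t (so the
   multiplication is never performed), or if calloc itself fails. */
tile_t **alloc_tiles(size_t xtiles, size_t ytiles)
{
    if (xtiles == 0 || ytiles == 0)
        return NULL;
    if (xtiles > SIZE_MAX / ytiles)      /* product would wrap */
        return NULL;
    tile_t **tiles = calloc(xtiles * ytiles, sizeof *tiles);
    return tiles;                        /* NULL on allocation failure */
}

int main(void)
{
    /* Constructed dimensions: 65536 x 65536 wraps to 0 in 32 bits. */
    printf("65536x65536 overflows u32: %d\n",
           tile_count_overflows_u32(65536u, 65536u));
    tile_t **t = alloc_tiles(4, 4);
    if (t == NULL) {                     /* the missing check r7221 adds */
        fputs("tile allocation failed\n", stderr);
        return 1;
    }
    free(t);
    return 0;
}
```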



Comment 5 Tomas Hoger 2008-05-22 06:42:51 UTC
Upstream confirmed that this issue can only cause a crash of the image filter.
The result is that the malicious print job is not printed.  All other jobs are unaffected.

Closing this bug, as this is not a security issue.