Bug 441732 - cups: integer overflow in the sun image handler
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority/Severity: medium / medium
Assigned To: Red Hat Product Security
Whiteboard: source=vendor-sec,reported=20080409,p...
Keywords: Security

Reported: 2008-04-09 14:21 EDT by Josh Bressers
Modified: 2016-03-04 06:23 EST
Last Closed: 2008-05-22 02:42:51 EDT
Doc Type: Bug Fix

Attachments
Demo image from the public mail (32 bytes, application/octet-stream), 2008-04-09 14:21 EDT, Josh Bressers

Description Josh Bressers 2008-04-09 14:21:21 EDT
Thomas Pollet reported an integer overflow leading to a heap overflow in
CUPS' sun image filter.


There is more information here:
http://marc.info/?l=cups-bugs&m=120774808125153&w=2
Comment 1 Josh Bressers 2008-04-09 14:21:21 EDT
Created attachment 301869
Demo image from the public mail
Comment 2 Josh Bressers 2008-04-10 16:32:46 EDT
This looks to be just a NULL pointer dereference flaw.  It shouldn't have any
adverse effects on the CUPS server.
Comment 3 Tomas Hoger 2008-04-22 06:14:22 EDT
The NULL deref flaw was fixed in SVN commits r7221 (trunk) / r7222 (branch-1.3),
which add a check for the calloc return value.

svn diff -c 7221 http://svn.easysw.com/public/cups/trunk/filter/image.c


Ludwig Nussel also pointed out that the multiplication in the calloc call can cause
an integer overflow.  The issue was reported as:

http://www.cups.org/str.php?L2805
http://www.cups.org/strfiles/2805/str2805.patch

(SVN commits r7472 (trunk) / r7485(branch-1.3))

According to upstream analysis, the integer overflow is only possible on 32-bit
platforms, and as the tile array is not filled with image data, it only results in a
filter crash, which is logged by the CUPS scheduler.

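The bug class described in the comment above, as an added example that is not the CUPS filter's own code: a tile count computed by the caller as `xtiles * ytiles` wraps in 32-bit arithmetic before `calloc()` ever sees it, so the allocator hands back a buffer far smaller than the image header implies, and an unchecked NULL from `calloc()` is the second failure mode the fixes address. The `tile_t` type, the function names, and the 65537 x 65537 geometry are constructed for this example; `uint32_t` is used for the count to model a 32-bit platform regardless of where the code is compiled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed tile record standing in for the filter's own type, which this
   example does not reproduce. Only its size matters here. */
typedef struct {
    uint32_t pixel[4];
} tile_t;                                   /* 16 bytes */

/* Element count computed in 32-bit arithmetic, modelling a 32-bit platform where
   size_t is 32 bits: the product silently wraps modulo 2^32. */
uint32_t tile_count_wrapped(uint32_t xtiles, uint32_t ytiles)
{
    return xtiles * ytiles;
}

/* Unchecked pattern: the caller multiplies first, so calloc() only ever sees the
   already-wrapped count and allocates far less than the image header implies. */
size_t unchecked_alloc_bytes(uint32_t xtiles, uint32_t ytiles)
{
    return (size_t)tile_count_wrapped(xtiles, ytiles) * sizeof(tile_t);
}

tile_t *alloc_tiles_unchecked(uint32_t xtiles, uint32_t ytiles)
{
    return calloc(tile_count_wrapped(xtiles, ytiles), sizeof(tile_t));
}

/* Hardened pattern: reject dimensions whose product does not fit in 32 bits,
   and treat a NULL from calloc() as an error instead of dereferencing it. */
tile_t *alloc_tiles_checked(uint32_t xtiles, uint32_t ytiles)
{
    if (xtiles == 0 || ytiles == 0)
        return NULL;                        /* nothing to allocate */
    if (xtiles > UINT32_MAX / ytiles)
        return NULL;                        /* xtiles * ytiles would overflow */
    return calloc((size_t)xtiles * ytiles, sizeof(tile_t));  /* may still be NULL */
}

/* 1 if the checked allocator accepts the geometry and memory was obtained,
   0 otherwise (rejected geometry or allocation failure). */
int checked_alloc_succeeds(uint32_t xtiles, uint32_t ytiles)
{
    tile_t *t = alloc_tiles_checked(xtiles, ytiles);
    if (t == NULL)
        return 0;
    free(t);
    return 1;
}

int main(void)
{
    /* Constructed hostile geometry: 65537 x 65537 tiles, 2^32 + 131073 in total,
       which wraps to 131073 in 32 bits. */
    uint32_t x = 65537u, y = 65537u;
    printf("wrapped count: %u tiles (%zu bytes)\n",
           tile_count_wrapped(x, y), unchecked_alloc_bytes(x, y));
    printf("checked alloc accepted hostile geometry? %d\n", checked_alloc_succeeds(x, y));
    printf("checked alloc accepted 4x4? %d\n", checked_alloc_succeeds(4u, 4u));
    return 0;
}
```

Whether the wrapped allocation then leads to a heap write or only to a crash depends on what the filter does with the array afterwards; the upstream analysis quoted in the comment is that the tile array is not filled with image data, which is why the outcome was a filter crash rather than memory corruption.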
Comment 5 Tomas Hoger 2008-05-22 02:42:51 EDT
Upstream confirmed that this issue can only cause a crash of the image filter.
The result is that the malicious print job is not printed.  All other jobs are unaffected.

Closing this bug, as this is not a security issue.
