Thomas Pollet reported an integer overflow leading to a heap overflow in CUPS' Sun image filter. There is more information here: http://marc.info/?l=cups-bugs&m=120774808125153&w=2
Created attachment 301869: Demo image from the public mail
This looks to be just a NULL pointer dereference flaw. It shouldn't have any adverse effects on the CUPS server.
The NULL dereference flaw was fixed in SVN commit r7221 (trunk) / r7222 (branch-1.3), which adds a check for the calloc return value:

svn diff -c 7221 http://svn.easysw.com/public/cups/trunk/filter/image.c

Ludwig Nussel also pointed out that the multiplication in the calloc call can cause an integer overflow. The issue was reported as:

http://www.cups.org/str.php?L2805
http://www.cups.org/strfiles/2805/str2805.patch

(SVN commits r7472 (trunk) / r7485 (branch-1.3))

According to upstream analysis, the integer overflow is only possible on 32-bit platforms, and as the tile array is not filled with image data, it only results in a filter crash, which is logged by the CUPS scheduler.
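The two defects discussed in the comment above (a calloc result that was never checked for NULL, and an element-count multiplication that can wrap on a 32-bit build) are shown below as an added example of how a filter can guard such a tile-array allocation. This is not CUPS' code: tile_t, mul_ok, alloc_tiles and wrapped_product32 are hypothetical names constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical per-tile record standing in for the filter's tile descriptor
 * (constructed for this example; not CUPS' own type). */
typedef struct {
    unsigned char *pixels;   /* NULL until the tile is loaded */
    int            dirty;
} tile_t;

/* Checked multiply: returns 1 and stores a*b in *out, or 0 when the product
 * would not fit in size_t. This is the check an unguarded calloc(n * m, ...)
 * expression lacks. */
int mul_ok(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;                /* would wrap: refuse instead of under-allocating */
    *out = a * b;
    return 1;
}

/* Allocate a zeroed xtiles-by-ytiles grid. Returns NULL (and the caller must
 * treat that as "reject the image") when the element count overflows or when
 * calloc itself fails, the case the original code forgot to check. */
tile_t *alloc_tiles(size_t xtiles, size_t ytiles)
{
    size_t count, bytes;

    if (!mul_ok(xtiles, ytiles, &count))         /* element count overflow */
        return NULL;
    if (!mul_ok(count, sizeof(tile_t), &bytes))  /* byte size overflow */
        return NULL;

    tile_t *tiles = calloc(count, sizeof(tile_t));
    if (tiles == NULL)                           /* out of memory: do not deref */
        return NULL;
    return tiles;
}

/* What happens without the check when the product is formed in a 32-bit
 * unsigned type (as on a 32-bit platform): the value silently wraps and a
 * far smaller buffer than intended would be requested. Unsigned wrap-around
 * is defined in C, but the result is simply wrong. */
uint32_t wrapped_product32(uint32_t a, uint32_t b)
{
    return a * b;
}
```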
Upstream confirmed that this issue can only cause a crash of the image filter. The result is that the malicious print job is not printed. All other jobs are unaffected. Closing this bug, as this is not a security issue.