A heap-based buffer overflow issue exists within the read_rle16() function of the imagetops CUPS image filter. The row count is not properly validated, and is used to control how many 16-bit integers are stored in a heap-based buffer. Acknowledgements: Red Hat would like to thank "regenrecht" for reporting this issue.
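The kind of validation the report above says is missing, as an added example that is not CUPS code and not the upstream patch: an RLE16 row decoder that rejects any run that would not fit in the destination row. The control-word layout (low 7 bits = run length, bit 7 = literal run, zero = end of row) is assumed from the SGI image RLE scheme, and the names `rle16_decode_row` and `get_be16` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Read one big-endian 16-bit word; returns -1 if the input is exhausted. */
static long get_be16(const uint8_t *in, size_t in_len, size_t *pos)
{
    if (in_len - *pos < 2)
        return -1;
    long v = ((long)in[*pos] << 8) | in[*pos + 1];
    *pos += 2;
    return v;
}

/*
 * Decode one RLE16 row into row[0..row_cap-1] (hypothetical helper).
 * Returns the number of pixels written, or -1 if the stream is truncated
 * or a run would write past row_cap.
 */
long rle16_decode_row(const uint8_t *in, size_t in_len,
                      uint16_t *row, size_t row_cap)
{
    size_t pos = 0, out = 0;

    for (;;) {
        long ctl = get_be16(in, in_len, &pos);
        if (ctl < 0)
            return -1;                  /* truncated before end-of-row */
        size_t count = (size_t)(ctl & 0x7f);
        if (count == 0)                 /* end-of-row marker */
            return (long)out;
        if (count > row_cap - out)      /* run does not fit: reject the row */
            return -1;
        if (ctl & 0x80) {               /* literal run: copy count values */
            for (size_t i = 0; i < count; i++) {
                long v = get_be16(in, in_len, &pos);
                if (v < 0)
                    return -1;
                row[out++] = (uint16_t)v;
            }
        } else {                        /* repeat run: one value, count times */
            long v = get_be16(in, in_len, &pos);
            if (v < 0)
                return -1;
            for (size_t i = 0; i < count; i++)
                row[out++] = (uint16_t)v;
        }
    }
}
```

The bound is checked against the remaining capacity before any write, so an oversized run leaves the buffer untouched instead of being partially stored.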
Created attachment 318027: Patch from Apple
Public now via:
http://cups.org/articles.php?L575
http://www.cups.org/str.php?L2918
Fixed upstream in: 1.3.9
cups-1.3.9-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.3.9-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0937.html
Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8801
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8844
iDefense advisory:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=753
http://marc.info/?l=full-disclosure&m=122574815122872&w=4