An integer overflow issue exists within the WriteProlog() function in the texttops CUPS image filter. When calculating the page size for storing PostScript data, values are derived from user content and are used in multiplication. If the operation overflows, a small destination buffer may be allocated, resulting in a heap-based buffer overflow. Acknowledgements: Red Hat would like to thank "regenrecht" for reporting this issue.
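The size-calculation pattern described in the report above, as an added example that is not the CUPS source or the attached patch: an unchecked 32-bit multiplication of content-derived dimensions next to a checked form that rejects the request before allocating. The function names, the 8-byte cell size, and the 16 MiB cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* All names and constants here are hypothetical; this is not CUPS code. */
#define CELL_BYTES     8u                          /* assumed bytes per character cell */
#define MAX_PAGE_BYTES ((size_t)16 * 1024 * 1024)  /* assumed policy cap */

/* "Before" pattern: the 32-bit product wraps silently, so the byte count
 * can be far smaller than the columns x lines grid written afterwards. */
static uint32_t page_bytes_unchecked(uint32_t columns, uint32_t lines)
{
    return columns * lines * CELL_BYTES;
}

/* Hardened form: validate by division before multiplying.
 * Returns 0 and stores the size in *out, or -1 if the request is rejected. */
static int page_bytes_checked(uint32_t columns, uint32_t lines, size_t *out)
{
    size_t max_cells = MAX_PAGE_BYTES / CELL_BYTES;

    if (columns == 0 || lines == 0)
        return -1;
    if (columns > max_cells / lines)   /* columns * lines would exceed the cap */
        return -1;
    *out = (size_t)columns * lines * CELL_BYTES;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal page and dimensions chosen so the product wraps. */
    const uint32_t dims[][2] = { { 80, 66 }, { 0x20000001u, 8 } };

    for (size_t i = 0; i < sizeof(dims) / sizeof(dims[0]); i++) {
        size_t safe = 0;
        int rc = page_bytes_checked(dims[i][0], dims[i][1], &safe);
        printf("%u x %u: unchecked=%u bytes, checked=%s\n",
               (unsigned)dims[i][0], (unsigned)dims[i][1],
               (unsigned)page_bytes_unchecked(dims[i][0], dims[i][1]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The division-based test avoids performing the multiplication until it is known to fit, and the explicit cap also rejects sizes that would fit in a 64-bit size_t but are unreasonable for a page buffer.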
Created attachment 318028
Patch from Apple
Public now via:
http://cups.org/articles.php?L575
http://www.cups.org/str.php?L2919

Fixed upstream in: 1.3.9
cups-1.3.9-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.3.9-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0937.html

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8801
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8844
iDefense advisory:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=752
http://marc.info/?l=full-disclosure&m=122574839023267&w=4