An integer overflow flaw, leading to a heap-based buffer overflow, was discovered in the Tagged Image File Format (TIFF) decoding routines used by the CUPS image-converting filters, "imagetops" and "imagetoraster". An attacker could create a malicious TIFF file that could, potentially, execute arbitrary code as the "lp" user if the file was printed. Acknowledgements: Red Hat would like to thank Aaron Sigel of the Apple Product Security team and iDefense for responsibly reporting this flaw.
CUPS STR for this issue: http://www.cups.org/str.php?L3031
Created attachment 335488 [details] CUPS imageReadTIFF patch
Embargo has been lifted.
Fixed upstream in 1.3.10: http://www.cups.org/articles.php?L582
cups-1.3.10-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/cups-1.3.10-1.fc9
cups-1.3.10-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/cups-1.3.10-1.fc10
cups-1.3.10-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.3.10-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 3 Via RHSA-2009:0428 https://rhn.redhat.com/errata/RHSA-2009-0428.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:0429 https://rhn.redhat.com/errata/RHSA-2009-0429.html
All children bugs have been closed, closing parent bug