An unchecked index issue exists within the PW_pen_width() and PC_pen_color() functions in the hpgltops CUPS image filter. Buffer bounds are not properly validated when handling the pen width and pen color opcodes, potentially resulting in arbitrary memory being overwritten with controlled data. Acknowledgements: Red Hat would like to thank "regenrecht" for reporting this issue.
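The class of bug described above, shown with its check in place, as an added example that is not CUPS code or the attached patch. `pens`, `MAX_PENS`, `pen_index()` and `apply_pen_op()` are hypothetical names, the "PW width,pen" / "PC pen,r,g,b" parameter layout is a simplification, and rejecting an out-of-range pen is one possible policy, not necessarily the one upstream chose.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PENS 8   /* hypothetical table size, not taken from CUPS */

typedef struct { double rgb[3]; double width; } pen_t;
static pen_t pens[MAX_PENS];

/* Map a 1-based pen number (parsed as a double) to a table index, or -1.
 * The range test runs on the double before the cast, because converting an
 * out-of-range double to int is undefined behaviour. NaN fails both tests. */
static int pen_index(double number)
{
    if (!(number >= 1.0 && number <= (double)MAX_PENS))
        return -1;
    return (int)number - 1;
}

/* Apply "PW width,pen" or "PC pen,r,g,b". Returns 0 if applied, -1 if rejected. */
int apply_pen_op(const char *op, const double *p, int n)
{
    int pen, i;

    if (strcmp(op, "PW") == 0 && n == 2) {
        if ((pen = pen_index(p[1])) < 0 || !(p[0] >= 0.0))
            return -1;
        pens[pen].width = p[0];
        return 0;
    }
    if (strcmp(op, "PC") == 0 && n == 4) {
        if ((pen = pen_index(p[0])) < 0)
            return -1;
        for (i = 1; i < 4; i++)          /* validate all before writing any */
            if (!(p[i] >= 0.0 && p[i] <= 255.0))
                return -1;
        for (i = 1; i < 4; i++)
            pens[pen].rgb[i - 1] = p[i] / 255.0;
        return 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed parameters: one in-range pen, one far outside the table. */
    double ok[2] = { 0.5, 3.0 }, bad[2] = { 0.5, 4294967297.0 };
    printf("PW pen 3: %d\n", apply_pen_op("PW", ok, 2));
    printf("PW pen 2^32+1: %d\n", apply_pen_op("PW", bad, 2));
    return 0;
}
```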
Created attachment 318029: Patch from Apple
Public now via:
  http://cups.org/articles.php?L575
  http://www.cups.org/str.php?L2911
Fixed upstream in: 1.3.9
The fix for this issue was reported to introduce a regression in the HP-GL/2 file format handling:
  http://www.cups.org/str.php?L2966
According to upstream, "It shouldn't break "valid" HP-GL/2 files that specify pen numbers."
cups-1.3.9-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.3.9-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0937.html
Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8801
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8844