oss-sec mailing list archives
Re: CVE Request: Cups: cupsRasterReadPixels buffer overflow
From: cve-assign () mitre org
Date: Thu, 12 Feb 2015 11:54:05 -0500 (EST)
> https://www.cups.org/str.php?L4551
> A malformed compressed raster file can trigger a buffer overflow in cupsRasterReadPixels.
> causes count (which is unsigned) to wrap around
> I can confirm that that patch fixes the buffer overflow
Use CVE-2014-9679 for this integer overflow that was fixed in 2.0.2. The scope of this CVE does not include the "nothing that guarantees that r->bpp is non-zero" observation in the "Feb 1, 2015" comment.
> since compression isn't used between filters and since we use sandboxing whenever possible, it is unlikely that this will be exploitable
This isn't directly relevant to whether a CVE should exist, but http://cups.org/documentation.php/doc-2.0/man-cups-files.conf.html mentions 'Specifies the level of security sandboxing that is applied to print filters, backends, and other child processes of the scheduler. The default is "strict". This directive is currently only used/supported on OS X.' Apparently some online discussions of CUPS include third-party recommendations to disable sandboxing.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
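
An added illustration, not part of the original message and not the CUPS source: a constructed toy run-length decoder showing how an unsigned count can wrap when a clamped run is smaller than one pixel, next to a hardened decoder that rejects that input and a zero bpp. The record format, function names and sample bytes are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy format: records of [run-1][one pixel of bpp bytes]. */
static const unsigned char SAMPLE_OK[]  = {0x01, 1, 2, 3, 4};
static const unsigned char SAMPLE_BAD[] = {0x01, 1, 2, 3, 4, 0x00, 5, 6, 7, 8};
static unsigned char line_buf[16];

/* Unchecked arithmetic: bytes still to replicate after the first pixel of a
 * run. If the clamp leaves count < bpp, the unsigned subtraction wraps. */
static unsigned rest_unchecked(unsigned run, unsigned bpp, unsigned remaining)
{
    unsigned count = run * bpp;
    if (count > remaining) count = remaining;
    return count - bpp;
}

/* Hardened decoder: returns 0 on success, -1 on malformed input. */
static int decode_line(const unsigned char *in, size_t in_len,
                       unsigned char *line, unsigned line_len, unsigned bpp)
{
    unsigned remaining = line_len;

    if (bpp == 0 || bpp > line_len) return -1;   /* zero bpp never decodes */
    while (remaining > 0) {
        unsigned run, i;
        if (in_len <= bpp) return -1;            /* truncated record */
        run = (unsigned)in[0] + 1;
        if (run > remaining / bpp) run = remaining / bpp;  /* clamp in pixels */
        if (run == 0) return -1;                 /* remaining < bpp: would wrap */
        for (i = 0; i < run; i++, line += bpp)
            memcpy(line, in + 1, bpp);
        remaining -= run * bpp;
        in += bpp + 1;
        in_len -= bpp + 1;
    }
    return 0;
}

int main(void)
{
    printf("unchecked rest: %u\n", rest_unchecked(1, 4, 2));
    printf("well-formed:    %d\n", decode_line(SAMPLE_OK, sizeof SAMPLE_OK, line_buf, 8, 4));
    printf("malformed:      %d\n", decode_line(SAMPLE_BAD, sizeof SAMPLE_BAD, line_buf, 10, 4));
    return 0;
}
```
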
Current thread:
- CVE Request: Cups: cupsRasterReadPixels buffer overflow Kristian Fiskerstrand (Feb 10)
- Re: CVE Request: Cups: cupsRasterReadPixels buffer overflow cve-assign (Feb 12)