rpms/cups/F-8 cups-CVE-2008-1722.patch, NONE, 1.1 cups.spec, 1.391, 1.392

Tim Waugh (twaugh) fedora-extras-commits at redhat.com
Fri May 9 10:41:38 UTC 2008 

Author: twaugh

Update of /cvs/pkgs/rpms/cups/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10887

Modified Files:
	cups.spec 
Added Files:
	cups-CVE-2008-1722.patch 
Log Message:
* Fri May  9 2008 Tim Waugh <twaugh at redhat.com> 1:1.3.7-2
- Applied patch to fix CVE-2008-1722 (integer overflow in image filter,
  bug #441692, STR #2790).


cups-CVE-2008-1722.patch:

--- NEW FILE cups-CVE-2008-1722.patch ---
diff -up cups-1.3.7/filter/image-png.c.CVE-2008-1722 cups-1.3.7/filter/image-png.c
--- cups-1.3.7/filter/image-png.c.CVE-2008-1722	2007-07-11 22:46:42.000000000 +0100
+++ cups-1.3.7/filter/image-png.c	2008-05-09 11:39:39.000000000 +0100
@@ -3,7 +3,7 @@
  *
  *   PNG image routines for the Common UNIX Printing System (CUPS).
  *
- *   Copyright 2007 by Apple Inc.
+ *   Copyright 2007-2008 by Apple Inc.
  *   Copyright 1993-2007 by Easy Software Products.
  *
  *   These coded instructions, statements, and computer programs are the
@@ -170,16 +170,56 @@ _cupsImageReadPNG(
     * Interlaced images must be loaded all at once...
     */
 
+    size_t bufsize;			/* Size of buffer */
+
+
     if (color_type == PNG_COLOR_TYPE_GRAY ||
 	color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
-      in = malloc(img->xsize * img->ysize);
+    {
+      bufsize = img->xsize * img->ysize;
+
+      if ((bufsize / img->ysize) != img->xsize)
+      {
+	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+		(unsigned)img->xsize, (unsigned)img->ysize);
+	fclose(fp);
+	return (1);
+      }
+    }
     else
-      in = malloc(img->xsize * img->ysize * 3);
+    {
+      bufsize = img->xsize * img->ysize * 3;
+
+      if ((bufsize / (img->ysize * 3)) != img->xsize)
+      {
+	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+		(unsigned)img->xsize, (unsigned)img->ysize);
+	fclose(fp);
+	return (1);
+      }
+    }
+
+    in = malloc(bufsize);
   }
 
   bpp = cupsImageGetDepth(img);
   out = malloc(img->xsize * bpp);
 
+  if (!in || !out)
+  {
+    fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
+
+    if (in)
+      free(in);
+
+    if (out)
+      free(out);
+
+    fclose(fp);
+
+    return (1);
+  }
+
  /*
   * Read the image, interlacing as needed...
   */


Index: cups.spec
===================================================================
RCS file: /cvs/pkgs/rpms/cups/F-8/cups.spec,v
retrieving revision 1.391
retrieving revision 1.392
diff -u -r1.391 -r1.392
--- cups.spec	2 May 2008 07:12:05 -0000	1.391
+++ cups.spec	9 May 2008 10:40:59 -0000	1.392
@@ -6,7 +6,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.3.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Source: ftp://ftp.easysw.com/pub/cups/test//cups-%{version}-source.tar.bz2
@@ -47,6 +47,7 @@
 Patch22: cups-strict-ppd-line-length.patch
 Patch25: cups-usb-paperout.patch
 Patch29: cups-CVE-2008-1373.patch
+Patch30: cups-CVE-2008-1722.patch
 Patch100: cups-lspp.patch
 Epoch: 1
 Url: http://www.cups.org/
@@ -161,6 +162,7 @@
 %patch22 -p1 -b .strict-ppd-line-length
 %patch25 -p1 -b .usb-paperout
 %patch29 -p1 -b .CVE-2008-1373
+%patch30 -p1 -b .CVE-2008-1722
 
 %if %lspp
 %patch100 -p1 -b .lspp
@@ -453,6 +455,10 @@
 %{cups_serverbin}/daemon/cups-lpd
 
 %changelog
+* Fri May  9 2008 Tim Waugh <twaugh at redhat.com> 1:1.3.7-2
+- Applied patch to fix CVE-2008-1722 (integer overflow in image filter,
+  bug #441692, STR #2790).
+
 * Fri May  2 2008 Tim Waugh <twaugh at redhat.com>
 - Include the hostname in the charset error (part of bug #441719).

More information about the fedora-extras-commits mailing list