Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 26 Nov 2008 00:21:34 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        freebsd-vuxml@freebsd.org
Subject:   ports/129193: [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
Message-ID:  <20081125212134.7A533F181D@phoenix.codelabs.ru>
Resent-Message-ID: <200811252130.mAPLU2hv022172@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         129193
>Category:       ports
>Synopsis:       [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 25 21:30:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE i386

>Description:

Release notes for CUPS 1.3.10 say that there were potential buffer
overflow in the PNG reader code:
  http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt

The corresponding entry in the CUPS bug tracker is at
  http://www.cups.org/str.php?L2974

>How-To-Repeat:

Look at the above URLs.

>Fix:

The following patch updates the port itself.  I had used PORTREVISION
of 2, but the patch was made against the clean 1.3.9 tree.  If it will
be applied simultaneously with the patch in ports/129001, then the
PORTVERSION can be set to 1.  In this case the below VuXML entry
should be changed to reflect this.

--- 1.3.9-fix-potential-PNG-buffer-overflow.diff begins here ---
>From 95c304d2b3ce819ea68f493f6dcc2fed76ac2029 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Wed, 26 Nov 2008 00:11:53 +0300

See: http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
See: http://www.openwall.com/lists/oss-security/2008/11/25/2

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 print/cups-base/Makefile            |    1 +
 print/cups-base/files/patch-str2974 |   27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 0 deletions(-)
 create mode 100644 print/cups-base/files/patch-str2974

diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile
index 87e5ee3..aad7c52 100644
--- a/print/cups-base/Makefile
+++ b/print/cups-base/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	cups
 PORTVERSION=	1.3.9
+PORTREVISION=	2
 DISTVERSIONSUFFIX=	-source
 CATEGORIES=	print
 MASTER_SITES=	EASYSW/${PORTNAME}/${DISTVERSION}
diff --git a/print/cups-base/files/patch-str2974 b/print/cups-base/files/patch-str2974
new file mode 100644
index 0000000..f407d55
--- /dev/null
+++ b/print/cups-base/files/patch-str2974
@@ -0,0 +1,27 @@
+Fix for the buffer overflow in the PNG reading code
+
+See: http://www.cups.org/str.php?L2974
+Obtained from: http://www.cups.org/strfiles/2974/str2974.patch
+
+Index: filter/image-png.c
+===================================================================
+--- filter/image-png.c	(revision 8062)
++++ filter/image-png.c	(working copy)
+@@ -178,7 +178,7 @@
+     {
+       bufsize = img->xsize * img->ysize;
+ 
+-      if ((bufsize / img->ysize) != img->xsize)
++      if ((bufsize / img->xsize) != img->ysize)
+       {
+ 	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ 		(unsigned)width, (unsigned)height);
+@@ -190,7 +190,7 @@
+     {
+       bufsize = img->xsize * img->ysize * 3;
+ 
+-      if ((bufsize / (img->ysize * 3)) != img->xsize)
++      if ((bufsize / (img->xsize * 3)) != img->ysize)
+       {
+ 	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ 		(unsigned)width, (unsigned)height);
-- 
1.6.0.4
--- 1.3.9-fix-potential-PNG-buffer-overflow.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="unknown">
    <topic>cups -- potential buffer overflow in PNG reading code</topic>
    <affects>
      <package>
	<name>cups-base</name>
	<range><lt>1.3.9_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">;
	<p>ChangeLog for CUPS 1.3.10 says:</p>
	<blockquote cite="http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt">;

	  <p>SECURITY: The PNG image reading code did not validate
	  the image size properly, leading to a potential buffer
	  overflow (STR #2974)</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt</url>;
      <mlist>http://www.openwall.com/lists/oss-security/2008/11/25/2</mlist>;
    </references>
    <dates>
      <discovery>2008-11-25</discovery>
      <entry>today</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081125212134.7A533F181D>