To: FreeBSD-gnats-submit@freebsd.org
From: Eygene Ryabinkin
X-send-pr-version: 3.113
X-GNATS-Notify: dinoex@freebsd.org
Message-Id: <20081125212134.7A533F181D@phoenix.codelabs.ru>
Date: Wed, 26 Nov 2008 00:21:34 +0300 (MSK)
Cc: freebsd-vuxml@freebsd.org
Subject: [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
Reply-To: Eygene Ryabinkin
List-Id: Documenting security issues in VuXML

>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
>Severity: serious
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:

System: FreeBSD 7.1-PRERELEASE i386

>Description:

Release notes for CUPS 1.3.10 say that there was a potential buffer overflow in the PNG reader code:
  http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt

The corresponding entry in the CUPS bug tracker is at
  http://www.cups.org/str.php?L2974

>How-To-Repeat:

Look at the above URLs.

>Fix:

The following patch updates the port itself. I had used PORTREVISION of 2, but the patch was made against the clean 1.3.9 tree. If it will be applied simultaneously with the patch in ports/129001, then the PORTVERSION can be set to 1. In this case the below VuXML entry should be changed to reflect this.

--- 1.3.9-fix-potential-PNG-buffer-overflow.diff begins here ---
>From 95c304d2b3ce819ea68f493f6dcc2fed76ac2029 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Wed, 26 Nov 2008 00:11:53 +0300

See: http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
See: http://www.openwall.com/lists/oss-security/2008/11/25/2
Signed-off-by: Eygene Ryabinkin --- print/cups-base/Makefile | 1 + print/cups-base/files/patch-str2974 | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 0 deletions(-) create mode 100644 print/cups-base/files/patch-str2974 diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile index 87e5ee3..aad7c52 100644 --- a/print/cups-base/Makefile +++ b/print/cups-base/Makefile @@ -7,6 +7,7 @@ PORTNAME= cups PORTVERSION= 1.3.9 +PORTREVISION= 2 DISTVERSIONSUFFIX= -source CATEGORIES= print MASTER_SITES= EASYSW/${PORTNAME}/${DISTVERSION} diff --git a/print/cups-base/files/patch-str2974 b/print/cups-base/files/patch-str2974 new file mode 100644 index 0000000..f407d55 --- /dev/null +++ b/print/cups-base/files/patch-str2974 @@ -0,0 +1,27 @@ +Fix for the buffer overflow in the PNG reading code + +See: http://www.cups.org/str.php?L2974 +Obtained from: http://www.cups.org/strfiles/2974/str2974.patch + +Index: filter/image-png.c +=================================================================== +--- filter/image-png.c (revision 8062) ++++ filter/image-png.c (working copy) +@@ -178,7 +178,7 @@ + { + bufsize = img->xsize * img->ysize; + +- if ((bufsize / img->ysize) != img->xsize) ++ if ((bufsize / img->xsize) != img->ysize) + { + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", + (unsigned)width, (unsigned)height); +@@ -190,7 +190,7 @@ + { + bufsize = img->xsize * img->ysize * 3; + +- if ((bufsize / (img->ysize * 3)) != img->xsize) ++ if ((bufsize / (img->xsize * 3)) != img->ysize) + { + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", + (unsigned)width, (unsigned)height); -- 1.6.0.4 --- 1.3.9-fix-potential-PNG-buffer-overflow.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- cups -- potential buffer overflow in PNG reading code cups-base 1.3.9_2

ChangeLog for CUPS 1.3.10 says:

SECURITY: The PNG image reading code did not validate the image size properly, leading to a potential buffer overflow (STR #2974)

http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
http://www.openwall.com/lists/oss-security/2008/11/25/2
2008-11-25
today
--- vuln.xml ends here ---
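
Review bot: "PORTREVISION= 2" in the print/cups-base/Makefile hunk has to stay in step with the "1.3.9_2" bound in the proposed VuXML entry, and the submission text itself says the number changes if this goes in together with ports/129001. The final revision should be settled first, and the Makefile line and the VuXML version then adjusted in the same commit, so that the entry neither flags a fixed package as vulnerable nor passes a vulnerable one as fixed.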
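
Review bot: in the first filter/image-png.c hunk (@@ -178) the new comparison "(bufsize / img->xsize) != img->ysize" divides by img->xsize, and the visible context does not show that a zero width has been rejected before this point. Please confirm that check exists earlier in the function, or test the dimensions before multiplying (reject xsize == 0, then compare ysize against the maximum buffer size divided by xsize) so the test never depends on a product that has already wrapped. The header of patch-str2974 should also say which input the old comparison let through: when the product is computed in unsigned arithmetic of a single width, dividing by either factor detects the same wraparound, so the types of bufsize, xsize and ysize matter here and are not visible in the hunk.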
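
Review bot: in the second filter/image-png.c hunk (@@ -190) the divisor "img->xsize * 3" is itself a multiplication that can wrap for a large width, and when it does, the quotient no longer shows whether "bufsize = img->xsize * img->ysize * 3" overflowed (a divisor that wraps to zero also faults). Bound the width first, rejecting xsize above the type's maximum divided by 3, and only then compare ysize against the maximum divided by (xsize * 3), so that every intermediate product is known to fit before it is formed.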