Date: Wed, 26 Nov 2008 00:21:34 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-vuxml@freebsd.org
Subject: ports/129193: [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
Message-ID: <20081125212134.7A533F181D@phoenix.codelabs.ru>
Resent-Message-ID: <200811252130.mAPLU2hv022172@freefall.freebsd.org>
>Number: 129193
>Category: ports
>Synopsis: [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 25 21:30:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE i386
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
Release notes for CUPS 1.3.10 say that there was a potential buffer overflow in the PNG reader code:
http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
The corresponding entry in the CUPS bug tracker is at
http://www.cups.org/str.php?L2974
>How-To-Repeat:
Look at the above URLs.
>Fix:
The following patch updates the port itself. I had used PORTREVISION of 2, but the patch was made against the clean 1.3.9 tree. If it will be applied simultaneously with the patch in ports/129001, then the PORTVERSION can be set to 1. In this case the below VuXML entry should be changed to reflect this.

--- 1.3.9-fix-potential-PNG-buffer-overflow.diff begins here --- >From 95c304d2b3ce819ea68f493f6dcc2fed76ac2029 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Wed, 26 Nov 2008 00:11:53 +0300 See: http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt See: http://www.openwall.com/lists/oss-security/2008/11/25/2 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- print/cups-base/Makefile | 1 + print/cups-base/files/patch-str2974 | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 0 deletions(-) create mode 100644 print/cups-base/files/patch-str2974 diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile index 87e5ee3..aad7c52 100644 --- a/print/cups-base/Makefile +++ b/print/cups-base/Makefile 
@@ -7,6 +7,7 @@ PORTNAME= cups PORTVERSION= 1.3.9 +PORTREVISION= 2 DISTVERSIONSUFFIX= -source CATEGORIES= print MASTER_SITES= EASYSW/${PORTNAME}/${DISTVERSION} diff --git a/print/cups-base/files/patch-str2974 b/print/cups-base/files/patch-str2974 new file mode 100644 index 0000000..f407d55 --- /dev/null +++ b/print/cups-base/files/patch-str2974 
@@ -0,0 +1,27 @@ +Fix for the buffer overflow in the PNG reading code + +See: http://www.cups.org/str.php?L2974 +Obtained from: http://www.cups.org/strfiles/2974/str2974.patch + +Index: filter/image-png.c +=================================================================== +--- filter/image-png.c (revision 8062) ++++ filter/image-png.c (working copy) +@@ -178,7 +178,7 @@ + { + bufsize = img->xsize * img->ysize; + +- if ((bufsize / img->ysize) != img->xsize) ++ if ((bufsize / img->xsize) != img->ysize) + { + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", + (unsigned)width, (unsigned)height); +@@ -190,7 +190,7 @@ + { + bufsize = img->xsize * img->ysize * 3; + +- if ((bufsize / (img->ysize * 3)) != img->xsize) ++ if ((bufsize / (img->xsize * 3)) != img->ysize) + { + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", + (unsigned)width, (unsigned)height); -- 1.6.0.4 --- 1.3.9-fix-potential-PNG-buffer-overflow.diff ends here ---

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
<vuln vid="unknown">
  <topic>cups -- potential buffer overflow in PNG reading code</topic>
  <affects>
    <package>
      <name>cups-base</name>
      <range><lt>1.3.9_2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>ChangeLog for CUPS 1.3.10 says:</p>
      <blockquote cite="http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt">
        <p>SECURITY: The PNG image reading code did not validate the image size properly, leading to a potential buffer overflow (STR #2974)</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt</url>
    <mlist>http://www.openwall.com/lists/oss-security/2008/11/25/2</mlist>
  </references>
  <dates>
    <discovery>2008-11-25</discovery>
    <entry>today</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
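
Review bot: in the print/cups-base/Makefile hunk, `PORTREVISION= 2` is introduced where the visible context has no PORTREVISION line at all, and the VuXML range `<lt>1.3.9_2</lt>` in the same message is tied to that exact number. If the committed revision ends up different (the message raises this itself for the ports/129001 case), the VuXML bound has to move with it, otherwise a fixed package can be reported as vulnerable or a vulnerable one as fixed. Suggest settling the final revision before commit and changing the Makefile and the VuXML entry in one step.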
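
Review bot: in files/patch-str2974, the embedded image-png.c hunk at @@ -190 replaces the test with `(bufsize / (img->xsize * 3)) != img->ysize`, whose divisor is itself an unchecked multiplication: if `img->xsize * 3` wraps in a fixed-width integer, the quotient can still equal `img->ysize` and an oversized image passes. Both new tests (@@ -178 and @@ -190) also divide by `img->xsize` with no zero check visible in these lines, and for same-width unsigned operands dividing the product by one factor and comparing with the other is the same test whichever factor is the divisor, so it is worth confirming against the upstream STR which inputs the swap is meant to reject. Suggest validating that xsize and ysize are nonzero and bounded before multiplying, and checking the product in stages (first `xsize * ysize`, then the factor 3) or against a maximum divided by the factor. Minor: the DEBUG message prints `width` and `height` while the test uses `img->xsize` and `img->ysize`; logging the values actually tested would avoid confusion when triaging rejected files.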