Message-Id: <20081125212134.7A533F181D@phoenix.codelabs.ru>
Date: Wed, 26 Nov 2008 00:21:34 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-vuxml@freebsd.org
X-GNATS-Notify: dinoex@freebsd.org
Subject: ports/129193: [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader

>Number: 129193
>Category: ports
>Synopsis: [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 25 21:30:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE i386
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
Release notes for CUPS 1.3.10 say that there was a potential buffer overflow in the PNG reader code:
  http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
The corresponding entry in the CUPS bug tracker is at
  http://www.cups.org/str.php?L2974
>How-To-Repeat:
Look at the above URLs.
>Fix:
The following patch updates the port itself. I had used PORTREVISION of 2, but the patch was made against the clean 1.3.9 tree. If it is applied simultaneously with the patch in ports/129001, then the PORTVERSION can be set to 1. In this case the below VuXML entry should be changed to reflect this.

--- 1.3.9-fix-potential-PNG-buffer-overflow.diff begins here ---
>From 95c304d2b3ce819ea68f493f6dcc2fed76ac2029 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Wed, 26 Nov 2008 00:11:53 +0300

See: http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
See: http://www.openwall.com/lists/oss-security/2008/11/25/2
Signed-off-by: Eygene Ryabinkin --- print/cups-base/Makefile | 1 + print/cups-base/files/patch-str2974 | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 0 deletions(-) create mode 100644 print/cups-base/files/patch-str2974 diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile index 87e5ee3..aad7c52 100644 --- a/print/cups-base/Makefile +++ b/print/cups-base/Makefile @@ -7,6 +7,7 @@ PORTNAME= cups PORTVERSION= 1.3.9 +PORTREVISION= 2 DISTVERSIONSUFFIX= -source CATEGORIES= print MASTER_SITES= EASYSW/${PORTNAME}/${DISTVERSION} diff --git a/print/cups-base/files/patch-str2974 b/print/cups-base/files/patch-str2974 new file mode 100644 index 0000000..f407d55 --- /dev/null +++ b/print/cups-base/files/patch-str2974 @@ -0,0 +1,27 @@ +Fix for the buffer overflow in the PNG reading code + +See: http://www.cups.org/str.php?L2974 +Obtained from: http://www.cups.org/strfiles/2974/str2974.patch + +Index: filter/image-png.c +=================================================================== +--- filter/image-png.c (revision 8062) ++++ filter/image-png.c (working copy) +@@ -178,7 +178,7 @@ + { + bufsize = img->xsize * img->ysize; + +- if ((bufsize / img->ysize) != img->xsize) ++ if ((bufsize / img->xsize) != img->ysize) + { + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", + (unsigned)width, (unsigned)height); +@@ -190,7 +190,7 @@ + { + bufsize = img->xsize * img->ysize * 3; + +- if ((bufsize / (img->ysize * 3)) != img->xsize) ++ if ((bufsize / (img->xsize * 3)) != img->ysize) + { + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", + (unsigned)width, (unsigned)height); -- 1.6.0.4 --- 1.3.9-fix-potential-PNG-buffer-overflow.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- cups -- potential buffer overflow in PNG reading code cups-base 1.3.9_2

ChangeLog for CUPS 1.3.10 says:

SECURITY: The PNG image reading code did not validate the image size properly, leading to a potential buffer overflow (STR #2974)

http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
http://www.openwall.com/lists/oss-security/2008/11/25/2
2008-11-25
today
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
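
Review bot: In the print/cups-base/Makefile hunk, the added `PORTREVISION= 2` has to stay in step with the `1.3.9_2` version given in the accompanying VuXML entry, and the submission itself says the value changes if this lands together with the patch in ports/129001. Suggest settling the commit order with ports/129001 first and then fixing both the Makefile value and the VuXML version in the same commit, so the vulnerability entry does not flag or miss the wrong package revision.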
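
Review bot: In the second filter/image-png.c hunk carried by patch-str2974, the divisor in `if ((bufsize / (img->xsize * 3)) != img->ysize)` is itself a multiplication that can wrap for a large xsize, so the divide-back check may compare against a wrapped divisor; the visible lines also show no guard against a zero dimension before either division. Suggest rejecting the image before multiplying, by comparing each dimension against the maximum buffer size divided by the other factors, instead of multiplying first and dividing back. If bufsize or the dimension fields are signed, the multiply-then-check pattern additionally relies on overflow behaviour the C standard leaves undefined; the types are not visible in this hunk, so that is worth confirming against the full file.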