pkg/38534: Fix for cups-1.3.7 security problem

To: pkg-manager%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,pkgsrc-bugs%netbsd.org@localhost
Subject: pkg/38534: Fix for cups-1.3.7 security problem
From: mvergall%telenet.be@localhost
Date: Mon, 28 Apr 2008 12:55:00 +0000 (UTC)

>Number:         38534
>Category:       pkg
>Synopsis:       Fix for cups-1.3.7 security problem
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Mon Apr 28 12:55:00 +0000 2008
>Originator:     Michael C. Vergallen
>Release:        pkgsrc-2008Q1
>Organization:
Michael C. Vergallen
>Environment:
All versions, all machines
>Description:
The fix to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1722 is out. 
why dous nobody bother to cummit the fix instead of warning poeple about this. 
The fix was published the 21 st of this month just after the author recieved 
the report of the problem.


>How-To-Repeat:

>Fix:
Index: image-png.c
===================================================================
--- image-png.c (revision 7434)
+++ image-png.c (working copy)
@@ -3,7 +3,7 @@
  *
  *   PNG image routines for the Common UNIX Printing System (CUPS).
  *
- *   Copyright 2007 by Apple Inc.
+ *   Copyright 2007-2008 by Apple Inc.
  *   Copyright 1993-2007 by Easy Software Products.
  *
  *   These coded instructions, statements, and computer programs are the
@@ -170,16 +170,56 @@
     * Interlaced images must be loaded all at once...
     */
 
+    size_t bufsize;                    /* Size of buffer */
+
+
     if (color_type == PNG_COLOR_TYPE_GRAY ||
        color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
-      in = malloc(img->xsize * img->ysize);
+    {
+      bufsize = img->xsize * img->ysize;
+
+      if ((bufsize / img->ysize) != img->xsize)
+      {
+       fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+               (unsigned)width, (unsigned)height);
+       fclose(fp);
+       return (1);
+      }
+    }
     else
-      in = malloc(img->xsize * img->ysize * 3);
+    {
+      bufsize = img->xsize * img->ysize * 3;
+
+      if ((bufsize / (img->ysize * 3)) != img->xsize)
+      {
+       fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+               (unsigned)width, (unsigned)height);
+       fclose(fp);
+       return (1);
+      }
+    }
+
+    in = malloc(bufsize);
   }
 
   bpp = cupsImageGetDepth(img);
   out = malloc(img->xsize * bpp);
 
+  if (!in || !out)
+  {
+    fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
+
+    if (in)
+      free(in);
+
+    if (out)
+      free(out);
+
+    fclose(fp);
+
+    return (1);
+  }
+
  /*
   * Read the image, interlacing as needed...
   */

Prev by Date: pkg/38533: sendmail+ldap/NetBSD 3.1: _res is not supported
Next by Date: Re: PR/38450 CVS commit: pkgsrc/devel/bmake/files
Previous by Thread: pkg/38533: sendmail+ldap/NetBSD 3.1: _res is not supported
Next by Thread: Re: pkg/38534: Fix for cups-1.3.7 security problem
Indexes:

Home | Main Index | Thread Index | Old Index