Package: cupsys Version: 1.1.23-11 Priority: important Tags: security Reviewing the Fedora patches for cupsys, I've found that cups-CAN-2004-0888.patch (attached) is not available as a patch in the Debian source package. This bug is described as "Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CAN-2004-0889." It has been fixed in DSA-573, DSA-581, and DSA-599. Please review this patch and apply it if needed. Thanks, Javier
--- cups-1.1.23/pdftops/XRef.cxx.CAN-2004-0888 2004-10-13 21:55:53.000000000 +0100
+++ cups-1.1.23/pdftops/XRef.cxx 2005-02-07 16:32:55.429806230 +0000
@@ -76,7 +76,7 @@
 // trailer is ok - read the xref table
 } else {
- if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
+ if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
 error(-1, "Invalid 'size' inside xref table.");
 ok = gFalse;
 errCode = errDamaged;
@@ -291,7 +291,7 @@
 // table size
 if (first + n > size) {
 newSize = first + n;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
 error(-1, "Invalid 'newSize'");
 goto err2;
 }
@@ -445,7 +445,7 @@
 if (!strncmp(p, "obj", 3)) {
 if (num >= size) {
 newSize = (num + 1 + 255) & ~255;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
 error(-1, "Invalid 'obj' parameters.");
 return gFalse;
 }
@@ -470,7 +470,7 @@
 } else if (!strncmp(p, "endstream", 9)) {
 if (streamEndsLen == streamEndsSize) {
 streamEndsSize += 64;
- if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+ if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {
 error(-1, "Invalid 'endstream' parameter.");
 return gFalse;
 }
--- cups-1.1.23/pdftops/Catalog.cxx.CAN-2004-0888 2004-10-13 21:55:53.000000000 +0100
+++ cups-1.1.23/pdftops/Catalog.cxx 2005-02-07 16:34:17.268156509 +0000
@@ -64,8 +64,8 @@
 }
 pagesSize = numPages0 = (int)obj.getNum();
 obj.free();
- if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
- pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
 error(-1, "Invalid 'pagesSize'");
 ok = gFalse;
 return;
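Review bot: The overflow guard on the new side of each hunk, e.g. `if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size) {` in the `@@ -76` hunk, still depends on the wrapped result of a signed `int` multiplication, which is undefined behaviour in C++ and which an optimizing compiler is free to reason away. The cast does what the patch presumably intends — keep the product in 32-bit `int` so that on LP64 platforms a PDF-supplied count can no longer pass through a 64-bit `size_t` product that is truncated later — but a guard that compares before multiplying is both well-defined and easier to read: `if (size < 0 || size > INT_MAX / (int)sizeof(XRefEntry)) {` (with `<limits.h>`), and likewise for `newSize`, `streamEndsSize` and `pagesSize` in the `@@ -291`, `@@ -445` and `@@ -470` hunks and in both Catalog.cxx hunks. A one-line comment above each guard, `// reject counts whose byte size would not fit in int; the value comes from the PDF`, would tell later readers why the check exists. The allocations these checks protect, and the enclosing functions, lie outside every hunk, so whether the guarded value is also what is passed to the allocator cannot be confirmed here.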
@@ -197,7 +197,8 @@
 }
 if (start >= pagesSize) {
 pagesSize += 32;
- if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize) {
+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
 error(-1, "Invalid 'pagesSize' parameter.");
 goto err3;
 }