-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:281 http://www.mandriva.com/security/ _______________________________________________________________________ Package : cups Date : October 19, 2009 Affected: Corporate 4.0 _______________________________________________________________________ Problem Description: Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap (CVE-2009-0146, CVE-2009-0147). Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and earlier allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a crafted TIFF image, which is not properly handled by the (1) _cupsImageReadTIFF function in the imagetops filter and (2) imagetoraster filter, leading to a heap-based buffer overflow (CVE-2009-0163). Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, as used in Poppler and other products, when running on Mac OS X, has unspecified impact, related to g*allocn (CVE-2009-0165). The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory (CVE-2009-0166). Multiple integer overflows in the pdftops filter in CUPS 1.1.17, 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF file that triggers a heap-based buffer overflow, possibly related to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4) JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the JBIG2Stream.cxx vector may overlap CVE-2009-1179 (CVE-2009-0791). The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 does not properly initialize memory for IPP request packets, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a scheduler request with two consecutive IPP_TAG_UNSUPPORTED tags (CVE-2009-0949). Two integer overflow flaws were found in the CUPS pdftops filter. An attacker could create a malicious PDF file that would cause pdftops to crash or, potentially, execute arbitrary code as the lp user if the file was printed. (CVE-2009-3608, CVE-2009-3609) This update corrects the problems. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0165 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609 _______________________________________________________________________ Updated Packages: Corporate 4.0: 57fb29098baca176b04941fdf7d5c550 corporate/4.0/i586/cups-1.2.4-0.12.20060mlcs4.i586.rpm 37087bf2fd62f470c776634f75e91689 corporate/4.0/i586/cups-common-1.2.4-0.12.20060mlcs4.i586.rpm 6fd53fc460336a672ddf073d0854bd38 corporate/4.0/i586/cups-serial-1.2.4-0.12.20060mlcs4.i586.rpm bdecceaf7594a24fa8fff83cb647a49b corporate/4.0/i586/libcups2-1.2.4-0.12.20060mlcs4.i586.rpm a368140c97ada3e036fab372ada3c061 corporate/4.0/i586/libcups2-devel-1.2.4-0.12.20060mlcs4.i586.rpm 7a42fb1da9f89b51a3fb2d046163365a corporate/4.0/i586/php-cups-1.2.4-0.12.20060mlcs4.i586.rpm 4188bab8bdcf0b31285cf8718910be96 corporate/4.0/SRPMS/cups-1.2.4-0.12.20060mlcs4.src.rpm Corporate 4.0/X86_64: 4b5dfea8300468703dd931cd8c9d319c corporate/4.0/x86_64/cups-1.2.4-0.12.20060mlcs4.x86_64.rpm d5842ffe89db6334069202dfe59a60a4 corporate/4.0/x86_64/cups-common-1.2.4-0.12.20060mlcs4.x86_64.rpm 03addb21b7f80f74b76bf5de1ad9f553 corporate/4.0/x86_64/cups-serial-1.2.4-0.12.20060mlcs4.x86_64.rpm e61669b6a72afaaf980f2d0e2186f716 corporate/4.0/x86_64/lib64cups2-1.2.4-0.12.20060mlcs4.x86_64.rpm b827d727711d51f60a3fdf7252e5021e corporate/4.0/x86_64/lib64cups2-devel-1.2.4-0.12.20060mlcs4.x86_64.rpm 932e3d535caefa568055d80517461bc1 corporate/4.0/x86_64/php-cups-1.2.4-0.12.20060mlcs4.x86_64.rpm 4188bab8bdcf0b31285cf8718910be96 corporate/4.0/SRPMS/cups-1.2.4-0.12.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFK3NfrmqjQ0CJFipgRArzuAJ423zY3gOp7swQJk0zzE5b1soEo8gCfSVsP 9zRihLK9oU3JdSRjcW8Wr+4= =Pc+B -----END PGP SIGNATURE-----