Version in base suite: 1.2.7-4etch6
Version in overlay suite: (not present)
Base version: cupsys_1.2.7-4etch6
Target version: cupsys_1.2.7-4+etch8
Base file: /org/ftp.debian.org/ftp/pool/main/c/cupsys/cupsys_1.2.7-4etch6.dsc
Target file: /org/ftp.debian.org/queue/o-p-u-new/cupsys_1.2.7-4+etch8.dsc
cupsys-1.2.7/debian/changelog | 16 ++++++++++++++++
cupsys-1.2.7/debian/patches/00list | 2 ++
debian/patches/82_CVE-2009-0163.dpatch | 19 +++++++++++++++++++
debian/patches/83_CVE-2009-0949.dpatch | 28 ++++++++++++++++++++++++++++
4 files changed, 65 insertions(+)
diff -u cupsys-1.2.7/debian/changelog cupsys-1.2.7/debian/changelog
--- cupsys-1.2.7/debian/changelog
+++ cupsys-1.2.7/debian/changelog
@@ -1,3 +1,19 @@
+cupsys (1.2.7-4+etch8) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix null pointer dereference on handling IPP_TAG_UNSUPPORTED
+ leading to denial of service attacks (CVE-2009-0949).
+
+ -- Nico Golde Mon, 25 May 2009 11:18:46 +0000
+
+cupsys (1.2.7-4etch7) oldstable-security; urgency=low
+
+ * Add 82_CVE-2009-0163.dpatch: Fix integer overflow induced heap buffer
+ overflow in the _cupsImageReadTIFF() function. Discovered by iDefense.
+ (CVE-2009-0163)
+
+ -- Martin Pitt Sat, 04 Apr 2009 06:01:47 -0700
+
 cupsys (1.2.7-4etch6) stable-security; urgency=high

 * Non-maintainer upload by the security team
diff -u cupsys-1.2.7/debian/patches/00list cupsys-1.2.7/debian/patches/00list
--- cupsys-1.2.7/debian/patches/00list
+++ cupsys-1.2.7/debian/patches/00list
@@ -55,0 +56,2 @@
+82_CVE-2009-0163.dpatch
+83_CVE-2009-0949.dpatch
only in patch2:
unchanged:
--- cupsys-1.2.7.orig/debian/patches/83_CVE-2009-0949.dpatch
+++ cupsys-1.2.7/debian/patches/83_CVE-2009-0949.dpatch
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 83_CVE-2009-0949.dpatch by Nico Golde
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix null ptr dereference CVE-2009-0949
+
+@DPATCH@
+diff -urNad cupsys-1.2.7~/scheduler/ipp.c cupsys-1.2.7/scheduler/ipp.c
+--- cupsys-1.2.7~/scheduler/ipp.c 2006-10-20 20:35:41.000000000 +0000
++++ cupsys-1.2.7/scheduler/ipp.c 2009-05-25 11:05:44.000000000 +0000
+@@ -298,7 +298,7 @@
+ */
+
+ attr = con->request->attrs;
+- if (attr && !strcmp(attr->name, "attributes-charset") &&
++ if (attr && attr->name && !strcmp(attr->name, "attributes-charset") &&
+ (attr->value_tag & IPP_TAG_MASK) == IPP_TAG_CHARSET)
+ charset = attr;
+ else
+@@ -307,7 +307,7 @@
+ if (attr)
+ attr = attr->next;
+
+- if (attr && !strcmp(attr->name, "attributes-natural-language") &&
++ if (attr && attr->name && !strcmp(attr->name, "attributes-natural-language") &&
+ (attr->value_tag & IPP_TAG_MASK) == IPP_TAG_LANGUAGE)
+ language = attr;
+ else
only in patch2:
unchanged:
--- cupsys-1.2.7.orig/debian/patches/82_CVE-2009-0163.dpatch
+++ cupsys-1.2.7/debian/patches/82_CVE-2009-0163.dpatch
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 81_CVE-2009-0163.dpatch by Martin Pitt
+##
+## DP: Fix integer overflow induced heap buffer overflow in the
+## DP: _cupsImageReadTIFF() function. Discovered by iDefense. [CVE-2009-0163]
+@DPATCH@
+--- a/filter/image-private.h 2007-07-11 14:46:42.000000000 -0700
++++ b/filter/image-private.h 2009-04-04 05:54:00.045486999 -0700
+@@ -41,8 +41,8 @@
+
+ # define CUPS_IMAGE_MAX_WIDTH 0x07ffffff
+ /* 2^27-1 to allow for 15-channel data */
+-# define CUPS_IMAGE_MAX_HEIGHT 0x7fffffff
+- /* 2^31-1 */
++# define CUPS_IMAGE_MAX_HEIGHT 0x3fffffff
++ /* 2^30-1 */
+
+ # define CUPS_TILE_SIZE 256 /* 256x256 pixel tiles */
+ # define CUPS_TILE_MINIMUM 10 /* Minimum number of tiles */
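Review bot: The added `attr->name &&` guard covers only the two strcmp() calls on the first and second request attributes in scheduler/ipp.c. Any other code that walks `con->request->attrs` and dereferences `attr->name` is outside this patch and would still need the same check. Both inner hunks stop at `else`, so the rest of the enclosing function is not visible here and should be audited for unchecked uses of `attr->name`. The changelog ties the NULL name to IPP_TAG_UNSUPPORTED handling, so rejecting nameless attributes where the request is parsed may be the more durable fix, if the parser permits it. Either way, the reason for the guard should be recorded next to the first check, for example `/* attr->name may be NULL (CVE-2009-0949); never pass it to strcmp() unchecked */`.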
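Review bot: Lowering `CUPS_IMAGE_MAX_HEIGHT` to `0x3fffffff` bounds the height alone, and its product with `CUPS_IMAGE_MAX_WIDTH` (`0x07ffffff`) still exceeds 32 bits by a wide margin. The fix therefore holds only if the size arithmetic in _cupsImageReadTIFF(), which is not part of this patch, multiplies height by a small enough factor. The new comment `/* 2^30-1 */` gives the value but not the reason. It should name the computation the limit protects, for example `/* 2^30-1: keeps the height-based size computation in _cupsImageReadTIFF() from overflowing (CVE-2009-0163) */`, once that computation is confirmed. An explicit overflow check before the allocation would be more robust than relying on the macro. Separately, the dpatch header reads `## 81_CVE-2009-0163.dpatch` while the file is installed as 82_CVE-2009-0163.dpatch, so the header should be corrected to match.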