Vulnerability Note VU#218395

CUPS integer overflow vulnerability

Original Release date: 25 Apr 2008 | Last revised: 30 Apr 2008

Overview

CUPS contains an integer overflow that may allow a remote attacker to cause a vulnerable system to crash.

Description

The Common Unix Printing System (CUPS) is a print server that is used and distributed by many Unix-like operating systems. CUPS contains an integer overflow vulnerability that occurs in its image processing library.

From the CUPS bug tracker:

    1)filter/image-png.c

    img->xsize * img->ysize may overflow (CUPS_IMAGE_MAX_WIDTH and CUPS_IMAGE_MAX_HEIGHT are too big for multiplication).

    malloc(img->xsize * img->ysize * 3) can result in a buffer that's too small. Also, the return codes of alot of the mallocs aren't checked, when a NULL pointer is passed to png_read_row, it may be possible to corrupt memory this way as well. I have a .png that does this.

Impact

Users who obtain CUPS from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.

Solution

Upgrade
Versions newer than 1.3.7 available from the CUPS SVN server have applied a fix to address this issue. Users who obtain CUPS from their operating system vendor should see the systems affected portion of this document for more details.


Restrict access

Restricting access to CUPS servers by using the CUPS configuration directives, firewall rules, or access control lists may mitigate this vulnerability. By default, cupsd listens on port 631/udp. Systems that use CUPS exclusively for local printing should set the Listen directive to localhost:631 in the cupsd configuration file to prevent remote systems from exploiting this vulnerability.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
CUPS, the Common UNIX Printing SystemAffected-25 Apr 2008
Gentoo LinuxAffected25 Apr 200830 Apr 2008
Juniper Networks, Inc.Not Affected25 Apr 200830 Apr 2008
Microsoft CorporationNot Affected25 Apr 200830 Apr 2008
NetBSDNot Affected25 Apr 200830 Apr 2008
Apple Computer, Inc.Unknown25 Apr 200825 Apr 2008
Conectiva Inc.Unknown25 Apr 200825 Apr 2008
Cray Inc.Unknown25 Apr 200825 Apr 2008
Debian GNU/LinuxUnknown25 Apr 200825 Apr 2008
EMC CorporationUnknown25 Apr 200825 Apr 2008
Engarde Secure LinuxUnknown25 Apr 200825 Apr 2008
F5 Networks, Inc.Unknown25 Apr 200825 Apr 2008
Fedora ProjectUnknown25 Apr 200825 Apr 2008
FreeBSD, Inc.Unknown25 Apr 200825 Apr 2008
FujitsuUnknown25 Apr 200825 Apr 2008
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This document was written by Dean Reges.

Other Information

  • CVE IDs: CVE-2008-1722
  • Date Public: 15 Apr 2008
  • Date First Published: 25 Apr 2008
  • Date Last Updated: 30 Apr 2008
  • Severity Metric: 8.33
  • Document Revision: 41

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.