Vulnerability Note VU#218395

CUPS integer overflow vulnerability

Overview

CUPS contains an integer overflow that may allow a remote attacker to cause a vulnerable system to crash.

I. Description

The Common Unix Printing System (CUPS) is a print server that is used and distributed by many Unix-like operating systems. CUPS contains an integer overflow vulnerability that occurs in its image processing library.

From the CUPS bug tracker:

1)filter/image-png.c

img->xsize * img->ysize may overflow (CUPS_IMAGE_MAX_WIDTH and CUPS_IMAGE_MAX_HEIGHT are too big for multiplication).

malloc(img->xsize * img->ysize * 3) can result in a buffer that's too small. Also, the return codes of alot of the mallocs aren't checked, when a NULL pointer is passed to png_read_row, it may be possible to corrupt memory this way as well. I have a .png that does this.

II. Impact

Users who obtain CUPS from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.

III. Solution

Upgrade

Versions newer than 1.3.7 available from the CUPS SVN server have applied a fix to address this issue. Users who obtain CUPS from their operating system vendor should see the systems affected portion of this document for more details.

Restrict access

Restricting access to CUPS servers by using the CUPS configuration directives, firewall rules, or access control lists may mitigate this vulnerability. By default, cupsd listens on port 631/udp. Systems that use CUPS exclusively for local printing should set the Listen directive to localhost:631 in the cupsd configuration file to prevent remote systems from exploiting this vulnerability.

Systems Affected

Vendor	Status	Date Updated
Apple Computer, Inc.	Unknown	25-Apr-2008
Conectiva Inc.	Unknown	25-Apr-2008
Cray Inc.	Unknown	25-Apr-2008
CUPS, the Common UNIX Printing System	Vulnerable	25-Apr-2008
Debian GNU/Linux	Unknown	25-Apr-2008
EMC Corporation	Unknown	25-Apr-2008
Engarde Secure Linux	Unknown	25-Apr-2008
F5 Networks, Inc.	Unknown	25-Apr-2008
Fedora Project	Unknown	25-Apr-2008
FreeBSD, Inc.	Unknown	25-Apr-2008
Fujitsu	Unknown	25-Apr-2008
Gentoo Linux	Vulnerable	30-Apr-2008
Hewlett-Packard Company	Unknown	25-Apr-2008
Hitachi	Unknown	25-Apr-2008
IBM Corporation	Unknown	25-Apr-2008
IBM Corporation (zseries)	Unknown	25-Apr-2008
IBM eServer	Unknown	25-Apr-2008
Ingrian Networks, Inc.	Unknown	25-Apr-2008
Juniper Networks, Inc.	Not Vulnerable	30-Apr-2008
Linux Kernel Archives	Unknown	25-Apr-2008
Mandriva, Inc.	Unknown	25-Apr-2008
Microsoft Corporation	Not Vulnerable	30-Apr-2008
MontaVista Software, Inc.	Unknown	25-Apr-2008
NEC Corporation	Unknown	25-Apr-2008
NetBSD	Not Vulnerable	30-Apr-2008
Nokia	Unknown	25-Apr-2008
Novell, Inc.	Unknown	25-Apr-2008
OpenBSD	Unknown	25-Apr-2008
Openwall GNU/*/Linux	Unknown	25-Apr-2008
QNX, Software Systems, Inc.	Unknown	25-Apr-2008
Red Hat, Inc.	Unknown	25-Apr-2008
Silicon Graphics, Inc.	Unknown	25-Apr-2008
Slackware Linux Inc.	Unknown	25-Apr-2008
Sony Corporation	Unknown	25-Apr-2008
Sun Microsystems, Inc.	Unknown	25-Apr-2008
SUSE Linux	Unknown	25-Apr-2008
The SCO Group	Unknown	25-Apr-2008
Trustix Secure Linux	Unknown	25-Apr-2008
Turbolinux	Unknown	25-Apr-2008
Ubuntu	Unknown	25-Apr-2008
Wind River Systems, Inc.	Unknown	25-Apr-2008

References

http://www.cups.org/str.php?L2790
http://www.cups.org/software.php
http://www.cups.org/documentation.php/man-cupsd.conf.html
https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow
http://en.wikipedia.org/wiki/Integer_overflow

Credit

This document was written by Dean Reges.

Other Information

Date Public	04/15/2008
Date First Published	04/25/2008 11:48:56 AM
Date Last Updated	04/30/2008
CERT Advisory
CVE Name	CVE-2008-1722
US-CERT Technical Alerts
Metric	8.33
Document Revision	41

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader