Vulnerability Note VU#218395

CUPS integer overflow vulnerability

From the CUPS bug tracker:

1)filter/image-png.c

img->xsize * img->ysize may overflow (CUPS_IMAGE_MAX_WIDTH and CUPS_IMAGE_MAX_HEIGHT are too big for multiplication).

malloc(img->xsize * img->ysize * 3) can result in a buffer that's too small. Also, the return codes of alot of the mallocs aren't checked, when a NULL pointer is passed to png_read_row, it may be possible to corrupt memory this way as well. I have a .png that does this.

Versions newer than 1.3.7 available from the CUPS SVN server have applied a fix to address this issue. Users who obtain CUPS from their operating system vendor should see the systems affected portion of this document for more details.

Restrict access

Restricting access to CUPS servers by using the CUPS configuration directives, firewall rules, or access control lists may mitigate this vulnerability. By default, cupsd listens on port 631/udp. Systems that use CUPS exclusively for local printing should set the Listen directive to localhost:631 in the cupsd configuration file to prevent remote systems from exploiting this vulnerability.

Systems Affected

http://www.cups.org/str.php?L2790
http://www.cups.org/software.php
http://www.cups.org/documentation.php/man-cupsd.conf.html
https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow
http://en.wikipedia.org/wiki/Integer_overflow

Credit

This document was written by Dean Reges.

Other Information

If you have feedback, comments, or additional information about this vulnerability, please send us email.