search menu icon-carat-right cmu-wordmark

CERT Coordination Center

CUPS integer overflow vulnerability

Vulnerability Note VU#218395

Original Release Date: 2008-04-25 | Last Revised: 2008-04-30

Overview

CUPS contains an integer overflow that may allow a remote attacker to cause a vulnerable system to crash.

Description

The Common Unix Printing System (CUPS) is a print server that is used and distributed by many Unix-like operating systems. CUPS contains an integer overflow vulnerability that occurs in its image processing library.

From the CUPS bug tracker:
1)filter/image-png.c

img->xsize * img->ysize may overflow (CUPS_IMAGE_MAX_WIDTH and CUPS_IMAGE_MAX_HEIGHT are too big for multiplication).

malloc(img->xsize * img->ysize * 3) can result in a buffer that's too small. Also, the return codes of alot of the mallocs aren't checked, when a NULL pointer is passed to png_read_row, it may be possible to corrupt memory this way as well. I have a .png that does this.

Impact

Users who obtain CUPS from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.

Solution

Upgrade

Versions newer than 1.3.7 available from the CUPS SVN server have applied a fix to address this issue. Users who obtain CUPS from their operating system vendor should see the systems affected portion of this document for more details.


Restrict access

Restricting access to CUPS servers by using the CUPS configuration directives, firewall rules, or access control lists may mitigate this vulnerability. By default, cupsd listens on port 631/udp. Systems that use CUPS exclusively for local printing should set the Listen directive to localhost:631 in the cupsd configuration file to prevent remote systems from exploiting this vulnerability.

Vendor Information

218395
 
Affected   Unknown   Unaffected

CUPS, the Common UNIX Printing System

Updated:  April 25, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux

Notified:  April 25, 2008 Updated:  April 30, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://www.gentoo.org/security/en/glsa/glsa-200804-23.xml for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks, Inc.

Notified:  April 25, 2008 Updated:  April 30, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Juniper Networks products are not susceptible to this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  April 25, 2008 Updated:  April 30, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD

Notified:  April 25, 2008 Updated:  April 30, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC Corporation

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Linux Kernel Archives

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  April 25, 2008 Updated:  April 25, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This document was written by Dean Reges.

Other Information

CVE IDs: CVE-2008-1722
Severity Metric: 8.33
Date Public: 2008-04-15
Date First Published: 2008-04-25
Date Last Updated: 2008-04-30 15:38 UTC
Document Revision: 41

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.