CVE-2008-1373: CUPS GIF image filter overflow

It was discovered that GIF parsing code used by CUPS printing system is affected
by similar issue as GIF parsers used by gd / netpbm / tk / SDL_image.

Value of code_size read from GIF image is not properly validate before being
used to initialize table array in gif_read_lzw(), causing a static buffer overflow.

Issue is similar to:
CVE-2006-4484 (gd), CVE-2007-6697 (SDL_image), CVE-2008-0553 (tk), CVE-2008-0554
(netpbm)

Created attachment 298680
Proposed patch

Similar to fixed used in gd / tk / netpbm / SDL_image.

Tracked upstream via: http://www.cups.org/str.php?L2765

Tomas Hoger writes:
Value of code_size is read from GIF image, but not properly validated
before use to initialize table array in gif_read_lzw(). clear_code
used as upper bound in for loop is short, hence overflow is limited to
~16k - 4k short int values. Moreover, attacker has limited control
over the values written past the end of the buffer.

Timo, this issue is under embargo until 2008-03-26. Do not commit anything to CVS until this date. Please prepare an updated ebuild and attach it to this bug, we will do prestable testing here. Thanks.

Created attachment 146667
cups-1.2.12-CVE-2008-1373.patch

Created attachment 146668
cups-1.3.6-CVE-2008-1373.patch

Created attachment 146714
cups-1.2.12-r7.ebuild

Added the patch for CVE-2008-1373 and also removed the unneeded (as also discussed per mail and with upstream) patch for CVE-2007-4045.

Created attachment 146721
cups-1.3.6-r3.ebuild

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer

(In reply to comment #6)
> Arch Security Liaisons, please test the attached ebuild and report it stable on
> this bug.

That is:
=net-print/cups-1.2.12-r7

Good to go on x86

Looks good on sparc. Tested -1.2.12-r7, remote only, with {.ps, .pdf} files.

HPPA is OK.

looks good on ppc64

looks good on ppc

Adding Tobias for alpha

=net-print/cups-1.2.12-r7 works dandy on alpha.

Created attachment 147078
cups-1.2.12-CVE-2008-0053.patch

Created attachment 147080
cups-1.2.12-r7.ebuild

Ok, cups is killing me these days. Could you please retest with the new -r7 ebuild? Thanks.

CVE-2008-0053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0053):
  Unspecified vulnerability in CUPS before 1.3.6 in Apple Mac OS X 10.5.2 has
  unknown impact and attack vectors related to "input validation."

Apple Advisory:
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html

Impact: Multiple vulnerabilities in CUPS may lead to an unexpected
application termination or arbitrary code execution with system
privileges
Description: Multiple input validation issues exist in CUPS, the
most serious of which may lead to arbitrary code execution with
system privileges. This update addresses the issues by updating to
CUPS 1.3.6. These issues do not affect systems prior to Mac OS X
v10.5.

Tomas Hoger writes:
According to upstream, this CVE id was allocated for following issue fixed in
CUPS 1.3.6 (see CHANGES.txt):

- Fixed two overflow bugs in the HP-GL/2 filter (Coverity)

Local printing ....ok
Remote printing from
  Windows ...ok
  Linux ...ok

x86 good to go...again.

sparc still looks good, too, as described in Comment 9.

looks good on ppc64, too.

HPPA is OK again.

And on alpha, it works, too.

still looks good for ppc

Please note that the embargo has been delayed until Monday, 03/31.

looks good on ppc64

(In reply to comment #24)
> Please note that the embargo has been delayed until Monday, 03/31.

.... and again, Tuesday it is.

This is public now. Printing, please commit with the keywords you gathered.

cups-1.2.12-10.fc7 has been submitted as an update for Fedora 7

Arches, please test and mark stable:
=net-print/cups-1.2.12-r7
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ppc ppc64 sparc x86"
Missing keywords: "arm ia64 m68k release s390 sh"

1.3.6 is unaffected for CVE-2008-0053.

This is GLSA-200804-01 - no joke!

Stable on ia64 by armin76.
Fixed in release snapshot.

*** Bug 215863 has been marked as a duplicate of this bug. ***

cups-1.3.6-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

cups-1.2.12-10.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0192.html
  http://rhn.redhat.com/errata/RHSA-2008-0206.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2897
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2131