Bug#324460: cupsys: Missing fix for CAN-2004-0888?

Mon, 22 Aug 2005 01:49:19 -0700 

Package: cupsys
Version: 1.1.23-11
Priority: important
Tags: security

Reviewing the Fedora patches for cupsys I've found that
cups-CAN-2004-0888.patch (attached) is not available as a patch
in the Debian source package. This bug is described as
"Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use
xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code, a
different set of vulnerabilities than those identified by CAN-2004-0889."

And has been fixed in DSA-573, DSA-581, and DSA-599

Please review this patch and apply it if needed.

Thanks

Javier

--- cups-1.1.23/pdftops/XRef.cxx.CAN-2004-0888  2004-10-13 21:55:53.000000000 
+0100
+++ cups-1.1.23/pdftops/XRef.cxx        2005-02-07 16:32:55.429806230 +0000
@@ -76,7 +76,7 @@
 
   // trailer is ok - read the xref table
   } else {
-    if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
+    if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
       error(-1, "Invalid 'size' inside xref table.");
       ok = gFalse;
       errCode = errDamaged;
@@ -291,7 +291,7 @@
     // table size
     if (first + n > size) {
       newSize = first + n;
-      if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+      if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
         error(-1, "Invalid 'newSize'");
         goto err2;
       }
@@ -445,7 +445,7 @@
            if (!strncmp(p, "obj", 3)) {
              if (num >= size) {
                newSize = (num + 1 + 255) & ~255;
-               if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+               if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != 
newSize) {
                  error(-1, "Invalid 'obj' parameters.");
                  return gFalse;
                }
@@ -470,7 +470,7 @@
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen == streamEndsSize) {
        streamEndsSize += 64;
-        if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+        if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {
           error(-1, "Invalid 'endstream' parameter.");
           return gFalse;
         }
--- cups-1.1.23/pdftops/Catalog.cxx.CAN-2004-0888       2004-10-13 
21:55:53.000000000 +0100
+++ cups-1.1.23/pdftops/Catalog.cxx     2005-02-07 16:34:17.268156509 +0000
@@ -64,8 +64,8 @@
   }
   pagesSize = numPages0 = (int)obj.getNum();
   obj.free();
-  if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
-      pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+  if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+      pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
     error(-1, "Invalid 'pagesSize'");
     ok = gFalse;
     return;
@@ -197,7 +197,8 @@
       }
       if (start >= pagesSize) {
        pagesSize += 32;
-        if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize) {
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+           pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
           error(-1, "Invalid 'pagesSize' parameter.");
           goto err3;
         }

Attachment: signature.asc
Description: Digital signature

Reply via email to