Thanks for the upload. I tested the candidate package on Ubuntu 24.04
(noble) and can confirm it fixes the heap buffer overflow.
Versions:
- Affected (current noble-updates/security): libcups2t64 2.4.7-1.2ubuntu7.13
- Tested fix (from ubuntu-security-proposed PPA): libcups2t64 2.4.7-1.2ubuntu7.14
Setup: default printer is a queue using a large Konica Minolta vendor PPD
(bizhub C224e, "Generic 36C-6SeriesPS(P)", 749942 bytes), which is what
triggers the bug. Reproducer: open a ZIP-based document (.ods) in
LibreOffice; at load time LibreOffice builds the default-printer object,
libcups parses the PPD and overflows.
Deterministic result with valgrind memcheck (same machine, same .ods, same
large-PPD default printer; the only variable changed is libcups.so.2). Full
before/after log attached as valgrind_cups_7.13_vs_7.14_anon.log:
PART 1 - libcups 2.4.7-1.2ubuntu7.13 (system):
Invalid write of size 2 and size 8, repeatedly, in
_cupsRasterAddError <- _cupsRasterExecPS <- _ppdCacheAssignPresets
<- _ppdCacheCreateWithPPD (all in libcups.so.2)
<- Printer::Printer() (LibreOffice, caller)
PART 2 - libcups 2.4.7-1.2ubuntu7.14 (tested, injected via LD_PRELOAD of
the extracted .deb so nothing else on the system changed):
ERROR SUMMARY: 0 errors from 0 contexts
No Invalid write, no _cupsRaster*/_ppdCache* errors. Document converts
and opens normally.
So the overflow is fixed by 2.4.7-1.2ubuntu7.14.
(Note: without valgrind the crash is non-deterministic on 7.13 — the
out-of-bounds write is always there, but whether glibc aborts with
"corrupted size vs. prev_size" depends on heap layout. The valgrind runs
remove that flakiness and show the write is present on 7.13 and gone on
7.14.)
The fix is currently only in the security-proposed PPA; the noble (24.04)
task is still New. Could you please push 2.4.7-1.2ubuntu7.14 through the
SRU into noble-security/noble-updates so it reaches users via the normal
update channel? Reproduced on multiple 24.04 machines here. Thanks!
** Attachment added: "valgrind_cups_7.13_vs_7.14_anon.log"
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/2156339/+attachment/5977050/+files/valgrind_cups_7.13_vs_7.14_anon.log
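The before/after memcheck comparison described in this report, written up as an added shell example (not code from the bug report, nor from the cups or LibreOffice projects). The valgrind, soffice and dpkg-deb options used are real; the scratch paths, the document, the candidate .deb location and the default-printer setup are assumptions, and the sample logs at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: the before/after memcheck comparison
# described above. The candidate libcups is extracted from the downloaded .deb and
# LD_PRELOADed into a headless LibreOffice run, so nothing is installed. Assumes
# soffice, valgrind and dpkg-deb on PATH and the large-PPD queue already default.
set -eu
# Extract libcups.so.2 from a .deb into a scratch dir; print the library path.
extract_libcups() {  # $1 = libcups2t64_*.deb  $2 = scratch dir
    dpkg-deb -x "$1" "$2"
    find "$2" -name 'libcups.so.2*' -type f | head -n 1
}
# Open a document headlessly under memcheck; $3 (optional) is LD_PRELOADed so the
# candidate library replaces the system one for this process tree only. Needs
# --trace-children=yes (soffice execs soffice.bin); %p logs are joined into $2.
run_memcheck() {  # $1 = document  $2 = output log  $3 = library to preload
    LD_PRELOAD="${3:-}" valgrind --tool=memcheck --trace-children=yes \
        --log-file="$2.%p" soffice --headless --convert-to pdf \
        --outdir "$(mktemp -d)" "$1" >/dev/null 2>&1 || true
    cat "$2".* > "$2"
}

# Summarise a memcheck log as "<invalid writes> <errors from ERROR SUMMARY>".
summarize_log() {  # $1 = log file
    writes=$(grep -c 'Invalid write of size' "$1" || true)
    total=$(sed -n 's/.*ERROR SUMMARY: \([0-9]*\) errors.*/\1/p' "$1" | tail -n 1)
    printf '%s %s\n' "${writes:-0}" "${total:-0}"
}

# Full comparison on document $2: system libcups, then the candidate from $1.
compare_libcups() {
    work=$(mktemp -d)
    run_memcheck "$2" "$work/before.log"
    run_memcheck "$2" "$work/after.log" "$(extract_libcups "$1" "$work")"
    echo "before: $(summarize_log "$work/before.log")"
    echo "after:  $(summarize_log "$work/after.log")"
}
# Constructed, shortened sample logs (placeholder addresses) so summarize_log can
# be exercised without valgrind; writes before.log and after.log into dir $1.
write_sample_logs() {
    cat > "$1/before.log" <<'EOF'
==1== Invalid write of size 2
==1==    at 0x0: _cupsRasterAddError (in libcups.so.2)
==1== Invalid write of size 8
==1== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
EOF
    echo '==2== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)' > "$1/after.log"
}

if [ $# -eq 2 ]; then compare_libcups "$1" "$2"; fi
```

Run as `sh compare.sh /path/to/libcups2t64_2.4.7-1.2ubuntu7.14_amd64.deb doc.ods` (paths assumed); a fixed library shows "0 0" on the after line while the before line reports the Invalid write count.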
https://bugs.launchpad.net/bugs/2156339
Title:
LibreOffice 24.2.7-0ubuntu0.24.04.5 crashes (heap corruption) when
opening any ZIP-based document (ODF/OOXML)
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs