ID

VAR-200902-0559

CVE

CVE-2009-0577

TITLE

CUPS of WriteProlog Integer overflow vulnerability in functions

DESCRIPTION

Integer overflow in the WriteProlog function in texttops in CUPS 1.1.17 on Red Hat Enterprise Linux (RHEL) 3 allows remote attackers to execute arbitrary code via a crafted PostScript file that triggers a heap-based buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2008-3640. CUPS is prone to multiple heap-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before using it to allocate memory buffers. Remote attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Note that local attackers may also exploit these vulnerabilities to elevate privileges. Successful remote exploits may require printer sharing to be enabled on the vulnerable system. These issues affect versions prior to CUPS 1.3.9. Common Unix Printing System (CUPS) is a common Unix printing system and a cross-platform printing solution in the Unix environment. It is based on the Internet Printing Protocol and provides most PostScript and raster printer services. The Silicon Graphics Image (SGI) file format parsing module of CUPS has a heap overflow vulnerability when parsing malformed Run Length Encoded (RLE) data. The cause of the vulnerability is that the read_rle16() function does not properly validate the value of the line read from the file and uses this value to control how many 16-bit integers are stored in the heap buffer. If a small graphics dimension and a large number of lines are provided, it will May trigger a heap overflow. The WriteProlog() function of the CUPS texttops application uses multiple values ​​obtained from attacker-controlled content in the multiplication operation when calculating the page size used to store PostScript data. This calculation may overflow, resulting in an incorrect total page size. size. This value is then used to allocate a heap buffer filled with attacker-controlled content, triggering a heap overflow. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. This is related to: SA29809 SOLUTION: Updated packages are available via Red Hat Network. 1) Two boundary errors exist in the implementation of the HP-GL/2 filter. 2) A boundary error exists within the "read_rle16()" function when processing SGI (Silicon Graphics Image) files. PROVIDED AND/OR DISCOVERED BY: 1) regenrecht, reported via ZDI 2, 3) regenrecht, reported via iDefense CHANGELOG: 2008-10-10: Updated CVE reference list. For more information: SA32226 The vulnerabilities affect all Avaya Messaging Storage Server versions. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta 15 days left of beta period. The 1st generation of the Secunia Network Software Inspector (NSI) has been available for corporate users for almost 1 year and its been a tremendous success. The 2nd generation Secunia NSI is built on the same technology as the award winning Secunia PSI, which has already been downloaded and installed on more than 400,000 computers world wide. Learn more / Download (instant access): http://secunia.com/network_software_inspector_2/ ---------------------------------------------------------------------- TITLE: CUPS PNG Filter Integer Overflow Vulnerability SECUNIA ADVISORY ID: SA29809 VERIFY ADVISORY: http://secunia.com/advisories/29809/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From local network SOFTWARE: CUPS 1.x http://secunia.com/product/921/ DESCRIPTION: Thomas Pollet has reported a vulnerability in CUPS, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to two integer overflow errors in filter/image-png.c when processing PNG files. These can be exploited to cause a heap-based buffer overflow via overly large width and height PNG fields. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in version 1.3.7. Other versions may also be affected. SOLUTION: Fixed in the SVN repository. Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Thomas Pollet ORIGINAL ADVISORY: http://www.cups.org/str.php?L2790 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

digital error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Secunia

SOURCES

LAST UPDATE DATE

2024-11-23T19:43:18.917000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE