From rea-fbsd@codelabs.ru  Tue Nov 25 21:21:36 2008
Return-Path: <rea-fbsd@codelabs.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 531B21065673;
	Tue, 25 Nov 2008 21:21:36 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id 0C4C98FC13;
	Tue, 25 Nov 2008 21:21:36 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from phoenix.codelabs.ru (ppp91-78-117-2.pppoe.mtu-net.ru [91.78.117.2])
	by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256)
	id 1L55Lj-000PzU-2k; Wed, 26 Nov 2008 00:21:35 +0300
Message-Id: <20081125212134.7A533F181D@phoenix.codelabs.ru>
Date: Wed, 26 Nov 2008 00:21:34 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Reply-To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-vuxml@freebsd.org
Subject: [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
X-Send-Pr-Version: 3.113
X-GNATS-Notify: dinoex@freebsd.org

>Number:         129193
>Category:       ports
>Synopsis:       [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    dinoex
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 25 21:30:02 UTC 2008
>Closed-Date:    Fri Nov 28 09:13:24 CET 2008
>Last-Modified:  Mon Dec  1 15:30:01 UTC 2008
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE i386

>Description:

Release notes for CUPS 1.3.10 say that there was a potential buffer
overflow in the PNG reader code:
  http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt

The corresponding entry in the CUPS bug tracker is at
  http://www.cups.org/str.php?L2974

>How-To-Repeat:

Look at the above URLs.

>Fix:

The following patch updates the port itself.  I used a PORTREVISION
of 2, but the patch was made against the clean 1.3.9 tree.  If it is
applied simultaneously with the patch in ports/129001, then the
PORTVERSION can be set to 1.  In this case the below VuXML entry
should be changed to reflect this.

--- 1.3.9-fix-potential-PNG-buffer-overflow.diff begins here ---
From 95c304d2b3ce819ea68f493f6dcc2fed76ac2029 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Wed, 26 Nov 2008 00:11:53 +0300

See: http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
See: http://www.openwall.com/lists/oss-security/2008/11/25/2

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 print/cups-base/Makefile            |    1 +
 print/cups-base/files/patch-str2974 |   27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 0 deletions(-)
 create mode 100644 print/cups-base/files/patch-str2974

diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile
index 87e5ee3..aad7c52 100644
--- a/print/cups-base/Makefile
+++ b/print/cups-base/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	cups
 PORTVERSION=	1.3.9
+PORTREVISION=	2
 DISTVERSIONSUFFIX=	-source
 CATEGORIES=	print
 MASTER_SITES=	EASYSW/${PORTNAME}/${DISTVERSION}
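Review bot: the `+PORTREVISION=	2` line is added as a new line between PORTVERSION and DISTVERSIONSUFFIX, which assumes the Makefile carries no PORTREVISION at all; the cover text says the patch was cut against a clean 1.3.9 tree and that ports/129001 may be applied at the same time, in which case this hunk will not apply and the bump has to be made on the existing line instead. Whatever value is finally committed, the VuXML range `<lt>1.3.9_2</lt>` below must be adjusted to match it.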
diff --git a/print/cups-base/files/patch-str2974 b/print/cups-base/files/patch-str2974
new file mode 100644
index 0000000..f407d55
--- /dev/null
+++ b/print/cups-base/files/patch-str2974
@@ -0,0 +1,27 @@
+Fix for the buffer overflow in the PNG reading code
+
+See: http://www.cups.org/str.php?L2974
+Obtained from: http://www.cups.org/strfiles/2974/str2974.patch
+
+Index: filter/image-png.c
+===================================================================
+--- filter/image-png.c	(revision 8062)
++++ filter/image-png.c	(working copy)
+@@ -178,7 +178,7 @@
+     {
+       bufsize = img->xsize * img->ysize;
+ 
+-      if ((bufsize / img->ysize) != img->xsize)
++      if ((bufsize / img->xsize) != img->ysize)
+       {
+ 	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ 		(unsigned)width, (unsigned)height);
+@@ -190,7 +190,7 @@
+     {
+       bufsize = img->xsize * img->ysize * 3;
+ 
+-      if ((bufsize / (img->ysize * 3)) != img->xsize)
++      if ((bufsize / (img->xsize * 3)) != img->ysize)
+       {
+ 	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ 		(unsigned)width, (unsigned)height);
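Review bot: in the second nested hunk the new divisor `(img->xsize * 3)` is itself a product that can wrap in exactly the way `(img->ysize * 3)` could before the change, so the check now misses an oversized width instead of an oversized height rather than closing the hole; a divisor that cannot overflow (bound `img->xsize` against a maximum divided by 3 first, then bound `img->ysize` against that maximum divided by the row size, before `bufsize` is ever formed) would catch both cases. In the first nested hunk the two orderings detect a wrapped `img->xsize * img->ysize` equally well, so that change is cosmetic. Both checks also divide by a dimension, so they rely on a zero width or height having been rejected earlier in the reader.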
-- 
1.6.0.4
--- 1.3.9-fix-potential-PNG-buffer-overflow.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="unknown">
    <topic>cups -- potential buffer overflow in PNG reading code</topic>
    <affects>
      <package>
	<name>cups-base</name>
	<range><lt>1.3.9_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>ChangeLog for CUPS 1.3.10 says:</p>
	<blockquote cite="http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt">

	  <p>SECURITY: The PNG image reading code did not validate
	  the image size properly, leading to a potential buffer
	  overflow (STR #2974)</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt</url>
      <mlist>http://www.openwall.com/lists/oss-security/2008/11/25/2</mlist>
    </references>
    <dates>
      <discovery>2008-11-25</discovery>
      <entry>today</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
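To make the size check in patch-str2974 above concrete, here is an added C
example; it is not part of this PR, of the port, or of CUPS.  It models the
RGB branch of the check with the fields as uint32_t, so that wraparound is
well-defined (assumption: CUPS keeps them as int, where the same wrap happens
in practice but is undefined behaviour), and `limit`, `rgb_check_before`,
`rgb_check_after` and `rgb_check_safe` are names chosen for this example, not
CUPS identifiers.  It shows the pre-patch divisor `ysize*3` wrapping for a
tall image, the post-patch divisor `xsize*3` wrapping for a wide one, and a
form of the check that never computes a product which can wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All three functions return true when the dimensions are accepted as
 * small enough for an RGB (3 bytes per pixel) buffer of xsize*ysize pixels.
 * uint32_t models 32-bit wraparound deterministically (assumption: the real
 * CUPS fields are int). */

/* Check as it read in CUPS 1.3.9 before patch-str2974: divisor is ysize*3. */
bool rgb_check_before(uint32_t xsize, uint32_t ysize)
{
    uint32_t bufsize = xsize * ysize * 3u;        /* product may wrap      */
    return (bufsize / (ysize * 3u)) == xsize;     /* divisor may wrap too  */
}

/* Check as it reads after the patch: divisor is xsize*3. */
bool rgb_check_after(uint32_t xsize, uint32_t ysize)
{
    uint32_t bufsize = xsize * ysize * 3u;
    return (bufsize / (xsize * 3u)) == ysize;     /* same weakness, mirrored */
}

/* Overflow-safe form: bound each factor before multiplying, so no product
 * that could wrap is ever computed.  `limit` is the largest byte count the
 * caller is willing to allocate (an assumed parameter, not a CUPS value). */
bool rgb_check_safe(uint32_t xsize, uint32_t ysize, uint32_t limit)
{
    if (xsize == 0 || ysize == 0)
        return false;                             /* nonsense, and would divide by zero */
    if (xsize > limit / 3u)
        return false;                             /* a single row already exceeds limit */
    uint32_t rowbytes = xsize * 3u;               /* cannot wrap: xsize <= limit/3 */
    return ysize <= limit / rowbytes;             /* rows * rowbytes <= limit */
}

int main(void)
{
    /* Constructed dimensions: an ordinary image, a very tall one, a very wide one. */
    struct { uint32_t x, y; const char *what; } cases[] = {
        {        640u,        480u, "640x480 (ordinary)"                 },
        {          1u, 0x60000000u, "1x0x60000000 (tall, wraps ysize*3)" },
        { 0x60000000u,          1u, "0x60000000x1 (wide, wraps xsize*3)" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-38s before=%d after=%d safe=%d\n", cases[i].what,
               rgb_check_before(cases[i].x, cases[i].y),
               rgb_check_after(cases[i].x, cases[i].y),
               rgb_check_safe(cases[i].x, cases[i].y, UINT32_MAX));
    return 0;
}
```

The tall case is accepted by the pre-patch check and rejected by the patched
one; the wide case is the mirror image and is accepted by the patched check.
Only the bounded form rejects both while still accepting 640x480.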
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->dinoex 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Tue Nov 25 21:30:16 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129193 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/129193: commit references a PR
Date: Fri, 28 Nov 2008 07:33:45 +0000 (UTC)

 dinoex      2008-11-28 07:33:34 UTC
 
   FreeBSD ports repository
 
   Modified files:
     print/cups-base      Makefile 
   Added files:
     print/cups-base/files patch-str2974 
   Log:
   - Fix integer overflow in PNG validation
   Security: http://www.cups.org/str.php?L2974
   PR:             129193
   
   Revision  Changes    Path
   1.105     +1 -1      ports/print/cups-base/Makefile
   1.1       +27 -0     ports/print/cups-base/files/patch-str2974 (new)
 
State-Changed-From-To: open->closed 
State-Changed-By: dinoex 
State-Changed-When: Fri Nov 28 09:13:06 CET 2008 
State-Changed-Why:  
committed, thanks. 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: dinoex@FreeBSD.org
Cc: bug-followup@freebsd.org
Subject: Re: ports/129193: [vuxml] [patch] print/cups-base: fix buffer
	overflow in the PNG reader
Date: Fri, 28 Nov 2008 14:34:47 +0300

 Dirk, good day.
 
 Fri, Nov 28, 2008 at 09:13:23AM +0100, dinoex@FreeBSD.org wrote:
 > Synopsis: [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
 > 
 > State-Changed-From-To: open->closed
 > State-Changed-By: dinoex
 > State-Changed-When: Fri Nov 28 09:13:06 CET 2008
 > State-Changed-Why: 
 > committed, thanks.
 
 Thanks for committing this!  But what about the VuXML entry?
 -- 
 Eygene
  _                ___       _.--.   #
  \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
  /  ' `         ,       __.--'      #  to read the on-line manual
  )/' _/     \   `-_,   /            #  while single-stepping the kernel.
  `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
      _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
     {_.-``-'         {_/            #

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: bug-followup@freebsd.org
Cc: miwi@freebsd.org
Subject: Re: ports/129193: [vuxml] [patch] print/cups-base: fix buffer
	overflow in the PNG reader
Date: Mon, 1 Dec 2008 18:26:09 +0300

 CVE-2008-5286 was allocated to this problem:
   http://www.openwall.com/lists/oss-security/2008/12/01/3
 so I am adding this to the VuXML entry.  Also changed tabs to spaces
 and added uuid.
 
 --- vuln.xml begins here ---
   <vuln vid="b011433c-bfbb-11dd-8644-001b77d09812">
     <topic>cups -- potential buffer overflow in PNG reading code</topic>
     <affects>
       <package>
         <name>cups-base</name>
         <range><lt>1.3.9_2</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>ChangeLog for CUPS 1.3.10 says:</p>
         <blockquote cite="http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt">
           <p>SECURITY: The PNG image reading code did not validate
           the image size properly, leading to a potential buffer
           overflow (STR #2974)</p>
         </blockquote>
       </body>
     </description>
     <references>
       <url>http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt</url>
       <mlist>http://www.openwall.com/lists/oss-security/2008/11/25/2</mlist>
       <cvename>CVE-2008-5286</cvename>
     </references>
     <dates>
       <discovery>2008-11-25</discovery>
       <entry>TODAY</entry>
     </dates>
   </vuln>
 --- vuln.xml ends here ---
 -- 
 Eygene
>Unformatted:
