Bug 3072

Summary:	CVE-2011-2896, CVE-2011-3170: security update for CUPS
Product:	Mageia	Reporter:	Florian Hubold <doktor5000>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:
Severity:	normal
Priority:	Normal	CC:	davidwhodgins, sysadmin-bugs, tmb
Version:	1	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:
Source RPM:		CVE:
Status comment:

Description Florian Hubold 2011-10-16 17:53:15 CEST

CVE-2011-3170

The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896.

Florian Hubold 2011-10-16 17:53:30 CEST

Status: NEW => ASSIGNED

Comment 1 Florian Hubold 2011-10-17 15:03:34 CEST

CVE-2011-2896

The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.

Comment 2 Florian Hubold 2011-11-03 18:40:14 CET

There is now cups-1.4.6-3.1.mga1 in core/updates_testing to validate
-------------------------------------------------------


Suggested advisory:
-------------------
This update addresses the following CVEs:

CVE-2011-2896
The LZW decompressor in the LWZReadByte function in giftoppm.c in
the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw
function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte
function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier,
the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4
and earlier, and other products, does not properly handle code words
that are absent from the decompression table when encountered, which
allows remote attackers to trigger an infinite loop or a heap-based
buffer overflow, and possibly execute arbitrary code, via a crafted
compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895


CVE-2011-3170
The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and
earlier does not properly handle the first code word in an LZW stream,
which allows remote attackers to trigger a heap-based buffer overflow,
and possibly execute arbitrary code, via a crafted stream, a different
vulnerability than CVE-2011-2896

-------------------------------------------------------
Steps to reproduce:

- install/update to update candidate
- check that everything works and there are no regressions
- a POC for CVE-2011-2896 is available: http://cups.org/str.php?L3867
- a POC for CVE-2011-3170 is available: http://cups.org/str.php?L3914

Assignee: doktor5000 => qa-bugs

Florian Hubold 2011-11-03 18:40:38 CET

Summary: CVE-2011-3170: security update for CUPS => CVE-2011-2896, CVE-2011-3170: security update for CUPS

Comment 3 claire robinson 2011-11-03 19:17:44 CET

Thankyou for the POC's. I'm not really sure what to do with those files though. They create errors in applications when opening them but I'm assuming you need to print them somehow.

My printer is on a remote cups server which doesn't run mageia or even a recent cups, will that affect testing this?

Comment 4 Dave Hodgins 2011-11-04 00:57:41 CET

Testing complete on i586 for the srpm
cups-1.4.6-3.1.mga1.src.rpm

Using http://cups.org/strfiles/3867/fuzzed.gif
lp fuzzed.gif caused a segfault in libcupsimage.so.2

Using http://cups.org/strfiles/3914/test.gif did not create any faults.

After installing the update using mgaapplet, the segfault no longer
occurs.  Also used the cups interface to ensure printing a test
page still works.

CC: (none) => davidwhodgins

Comment 5 claire robinson 2011-11-04 10:27:53 CET

Tested OK x86_64

Advisory
------------------
This update addresses the following CVEs:

CVE-2011-2896
The LZW decompressor in the LWZReadByte function in giftoppm.c in
the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw
function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte
function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier,
the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4
and earlier, and other products, does not properly handle code words
that are absent from the decompression table when encountered, which
allows remote attackers to trigger an infinite loop or a heap-based
buffer overflow, and possibly execute arbitrary code, via a crafted
compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895


CVE-2011-3170
The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and
earlier does not properly handle the first code word in an LZW stream,
which allows remote attackers to trigger a heap-based buffer overflow,
and possibly execute arbitrary code, via a crafted stream, a different
vulnerability than CVE-2011-2896

-------------------------------------------------------

cups-1.4.6-3.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/update

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2011-11-04 22:09:25 CET

Update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 7 Florian Hubold 2011-11-30 21:46:36 CET

*** Bug 3095 has been marked as a duplicate of this bug. ***

CC: (none) => boklm

Nicolas Vigier 2014-05-08 18:06:13 CEST

CC: boklm => (none)