Bug 3072 - CVE-2011-2896, CVE-2011-3170: security update for CUPS
Summary: CVE-2011-2896, CVE-2011-3170: security update for CUPS
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Duplicates: 3095
Depends on:
Blocks:
 
Reported: 2011-10-16 17:53 CEST by Florian Hubold
Modified: 2014-05-08 18:06 CEST
CC List: 3 users

See Also:
Source RPM:
CVE:
Status comment:


Attachments

Description Florian Hubold 2011-10-16 17:53:15 CEST
CVE-2011-3170

The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896.
Florian Hubold 2011-10-16 17:53:30 CEST

Status: NEW => ASSIGNED

Comment 1 Florian Hubold 2011-10-17 15:03:34 CEST
CVE-2011-2896

The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.
Comment 2 Florian Hubold 2011-11-03 18:40:14 CET
There is now cups-1.4.6-3.1.mga1 in core/updates_testing to validate
-------------------------------------------------------


Suggested advisory:
-------------------
This update addresses the following CVEs:

CVE-2011-2896
The LZW decompressor in the LWZReadByte function in giftoppm.c in
the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw
function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte
function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier,
the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4
and earlier, and other products, does not properly handle code words
that are absent from the decompression table when encountered, which
allows remote attackers to trigger an infinite loop or a heap-based
buffer overflow, and possibly execute arbitrary code, via a crafted
compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895


CVE-2011-3170
The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and
earlier does not properly handle the first code word in an LZW stream,
which allows remote attackers to trigger a heap-based buffer overflow,
and possibly execute arbitrary code, via a crafted stream, a different
vulnerability than CVE-2011-2896

-------------------------------------------------------
Steps to reproduce:

- install/update to update candidate
- check that everything works and there are no regressions
- a POC for CVE-2011-2896 is available: http://cups.org/str.php?L3867
- a POC for CVE-2011-3170 is available: http://cups.org/str.php?L3914

Assignee: doktor5000 => qa-bugs

Florian Hubold 2011-11-03 18:40:38 CET

Summary: CVE-2011-3170: security update for CUPS => CVE-2011-2896, CVE-2011-3170: security update for CUPS

Comment 3 claire robinson 2011-11-03 19:17:44 CET
Thank you for the POCs. I'm not really sure what to do with those files though. They create errors in applications when opening them but I'm assuming you need to print them somehow.

My printer is on a remote cups server which doesn't run Mageia or even a recent cups, will that affect testing this?
Comment 4 Dave Hodgins 2011-11-04 00:57:41 CET
Testing complete on i586 for the srpm
cups-1.4.6-3.1.mga1.src.rpm

Using http://cups.org/strfiles/3867/fuzzed.gif
lp fuzzed.gif caused a segfault in libcupsimage.so.2

Using http://cups.org/strfiles/3914/test.gif did not create any faults.

After installing the update using mgaapplet, the segfault no longer
occurs.  Also used the cups interface to ensure printing a test
page still works.

CC: (none) => davidwhodgins

Comment 5 claire robinson 2011-11-04 10:27:53 CET
Tested OK x86_64

Advisory
------------------
This update addresses the following CVEs:

CVE-2011-2896
The LZW decompressor in the LWZReadByte function in giftoppm.c in
the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw
function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte
function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier,
the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4
and earlier, and other products, does not properly handle code words
that are absent from the decompression table when encountered, which
allows remote attackers to trigger an infinite loop or a heap-based
buffer overflow, and possibly execute arbitrary code, via a crafted
compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895


CVE-2011-3170
The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and
earlier does not properly handle the first code word in an LZW stream,
which allows remote attackers to trigger a heap-based buffer overflow,
and possibly execute arbitrary code, via a crafted stream, a different
vulnerability than CVE-2011-2896

-------------------------------------------------------

cups-1.4.6-3.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/update

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2011-11-04 22:09:25 CET
Update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 7 Florian Hubold 2011-11-30 21:46:36 CET
*** Bug 3095 has been marked as a duplicate of this bug. ***

CC: (none) => boklm

Nicolas Vigier 2014-05-08 18:06:13 CEST

CC: boklm => (none)

