Multiple integer overflows in (1) filter/image-png.c and (2) filter/image-zoom.c in CUPS 1.3 allow attackers to cause a denial of service (crash) and trigger memory corruption, as demonstrated via a crafted PNG image.

From Red Hat Security Advisory 2008:1028 :

Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Common UNIX(r) Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

An integer overflow flaw, leading to a heap buffer overflow, was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image-converting filters, 'imagetops' and 'imagetoraster'. An attacker could create a malicious PNG file that could, potentially, execute arbitrary code as the 'lp' user if the file was printed. (CVE-2008-5286)

CUPS users should upgrade to these updated packages, which contain a backported patch to correct this issue.

The remote Oracle Linux 5 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2008-0498 advisory.

    [1.2.4-11.18:.1]
    - Applied patch to fix CVE-2008-1722 (integer overflow in image filter,       bug #441692, STR #2790).

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An integer overflow flaw leading to a heap buffer overflow was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image converting filters 'imagetops' and 'imagetoraster'. An attacker could create a malicious PNG file that could possibly execute arbitrary code as the 'lp' user if the file was printed. (CVE-2008-1722)

It was discovered that the SGI image filter in CUPS did not perform proper bounds checking. If a user or automated system were tricked into opening a crafted SGI image, an attacker could cause a denial of service. (CVE-2008-3639)

It was discovered that the texttops filter in CUPS did not properly validate page metrics. If a user or automated system were tricked into opening a crafted text file, an attacker could cause a denial of service. (CVE-2008-3640)

It was discovered that the HP-GL filter in CUPS did not properly check for invalid pen parameters. If a user or automated system were tricked into opening a crafted HP-GL or HP-GL/2 file, a remote attacker could cause a denial of service or execute arbitrary code with user privileges. In Ubuntu 7.10 and 8.04 LTS, attackers would be isolated by the AppArmor CUPS profile. (CVE-2008-3641)

NOTE: The previous update for CUPS on Ubuntu 6.06 LTS did not have the the fix for CVE-2008-1722 applied. This update includes fixes for the problem. We apologize for the inconvenience.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Thomas Pollet discovered an integer overflow vulnerability in the PNG image handling filter in CUPS. This could allow a malicious user to execute arbitrary code with the privileges of the user running CUPS, or cause a denial of service by sending a specially crafted PNG image to the print server (CVE-2008-1722).

The updated packages have been patched to correct this issue.

Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Common UNIX(r) Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

An integer overflow flaw, leading to a heap buffer overflow, was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image-converting filters, 'imagetops' and 'imagetoraster'. An attacker could create a malicious PNG file that could, potentially, execute arbitrary code as the 'lp' user if the file was printed. (CVE-2008-5286)

CUPS users should upgrade to these updated packages, which contain a backported patch to correct this issue.

Several remote vulnerabilities have been discovered in the Common Unix Printing System (CUPS). The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-0053     Buffer overflows in the HP-GL input filter allowed to     possibly run arbitrary code through crafted HP-GL files.

  - CVE-2008-1373     Buffer overflow in the GIF filter allowed to possibly     run arbitrary code through crafted GIF files.

  - CVE-2008-1722     Integer overflows in the PNG filter allowed to possibly     run arbitrary code through crafted PNG files.

According to its banner, the version of CUPS installed on the remote host is affected by an integer overflow.  Using a specially crafted PNG file with overly long width and height fields, a remote attacker can leverage this issue to crash the affected service and may allow execution of arbitrary code.

According to its banner, the version of CUPS installed on the remote host is affected by an integer overflow. Using a specially crafted PNG file with overly long width and height fields, a remote attacker can leverage this issue to crash the affected service and may allow execution of arbitrary code.

Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 3, Red Hat Enterprise Linux 4, and Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

An integer overflow flaw leading to a heap buffer overflow was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image converting filters 'imagetops' and 'imagetoraster'. An attacker could create a malicious PNG file that could possibly execute arbitrary code as the 'lp' user if the file was printed. (CVE-2008-1722)

All CUPS users are advised to upgrade to these updated packages, which contain backported patch to resolve this issue.

- Fri May 9 2008 Tim Waugh <twaugh at redhat.com>     1:1.3.7-2

    - Applied patch to fix CVE-2008-1722 (integer overflow       in image filter, bug #441692, STR #2790).

  - Thu Apr 3 2008 Tim Waugh <twaugh at redhat.com>

    - Main package requires exactly-matching libs package.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fri May 9 2008 Tim Waugh <twaugh at redhat.com>     1:1.3.7-2

    - Applied patch to fix CVE-2008-1722 (integer overflow       in image filter, bug #441692, STR #2790).

  - Fri May 2 2008 Tim Waugh <twaugh at redhat.com>

    - Include the hostname in the charset error (part of bug       #441719).

    - Thu Apr 10 2008 Tim Waugh <twaugh at redhat.com>

    - Log an error when a client requests a charset other       than ASCII or UTF-8.

    - Thu Apr 3 2008 Tim Waugh <twaugh at redhat.com>

    - Main package requires exactly-matching libs package.

    - Wed Apr 2 2008 Tim Waugh <twaugh at redhat.com>       1:1.3.7-1

    - 1.3.7. No longer need str2715, str2727, or       CVE-2008-0047 patches.

    - Tue Apr 1 2008 Tim Waugh <twaugh at redhat.com>       1:1.3.6-4

    - Applied patch to fix CVE-2008-1373 (GIF overflow, bug       #438303).

    - Applied patch to prevent heap-based buffer overflow in       CUPS helper program (bug #436153, CVE-2008-0047, STR       #2729).

  - Thu Feb 28 2008 Tim Waugh <twaugh at redhat.com> 1.3.6-3

    - Apply upstream fix for Adobe JPEG files (bug #166460,       STR #2727).

    - Sat Feb 23 2008 Tim Waugh <twaugh at redhat.com>       1.3.6-2

    - Fix encoding of job-sheets option (bug #433753, STR       #2715).

    - Wed Feb 20 2008 Tim Waugh <twaugh at redhat.com>       1.3.6-1

    - 1.3.6. No longer need str2650, str2664, or str2703       patches.

    - Tue Feb 12 2008 Tim Waugh <twaugh at redhat.com>       1.3.5-3

    - Fixed admin.cgi handling of DefaultAuthType (bug       #432478, STR #2703).

    - Mon Jan 21 2008 Tim Waugh <twaugh at redhat.com>       1.3.5-2

    - Rebuilt.

    - Thu Jan 10 2008 Tim Waugh <twaugh at redhat.com>

    - Apply patch to fix busy looping in the backends (bug       #426653, STR #2664).

    - Wed Jan 9 2008 Tim Waugh <twaugh at redhat.com>

    - Apply patch to prevent overlong PPD lines from causing       failures except in strict mode (bug #405061). Needed       for compatibility with older versions of foomatic       (e.g. Red Hat Enterprise Linux 3/4).

  - Applied upstream patch to fix cupsctl --remote-any (bug     #421411, STR #2650).

    - Thu Jan 3 2008 Tim Waugh <twaugh at redhat.com>       1.3.5-1

    - 1.3.5. No longer need str2600, CVE-2007-4352,5392,5393       patches.

    - Efficiency fix for pstoraster (bug #416871).

    - Fri Nov 30 2007 Tim Waugh <twaugh at redhat.com>

    - CVE-2007-4045 patch is not necessarily because       cupsd_client_t objects are not moved in array       operations, only pointers to them.

  - Tue Nov 27 2007 Tim Waugh <twaugh at redhat.com>

    - Updated to improved dnssd backend from Till Kamppeter.

    - Don't undo the util.c parts of STR #2537.

    - Tue Nov 20 2007 Tim Waugh <twaugh at redhat.com>       1:1.3.4-4

    - Added fix for STR #2600 in which cupsd can crash from       a NULL dereference with LogLevel debug2 (bug #385631).

  - Mon Nov 12 2007 Tim Waugh <twaugh at redhat.com>     1:1.3.4-3

    - Fixed CVE-2007-4045 patch; has no effect with shipped       packages since they are linked with gnutls.

  - Temporarily undo STR #2537 change so that non-UTF-8     requests are not rejected (bug #378211).

  - LSPP cupsdSetString/ClearString fixes (bug #378451).

[plus 6 lines in the Changelog]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fri May 9 2008 Tim Waugh <twaugh at redhat.com>     1:1.2.12-11

    - Applied patch to fix CVE-2008-1722 (integer overflow       in image filter, bug #441692, STR #2790).

  - Tue Apr 1 2008 Tim Waugh <twaugh at redhat.com>     1:1.2.12-10

    - Applied patch to fix CVE-2008-1373 (GIF overflow, bug       #438303).

    - Applied patch to fix CVE-2008-0053 (HP-GL/2 input       processing, bug #438117).

    - Applied patch to prevent heap-based buffer overflow in       CUPS helper program (bug #436153, CVE-2008-0047, STR       #2729).

  - Fri Feb 22 2008 Tim Waugh <twaugh at redhat.com>     1:1.2.12-9

    - Prevent double-free when a browsed class has the same       name as a printer or vice versa (CVE-2008-0882, bug       #433758, STR #2656).

  - Mon Nov 12 2007 Tim Waugh <twaugh at redhat.com>     1:1.2.12-8

    - Fixed CVE-2007-4045 patch; has no effect with shipped       packages since they are linked with gnutls.

  - LSPP fixes (cupsdSetString/ClearString).

    - Wed Nov 7 2007 Tim Waugh <twaugh at redhat.com>       1:1.2.12-7

    - Applied patch to fix CVE-2007-4045 (bug #250161).

    - Applied patch to fix CVE-2007-4352, CVE-2007-5392 and       CVE-2007-5393 (bug #345101).

  - Thu Nov 1 2007 Tim Waugh <twaugh at redhat.com>     1:1.2.12-6

    - Applied patch to fix CVE-2007-4351 (STR #2561, bug       #361661).

    - Wed Oct 10 2007 Tim Waugh <twaugh at redhat.com>       1:1.2.12-5

    - Use ppdev for parallel port Device ID retrieval (bug       #311671).

    - Thu Aug 9 2007 Tim Waugh <twaugh at redhat.com>       1:1.2.12-4

    - Applied patch to fix CVE-2007-3387 (bug #251518).

    - Tue Jul 31 2007 Tim Waugh <twaugh at redhat.com>       1:1.2.12-3

    - Better buildroot tag.

    - Moved LSPP access check and security attributes check       in add_job() to before allocation of the job structure       (bug #231522).

  - Mon Jul 23 2007 Tim Waugh <twaugh at redhat.com>     1:1.2.12-2

    - Use kernel support for USB paper-out detection, when       available (bug #249213).

  - Fri Jul 13 2007 Tim Waugh <twaugh at redhat.com>     1:1.2.12-1

    - 1.2.12. No longer need adminutil or str2408 patches.

    - Wed Jul 4 2007 Tim Waugh <twaugh at redhat.com>       1:1.2.11-3

    - Better paper-out detection patch still (bug #246222).

    - Fri Jun 29 2007 Tim Waugh <twaugh at redhat.com>       1:1.2.11-2

    - Applied patch to fix group handling in PPDs (bug       #186231, STR #2408).

    - Wed Jun 27 2007 Tim Waugh <twaugh at redhat.com>       1:1.2.11-1

    - Fixed permissions on classes.conf in the file manifest       (bug #245748).

    - 1.2.11.

    - Tue Jun 12 2007 Tim Waugh <twaugh at redhat.com>

    - Make the initscript use start priority 56 (bug       #213828).

    - Mon Jun 11 2007 Tim Waugh <twaugh at redhat.com>       1:1.2.10-12

    - Better paper-out detection patch (bug #241589).

    - Mon May 21 2007 Tim Waugh <twaugh at redhat.com>       1:1.2.10-11

    - Fixed _cupsAdminSetServerSettings() sharing/shared       handling (bug #238057).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Thomas Pollet discovered that CUPS did not properly validate the size of PNG images. A local attacker, and a remote attacker if printer sharing is enabled, could send a crafted file and cause a denial of service or possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile. (CVE-2008-1722).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200804-23 (CUPS: Integer overflow vulnerability)

    Thomas Pollet reported a possible integer overflow vulnerability in the     PNG image handling in the file filter/image-png.c.
  Impact :

    A malicious user might be able to execute arbitrary code with the     privileges of the user running CUPS (usually lp), or cause a Denial of     Service by sending a specially crafted PNG image to the print server.
    The vulnerability is exploitable via the network if CUPS is sharing     printers remotely.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
67775	Oracle Linux 3 : cups (ELSA-2008-1028)	Nessus	Oracle Linux Local Security Checks	high
67699	Oracle Linux 5 : cups (ELSA-2008-0498)	Nessus	Oracle Linux Local Security Checks	medium
60415	Scientific Linux Security Update : cups on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
37836	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : cupsys vulnerabilities (USN-656-1)	Nessus	Ubuntu Local Security Checks	critical
36759	Mandriva Linux Security Advisory : cups (MDVSA-2008:170)	Nessus	Mandriva Local Security Checks	medium
35182	RHEL 3 : cups (RHSA-2008:1028)	Nessus	Red Hat Local Security Checks	high
35173	CentOS 3 : cups (CESA-2008:1028)	Nessus	CentOS Local Security Checks	high
33774	Debian DSA-1625-1 : cupsys - buffer overflows	Nessus	Debian Local Security Checks	critical
4610	CUPS < 1.3.8 Crafted PNG File Integer Overflow	Nessus Network Monitor	Web Servers	medium
33577	CUPS < 1.3.8 PNG File Handling Multiple Overflows	Nessus	Misc.	high
33109	CentOS 3 / 4 / 5 : cups (CESA-2008:0498)	Nessus	CentOS Local Security Checks	medium
33096	RHEL 3 / 4 / 5 : cups (RHSA-2008:0498)	Nessus	Red Hat Local Security Checks	medium
32331	Fedora 9 : cups-1.3.7-2.fc9 (2008-3756)	Nessus	Fedora Local Security Checks	medium
32207	Fedora 8 : cups-1.3.7-2.fc8 (2008-3586)	Nessus	Fedora Local Security Checks	medium
32197	Fedora 7 : cups-1.2.12-11.fc7 (2008-3449)	Nessus	Fedora Local Security Checks	medium
32186	Ubuntu 6.06 LTS / 7.04 / 7.10 : cupsys vulnerability (USN-606-1)	Nessus	Ubuntu Local Security Checks	medium
32016	GLSA-200804-23 : CUPS: Integer overflow vulnerability	Nessus	Gentoo Local Security Checks	medium

Detections

Analytics

CVE-2008-1722

medium

Tenable Plugins

high

medium

medium

critical

medium

high

high

critical

medium

high

medium

medium

medium

medium

medium

medium

medium