Date: Tue, 25 Nov 2008 12:39:00 +0100
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
Cc: Eygene Ryabinkin <>, Michael Sweet <>,
Subject: Re: CVE request: cups - potential integer overflow
	in PNG image reader [was: CUPS DoS via RSS subscriptions]

Hello Steve and Eygene,

On Fri, 2008-11-21 at 07:23 -0800, Michael Sweet wrote:
> Eygene Ryabinkin wrote:
> > Steve, good day.
> > 
> > Thu, Nov 20, 2008 at 07:41:06PM -0500, Steven M. Christey wrote:
> >> I treated this as two CVEs, one for the CSRF-simplifying attack, and a
> >> separate one for the CUPS server crash (assuming that cupsd should not be
> >> crashable by non-root authenticated users).
> > 
> > Please note that as it was discussed in the thread started with
> >
> > even 1.3.9 is crashable by non-root authenticated users by adding
> > a big number of subscriptions (don't know about RSS ones, though
> > subscription for mailing upon job completion does its job).  But
> > I imagine that CVE-2008-5184 can't be used for 1.3.9, so remote
> > attack is not feasible.
> > 
> > I expect that the fix will go into 1.3.10:
> >
> > 

Eygene - Thanks for the post! Btw. this CHANGES-1.3.txt file also
mentions another security flaw, i.e. an incomplete fix for CVE-2008-1722:


- SECURITY: The PNG image reading code did not validate the
	  image size properly, leading to a potential buffer overflow
	  (STR #2974)


The relevant upstream cups BTS post together with patch attached is


This issue seems to be introduced by the fix for CVE-2008-1722, i.e:

Steve, could you please allocate a new CVE identifier for this one?

Thanks, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
