FreezeException for cups (CVE-2009-0163)

Bug #361866 reported by Jamie Strandboge
Affects | Status | Importance | Assigned to | Milestone
cups (Ubuntu) | Fix Released | Medium | Jamie Strandboge |
Jaunty | Fix Released | Medium | Jamie Strandboge |

Bug Description

Binary package hint: cups

On 2009-04-16 a new CUPS version (1.3.10) will be released addressing CVE-2009-0163. Attached is the debdiff for what I plan to upload.

Please note that CVE-2009-0166, CVE-2009-0146, and CVE-2009-0147 do not affect Ubuntu because we use the system pdftops (will be fixed via separate update) and we are deferring CVE-2009-0164 due to a high potential of regression (it can be revisited once 1.3.10 is in Karmic).

Please consider all of these issues embargoed and therefore not public until 1.3.10 is released (April 16th, 2009).

Jamie Strandboge (jdstrand) wrote :

Packages build and the built-in test suite passes. There are no ABI differences. I'll comment further when I'm finished with the qa-regression-testing testing.

summary: - FFe for cups (CVE-2009-0163)
+ FreezeException for cups (CVE-2009-0163)
Martin Pitt (pitti) wrote :

For the record, I heard about this about two weeks ago and uploaded Debian etch/lenny updates to the Debian security queue. The TIFF patch (which you fixed here) is trivial and obvious, so we should either get it into jaunty, or do a jaunty-security update immediately after.

I absolutely agree about not getting upstream 1.3.10 with the DNS rebinding patch, since this sounds dubious and regression-prone.

Thanks for preparing the updates!

Changed in cups (Ubuntu):
assignee: nobody → jdstrand
importance: Undecided → Medium
status: New → Fix Committed
status: Fix Committed → In Progress
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

I uploaded this a few minutes ago, and it is waiting for approval.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.3.9-17ubuntu1

---------------
cups (1.3.9-17ubuntu1) jaunty; urgency=low

  * SECURITY UPDATE: fix integer overflow via large TIFF file (LP: #361866)
    - debian/patches/CVE-2009-0163.dpatch: adjust CUPS_IMAGE_MAX_HEIGHT in
      filter/image-private.h
    - CVE-2009-0163

 -- Jamie Strandboge <email address hidden> Wed, 15 Apr 2009 09:33:56 -0500

Changed in cups (Ubuntu Jaunty):
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
