Debian Security Advisory

DSA-1656-1 cupsys -- several vulnerabilities

Date Reported:

20 Oct 2008

Affected Packages:

cupsys

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2008-3639, CVE-2008-3640, CVE-2008-3641.

More information:

Several local vulnerabilities have been discovered in the Common UNIX Printing System. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-3639
It was discovered that insufficient bounds checking in the SGI image filter may lead to the execution of arbitrary code.
CVE-2008-3640
It was discovered that an integer overflow in the Postscript conversion tool texttops may lead to the execution of arbitrary code.
CVE-2008-3641
It was discovered that insufficient bounds checking in the HPGL filter may lead to the execution of arbitrary code.

For the stable distribution (etch), these problems have been fixed in version 1.2.7-4etch5.

For the unstable distribution (sid) and the upcoming stable distribution (lenny), these problems have been fixed in version 1.3.8-1lenny2 of the source package cups.

We recommend that you upgrade your cupsys package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7.orig.tar.gz; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5.diff.gz; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5.dsc
Architecture-independent component:: http://security.debian.org/pool/updates/main/c/cupsys/cupsys-common_1.2.7-4etch5_all.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-gnutls10_1.2.7-4etch5_all.deb
Alpha:: http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch5_alpha.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch5_alpha.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch5_alpha.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch5_alpha.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5_alpha.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch5_alpha.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch5_alpha.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch5_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch5_amd64.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch5_amd64.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch5_amd64.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch5_amd64.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch5_amd64.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch5_amd64.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5_amd64.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch5_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch5_arm.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch5_arm.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch5_arm.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch5_arm.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch5_arm.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5_arm.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch5_arm.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch5_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch5_hppa.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch5_hppa.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5_hppa.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch5_hppa.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch5_hppa.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch5_hppa.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch5_hppa.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch5_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch5_i386.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch5_i386.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch5_i386.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5_i386.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch5_i386.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch5_i386.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch5_i386.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch5_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch5_ia64.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch5_ia64.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch5_ia64.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5_ia64.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch5_ia64.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch5_ia64.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch5_ia64.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch5_ia64.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch5_mipsel.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5_mipsel.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch5_mipsel.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch5_mipsel.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch5_mipsel.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch5_mipsel.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch5_mipsel.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch5_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch5_powerpc.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch5_powerpc.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5_powerpc.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch5_powerpc.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch5_powerpc.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch5_powerpc.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch5_powerpc.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch5_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch5_s390.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch5_s390.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch5_s390.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch5_s390.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5_s390.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch5_s390.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch5_s390.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch5_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch5_sparc.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch5_sparc.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch5_sparc.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch5_sparc.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch5_sparc.deb; http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch5_sparc.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch5_sparc.deb; http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch5_sparc.deb

MD5 checksums of the listed files are available in the original advisory.