Bug 936281 (CVE-2015-3258) - VUL-0: CVE-2015-3258: cups-filters: texttopdf heap-based buffer overflow
Summary: VUL-0: CVE-2015-3258: cups-filters: texttopdf heap-based buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2015-3258
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/118051/
Whiteboard:
Keywords:
Depends on: CVE-2015-3279
Blocks:
Reported: 2015-06-26 19:00 UTC by Marcus Meissner
Modified: 2016-04-27 19:41 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2015-06-26 19:00:30 UTC
http://seclists.org/oss-sec/2015/q2/809

From: Stefan Cornelius <scorneli () redhat com>
Date: Fri, 26 Jun 2015 18:43:26 +0200

Hi,

A heap-based buffer overflow was discovered in the way the texttopdf
utility of cups-filters processed print jobs with a specially crafted
line size. An attacker being able to submit print jobs could exploit
this flaw to crash texttopdf or, possibly, execute arbitrary code.

This was discovered by Petr Sklenar of Red Hat.

This is fixed in cups-filters 1.0.70.

Patch:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7363

Minor note on the side: The commit thanks me for the patch. The patch
was created by Tim Waugh of Red Hat, I've merely forwarded it.

Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1235385

Thanks,
Comment 1 Marcus Meissner 2015-06-26 20:35:39 UTC
Hi again,

I think there's a possible problem with the patch that I failed to catch
earlier in the process, so you may want to hold packaging for a bit
until this is fully investigated.

Sorry for the inconvenience.
-- 
Stefan Cornelius / Red Hat Product Security
Comment 2 Swamp Workflow Management 2015-06-26 22:00:42 UTC
bugbot adjusting priority
Comment 3 Johannes Meixner 2015-06-29 10:18:48 UTC
For now I did a cups-filters version upgrade to 1.0.70
(that contains at least one kind of a fix for CVE-2015-3258)
in the OBS "Printing" project via submitrequest 314348
but it is not yet forwarded to openSUSE:Factory.

I will wait submitting package updates for released products
until the issue in comment#1 is clarified.
Comment 4 Johannes Meixner 2015-06-30 07:02:21 UTC
Marcus Meissner,
why do you mention "cups" in the bug's subject?
How is CUPS affected?
Comment 5 Marcus Meissner 2015-06-30 08:33:10 UTC
I was under the impression that cups-filters was split off from earlier cups versions.

It seems older versions of cups do not include texttopdf, so close.
Comment 6 Johannes Meixner 2015-06-30 09:25:55 UTC
Only FYI:

The big difference is up to CUPS 1.5.4 (I call that "traditional" CUPS)
versus since CUPS 1.6 (for details see bug#735404).

Up to CUPS 1.5.4 PostScript was used as standard print job format.
Since CUPS 1.6 PDF is used as standard print job format, cf.
https://en.opensuse.org/Concepts_printing

Accordingly up to CUPS 1.5.4 there is only a "texttops" filter.

Since CUPS 1.6 all filters that are not needed by Apple's printing stack
have been removed from CUPS and are provided in the new and separated
"cups-filters" from the OpenPrinting workgroup of the Linux Foundation.

In particular cups-filters contains the new "texttopdf" filter
for the new PDF printing workflow.

In the end CUPS does not and never had a "texttopdf" filter.
Only cups-filters has it.
Comment 7 Andreas Stieger 2015-07-03 12:28:16 UTC
Looks like there is an updated upstream change:

> CHANGES IN V1.0.71
>         - texttopdf: The Page allocation is moved into textcommon.c, where it
>           does all the necessary checking: lower-bounds for CVE-2015-3258 and
>           upper-bounds for CVE-2015-3259 due to integer overflows for the
>           calloc() call initialising Page[0] and the memset() call in
>           texttopdf.c's WritePage() function zeroing the entire array. Thanks
>           to Tim Waugh from Red Hat for the patch.
>         - texttopdf: Upper-bounds checking (CVE-2015-3259).

CVE-2015-3259 is most likely a typo as this is assigned to another (currently embargoed) issue for an unrelated package.
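The checked page allocation that the V1.0.71 changelog above describes (lower bound on the geometry, then upper bounds so that neither the calloc() nor a later full-page memset() works on a wrapped size), written out as an added C example. This is not cups-filters' own code; the lchar_t layout and the names alloc_page, free_page and page_geometry_ok are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for texttopdf's per-cell character type (assumption). */
typedef struct { uint32_t ch; uint8_t attr; } lchar_t;

/* Allocate a lines x columns page as one contiguous block plus row pointers.
 * Lower bound: a zero/negative geometry is refused.  Upper bound: the cell
 * count and the byte count must not wrap before calloc() and memset(). */
lchar_t **alloc_page(int columns, int lines, size_t *out_bytes)
{
    if (columns < 1 || lines < 1)
        return NULL;
    size_t cols = (size_t)columns, rows = (size_t)lines;
    if (cols > SIZE_MAX / rows)                 /* cols * rows would wrap */
        return NULL;
    size_t cells = cols * rows;
    if (cells > SIZE_MAX / sizeof(lchar_t))     /* cells * sizeof would wrap */
        return NULL;
    lchar_t **page = calloc(rows, sizeof(lchar_t *));
    if (page == NULL)
        return NULL;
    page[0] = calloc(cells, sizeof(lchar_t));   /* one block for all cells */
    if (page[0] == NULL) {
        free(page);
        return NULL;
    }
    for (size_t r = 1; r < rows; r++)           /* row pointers into the block */
        page[r] = page[0] + r * cols;
    if (out_bytes)
        *out_bytes = cells * sizeof(lchar_t);   /* safe length for memset() */
    return page;
}
void free_page(lchar_t **page)
{
    if (page) { free(page[0]); free(page); }
}

/* 1 if the geometry is accepted (and zeroing the whole page is safe), else 0. */
int page_geometry_ok(int columns, int lines)
{
    size_t bytes = 0;
    lchar_t **p = alloc_page(columns, lines, &bytes);
    if (p == NULL) return 0;
    memset(p[0], 0, bytes);                     /* the WritePage()-style zeroing */
    free_page(p);
    return 1;
}
```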
Comment 10 Johannes Meixner 2015-07-06 12:35:14 UTC
Fixed for openSUSE 13.2, see
https://bugzilla.suse.com/show_bug.cgi?id=921753#c14

Fixed for openSUSE:Factory via version upgrade to cups-filters 1.0.71
in OBS "Printing" project via submitrequest 315193 that is
forwarded to openSUSE:Factory via submitrequest 315194
Comment 11 Johannes Meixner 2015-07-06 12:37:07 UTC
For further processing for the maintenance update
I re-assign it to our security team.
Comment 12 Bernhard Wiedemann 2015-07-06 13:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (936281) was mentioned in
https://build.opensuse.org/request/show/315210 13.2 / cups-filters
Comment 13 Andreas Stieger 2015-07-06 14:36:40 UTC
Thanks, we'll handle the submissions.
Comment 14 Swamp Workflow Management 2015-07-14 16:16:15 UTC
openSUSE-SU-2015:1244-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 921753,936281,937018
CVE References: CVE-2015-2265,CVE-2015-3258,CVE-2015-3279
Sources used:
openSUSE 13.2 (src):    cups-filters-1.0.58-2.7.1
Comment 15 Swamp Workflow Management 2015-08-13 11:09:39 UTC
SUSE-SU-2015:1377-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 936281,937018
CVE References: CVE-2015-3258,CVE-2015-3279
Sources used:
SUSE Linux Enterprise Server 12 (src):    cups-filters-1.0.58-8.1
SUSE Linux Enterprise Desktop 12 (src):    cups-filters-1.0.58-8.1
Comment 16 Marcus Meissner 2015-12-08 14:11:52 UTC
released