Bugzilla – Bug 917799
VUL-0: CVE-2014-9679: cups: A malformed compressed raster file can trigger a buffer overflow in cupsRasterReadPixels
Last modified: 2015-03-23 21:05:18 UTC
CVE-2015-9679
https://www.cups.org/str.php?L4551
A malformed compressed raster file can trigger a buffer overflow in cupsRasterReadPixels. This issue was found while testing my brlaser printer driver using american fuzzy lop.
Fix: https://www.cups.org/strfiles.php/3438/str4551.patch
SLE 11 and up seem to be affected. Can you please check SLE 10 SP3?
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9679
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-9679.html
bugbot adjusting priority
This is CVE-2014-9679, not CVE-2015-9679
Created attachment 623543
testraster.c to reproduce the issue (improved https://www.cups.org/strfiles.php/3428/testraster.c)
To compile it you need cups-devel (and cups-libs) RPMs, then run
# gcc -lcupsimage -o testraster testraster.c
To see the segfault, download https://www.cups.org/strfiles.php/3429/bogus.raster.gz and unzip it into "bogus.raster" and then run
# ./testraster <bogus.raster >testraster.out
and you will get something like:
---------------------------------------------------------------------
cupsRasterReadPixels break
*** glibc detected *** ./testraster: munmap_chunk(): invalid pointer: 0x0000000000602ab0 ***
...
Aborted
---------------------------------------------------------------------
Fixed CUPS for SLE11 is in IBS project home:jsmeix:branches:SUSE:SLE-11:Update:Test package cups.SUSE_SLE-11_Update_Test
With that you will get:
----------------------------------------------------------------------------
# ./testraster <bogus.raster >testraster.out
cupsRasterReadHeader failed
----------------------------------------------------------------------------
Maintenance team:
I cannot submit the fixed CUPS for SLE11 in IBS project home:jsmeix:branches:SUSE:SLE-11:Update:Test package cups.SUSE_SLE-11_Update_Test
What I did:
----------------------------------------------------------------------------
$ isc branch -M SUSE:SLE-11:Update cups
[fixed via added str4551.CVE-2014-9679.CUPS-1.3.9.patch]
$ isc maintenancerequest home:jsmeix:branches:SUSE:SLE-11:Update:Test \
    cups.SUSE_SLE-11_Update_Test SUSE:SLE-11:Update:Test
Using target project 'SUSE:Maintenance'
Server returned an error: HTTP Error 400: Bad Request
Maintenance incident request contains release target project SUSE:SLE-11:Update:Test with invalid project kind "standard" for package cups.SUSE_SLE-11_Update_Test
$ rpm -q osc
osc-0.150.1-157.1
----------------------------------------------------------------------------
Fixed CUPS for SLE12 is in IBS project home:jsmeix:branches:SUSE:SLE-12:Update package cups.SUSE_SLE-12_Update and submitted it:
-----------------------------------------------------------------------------
$ isc maintenancerequest home:jsmeix:branches:SUSE:SLE-12:Update \
    cups.SUSE_SLE-12_Update SUSE:SLE-12:Update
Using target project 'SUSE:Maintenance'
51720
-----------------------------------------------------------------------------
Fixed CUPS for openSUSE 13.2 in OBS project home:jsmeix:branches:openSUSE:13.2:Update source package cups.openSUSE_13.2_Update and submitted it:
-----------------------------------------------------------------------------
$ osc maintenancerequest home:jsmeix:branches:openSUSE:13.2:Update \
    cups.openSUSE_13.2_Update openSUSE:13.2:Update
Using target project 'openSUSE:Maintenance'
286514
-----------------------------------------------------------------------------
Fixed CUPS for openSUSE 13.1 in OBS project home:jsmeix:branches:openSUSE:13.1:Update source package cups.openSUSE_13.1_Update and submitted it:
-----------------------------------------------------------------------------
$ osc maintenancerequest home:jsmeix:branches:openSUSE:13.1:Update \
    cups.openSUSE_13.1_Update openSUSE:13.1:Update
Using target project 'openSUSE:Maintenance'
286515
-----------------------------------------------------------------------------
This is an autogenerated message for OBS integration:
This bug (917799) was mentioned in
https://build.opensuse.org/request/show/286514 13.2 / cups
https://build.opensuse.org/request/show/286515 13.1 / cups
maint-coord@suse.de see https://bugzilla.opensuse.org/show_bug.cgi?id=917799#c5
just reassign security bugs back to security-team
Ah, for comment #c5 do not use mbranch or maintenancerequest for SLES 11.
cd home:jsmeix:branches:SUSE:SLE-11:Update:Test/cups.SUSE_SLE-11_Update_Test SUSE:SLE-11:Update:Test
osci sr SUSE:SLE-11:Update:Test cups
Marcus, many thanks for the information!
The server's returned error message misled me. I thought there is some issue in the build service.
Now I submitted the fixed CUPS for SLE11 in IBS project home:jsmeix:branches:SUSE:SLE-11:Update:Test source package cups.SUSE_SLE-11_Update_Test to SUSE:SLE-11:Update:Test/cups via IBS submitrequest 51768
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-03-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60708
Thank you for the submits. Can you please check if SLE 10 SP3 is vulnerable?
Of course I check if SLE10 is vulnerable but the filter/raster.c source is there somewhat different so that I need a bit more time for SLE10.
At least CUPS in SLE10-SP3 is not in the same way vulnerable because there is no crash:
------------------------------------------------------------------------
# ./testraster <bogus.raster.gz >testraster.out
cupsRasterOpen failed
------------------------------------------------------------------------
Or is it already a sufficient check that SLE10-SP3 is not vulnerable when it does not crash with CUPS in SLE10-SP3?
Created attachment 623671 [details] modified testraster.c to reproduce the issue on SLE10 CUPS on SLE10 does not provide cups_page_header2_t or cupsRasterReadHeader2 so that for SLE10 a modified testraster.c is needed: ---------------------------------------------------------------------------- --- testraster.c 2015-02-17 13:56:00.000000000 +0100 +++ testraster.sle10.c 2015-02-18 12:22:12.000000000 +0100 @@ -6,7 +6,7 @@ int main() { cups_raster_t *raster; - cups_page_header2_t header; + cups_page_header_t header; unsigned char *buf; unsigned line, r; @@ -16,7 +16,7 @@ int main() return 1; } - r = cupsRasterReadHeader2(raster, &header); + r = cupsRasterReadHeader(raster, &header); if (!r) { fprintf ( stderr, "cupsRasterReadHeader failed\n" ); return 1; ----------------------------------------------------------------------------
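Review bot: in the first hunk (@@ -6,7 +6,7 @@) the declaration switches to cups_page_header_t without any comment in the file saying why the older type is used. A one-line comment above `cups_page_header_t header;` noting that this variant targets a CUPS that lacks cups_page_header2_t would keep the two reproducers from being merged back by mistake.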
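Review bot: in the second hunk (@@ -16,7 +16,7 @@) the switch to cupsRasterReadHeader, together with the type change above it, forks the reproducer into testraster.sle10.c for a difference of two identifiers. Selecting the header type and the read function with a preprocessor switch inside the single testraster.c would avoid keeping two copies in sync; the unchanged error string "cupsRasterReadHeader failed" already fits both variants.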
Fixed CUPS 1.5.4 for the SLE12 "legacy" module in IBS project home:jsmeix:branches:SUSE:SLE-12:Update package cups154.SUSE_SLE-12_Update and submitted it:
-----------------------------------------------------------------------------
$ isc maintenancerequest home:jsmeix:branches:SUSE:SLE-12:Update \
    cups154.SUSE_SLE-12_Update SUSE:SLE-12:Update
Using target project 'SUSE:Maintenance'
52050
-----------------------------------------------------------------------------
(In reply to Johannes Meixner from comment #16) As discussed this is sufficient. SLE 10 doesn't need the fix. So we take this from here on. Thank you for the submits.
openSUSE-SU-2015:0381-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 917799
CVE References: CVE-2014-9679
Sources used:
openSUSE 13.2 (src): cups-1.5.4-21.6.1
openSUSE 13.1 (src): cups-1.5.4-12.17.1
SUSE-SU-2015:0465-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 917799
CVE References: CVE-2014-9679
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): cups-1.7.5-5.1
SUSE Linux Enterprise Server 12 (src): cups-1.7.5-5.1
SUSE Linux Enterprise Module for Legacy Software 12 (src): cups154-1.5.4-5.1
SUSE Linux Enterprise Desktop 12 (src): cups-1.7.5-5.1
SUSE Linux Enterprise Build System Kit 12 (src): cups-1.7.5-5.1
SUSE-SU-2015:0465-2: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 917799
CVE References: CVE-2014-9679
Sources used:
SUSE Linux Enterprise Build System Kit 12 (src): cups-1.7.5-5.1
released
SUSE-SU-2015:0575-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 917799
CVE References: CVE-2014-9679
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): cups-1.3.9-8.46.54.2
SUSE Linux Enterprise Server 11 SP3 for VMware (src): cups-1.3.9-8.46.54.2
SUSE Linux Enterprise Server 11 SP3 (src): cups-1.3.9-8.46.54.2
SUSE Linux Enterprise Desktop 11 SP3 (src): cups-1.3.9-8.46.54.2