Bug 917799 - (CVE-2014-9679) VUL-0: CVE-2014-9679: cups: A malformed compressed raster file can trigger a buffer overflow in cupsRasterReadPixels
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
https://smash.suse.de/issue/113853/
maint:released:sle11-sp1:60913 maint...
Reported: 2015-02-13 12:01 UTC by Johannes Segitz
Modified: 2015-03-23 21:05 UTC (History)
Found By: Security Response Team
Attachments
testraster.c to reproduce the issue (improved https://www.cups.org/strfiles.php/3428/testraster.c) (851 bytes, text/plain)
2015-02-17 13:03 UTC, Johannes Meixner
modified testraster.c to reproduce the issue on SLE10 (849 bytes, text/plain)
2015-02-18 11:25 UTC, Johannes Meixner
Description Johannes Segitz 2015-02-13 12:01:56 UTC
CVE-2015-9679

https://www.cups.org/str.php?L4551

A malformed compressed raster file can trigger a buffer overflow in cupsRasterReadPixels. This issue was found while testing my brlaser printer driver using american fuzzy lop.

Fix: https://www.cups.org/strfiles.php/3438/str4551.patch.

SLE 11 and up seem to be affected. Can you please check SLE 10 SP3?

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9679
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-9679.html
Comment 1 Swamp Workflow Management 2015-02-13 23:00:24 UTC
bugbot adjusting priority
Comment 2 Johannes Segitz 2015-02-15 13:33:14 UTC
This is CVE-2014-9679, not CVE-2015-9679
               ^                  ^
Comment 3 Johannes Meixner 2015-02-17 13:03:17 UTC
Created attachment 623543
testraster.c to reproduce the issue (improved https://www.cups.org/strfiles.php/3428/testraster.c)

To compile it you need cups-devel (and cups-libs) RPMs, then run

# gcc -o testraster testraster.c -lcupsimage


To see the segfault, download
https://www.cups.org/strfiles.php/3429/bogus.raster.gz
and unzip it into "bogus.raster" and then run

# ./testraster <bogus.raster >testraster.out

and you will get something like:
---------------------------------------------------------------------
cupsRasterReadPixels break
*** glibc detected *** ./testraster: munmap_chunk():
 invalid pointer: 0x0000000000602ab0 ***
...
Aborted
---------------------------------------------------------------------
Comment 4 Johannes Meixner 2015-02-17 13:05:20 UTC
Fixed CUPS for SLE11 is in IBS
project home:jsmeix:branches:SUSE:SLE-11:Update:Test
package cups.SUSE_SLE-11_Update_Test

With that you will get:
----------------------------------------------------------------------------
# ./testraster <bogus.raster >testraster.out
cupsRasterReadHeader failed
----------------------------------------------------------------------------
Comment 5 Johannes Meixner 2015-02-17 13:10:07 UTC
Maintenance team:

I cannot submit the fixed CUPS for SLE11 in IBS
project home:jsmeix:branches:SUSE:SLE-11:Update:Test
package cups.SUSE_SLE-11_Update_Test

What I did:
----------------------------------------------------------------------------
$ isc branch -M SUSE:SLE-11:Update cups

[fixed via added str4551.CVE-2014-9679.CUPS-1.3.9.patch]

$ isc maintenancerequest home:jsmeix:branches:SUSE:SLE-11:Update:Test \
 cups.SUSE_SLE-11_Update_Test SUSE:SLE-11:Update:Test

Using target project 'SUSE:Maintenance'
Server returned an error: HTTP Error 400: Bad Request
Maintenance incident request contains release target project SUSE:SLE-11:Update:Test with invalid project kind "standard" for package cups.SUSE_SLE-11_Update_Test

$ rpm -q osc
osc-0.150.1-157.1
----------------------------------------------------------------------------
Comment 6 Johannes Meixner 2015-02-17 13:33:15 UTC
Fixed CUPS for SLE12 is in IBS
project home:jsmeix:branches:SUSE:SLE-12:Update
package cups.SUSE_SLE-12_Update
and submitted it:
-----------------------------------------------------------------------------
$ isc maintenancerequest home:jsmeix:branches:SUSE:SLE-12:Update \
 cups.SUSE_SLE-12_Update SUSE:SLE-12:Update
Using target project 'SUSE:Maintenance'
51720
-----------------------------------------------------------------------------
Comment 7 Johannes Meixner 2015-02-17 15:10:15 UTC
Fixed CUPS for openSUSE 13.2 in OBS
project home:jsmeix:branches:openSUSE:13.2:Update
source package cups.openSUSE_13.2_Update
and submitted it:
-----------------------------------------------------------------------------
$ osc maintenancerequest home:jsmeix:branches:openSUSE:13.2:Update \
 cups.openSUSE_13.2_Update openSUSE:13.2:Update
Using target project 'openSUSE:Maintenance'
286514
-----------------------------------------------------------------------------
Comment 8 Johannes Meixner 2015-02-17 15:35:19 UTC
Fixed CUPS for openSUSE 13.1 in OBS
project home:jsmeix:branches:openSUSE:13.1:Update
source package cups.openSUSE_13.1_Update
and submitted it:
-----------------------------------------------------------------------------
$ osc maintenancerequest home:jsmeix:branches:openSUSE:13.1:Update \
 cups.openSUSE_13.1_Update openSUSE:13.1:Update
Using target project 'openSUSE:Maintenance'
286515
-----------------------------------------------------------------------------
Comment 9 Bernhard Wiedemann 2015-02-17 16:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (917799) was mentioned in
https://build.opensuse.org/request/show/286514 13.2 / cups
https://build.opensuse.org/request/show/286515 13.1 / cups
Comment 11 Marcus Meissner 2015-02-18 09:49:50 UTC
just reassign security bugs back to security-team
Comment 12 Marcus Meissner 2015-02-18 09:51:15 UTC
Ah, for comment #c5

do not use mbranch or maintenancerequest for SLES 11.

cd home:jsmeix:branches:SUSE:SLE-11:Update:Test/cups.SUSE_SLE-11_Update_Test SUSE:SLE-11:Update:Test

osci sr SUSE:SLE-11:Update:Test cups
Comment 13 Johannes Meixner 2015-02-18 10:26:07 UTC
Marcus,
many thanks for the information!
The server's returned error message misled me.
I thought there is some issue in the build service.

Now I submitted the fixed CUPS for SLE11 in IBS
project home:jsmeix:branches:SUSE:SLE-11:Update:Test
source package cups.SUSE_SLE-11_Update_Test
to SUSE:SLE-11:Update:Test/cups
via IBS submitrequest 51768
Comment 14 Swamp Workflow Management 2015-02-18 11:10:57 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-04.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60708
Comment 15 Johannes Segitz 2015-02-18 11:12:37 UTC
Thank you for the submits. Can you please check if SLE 10 SP3 is vulnerable?
Comment 16 Johannes Meixner 2015-02-18 11:21:23 UTC
Of course I check if SLE10 is vulnerable
but the filter/raster.c source is there somewhat different
so that I need a bit more time for SLE10.

At least CUPS in SLE10-SP3 is not in the same way vulnerable
because there is no crash:
------------------------------------------------------------------------
# ./testraster <bogus.raster.gz >testraster.out
cupsRasterOpen failed
------------------------------------------------------------------------

Or is it already a sufficient check that SLE10-SP3 is not vulnerable
when it does not crash with CUPS in SLE10-SP3?
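
A way to record the outcomes reported in comments 3, 4 and 16 when the same testraster harness is re-run against several CUPS builds, as an added example that is not part of the bug thread. The function names and outcome labels are chosen here for illustration; only the two "failed" message strings come from the comments.

```shell
#!/bin/sh
# Added example: classify one testraster run from its exit status and stderr.
# Labels (crash, rejected-header, stopped-at-open, ...) are made up for this
# example; the matched strings are the harness messages quoted in the thread.

classify_run() {
    status=$1
    stderr_text=$2
    # A shell reports death by signal N as 128+N (SIGABRT -> 134, SIGSEGV -> 139).
    if [ "$status" -gt 128 ]; then
        echo "crash"
        return 0
    fi
    case $stderr_text in
        # Header read refused the file, so no pixel data was decoded.
        *"cupsRasterReadHeader failed"*) echo "rejected-header" ;;
        # The stream was never opened as a raster, so nothing was parsed.
        *"cupsRasterOpen failed"*)       echo "stopped-at-open" ;;
        *)
            if [ "$status" -eq 0 ]; then
                echo "completed"
            else
                echo "other-failure"
            fi
            ;;
    esac
}

# Run a harness binary with a raster file on stdin and print the classification.
run_and_classify() {
    harness=$1
    input=$2
    errfile=$(mktemp) || return 2
    status=0
    "$harness" <"$input" >/dev/null 2>"$errfile" || status=$?
    classify_run "$status" "$(cat "$errfile")"
    rm -f "$errfile"
}

# Constructed (exit status, stderr) pairs mirroring comments 3, 4 and 16.
classify_run 134 "cupsRasterReadPixels break"
classify_run 1 "cupsRasterReadHeader failed"
classify_run 1 "cupsRasterOpen failed"
```

Typical use is `run_and_classify ./testraster bogus.raster` once per installed CUPS build, keeping the printed label next to the package version.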
Comment 17 Johannes Meixner 2015-02-18 11:25:31 UTC
Created attachment 623671
modified testraster.c to reproduce the issue on SLE10

CUPS on SLE10 does not provide cups_page_header2_t or cupsRasterReadHeader2
so that for SLE10 a modified testraster.c is needed:
----------------------------------------------------------------------------
--- testraster.c   2015-02-17 13:56:00.000000000 +0100
+++ testraster.sle10.c     2015-02-18 12:22:12.000000000 +0100
@@ -6,7 +6,7 @@
 int main()
 {
   cups_raster_t *raster;
-  cups_page_header2_t header;
+  cups_page_header_t header;
   unsigned char *buf;
   unsigned line, r;
 
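Review bot: the switch to `cups_page_header_t header;` is only correct together with the matching call change in the next hunk, and the visible lines carry no comment saying which CUPS API level this variant targets. Consider keeping a single source file with a preprocessor switch that selects both the header type and the read function, plus a one-line comment that the version-1 header is for CUPS builds without cups_page_header2_t, instead of maintaining two near-identical files.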
@@ -16,7 +16,7 @@ int main()
     return 1;
   }
 
-  r = cupsRasterReadHeader2(raster, &header);
+  r = cupsRasterReadHeader(raster, &header);
   if (!r)
   { fprintf ( stderr, "cupsRasterReadHeader failed\n" );
     return 1;
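Review bot: the unchanged message `"cupsRasterReadHeader failed\n"` is accurate for this variant, but in the original testraster.c the same text is printed after a failed `cupsRasterReadHeader2` call, so the output alone does not tell which header API rejected the file. Make each variant's message name the function it actually called. The error path also returns without closing `raster`, which is harmless in a one-shot reproducer but worth a cupsRasterClose call if the harness gets reused.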
----------------------------------------------------------------------------
Comment 18 Johannes Meixner 2015-02-23 09:33:18 UTC
Fixed CUPS 1.5.4 for the SLE12 "legacy" module in IBS
project home:jsmeix:branches:SUSE:SLE-12:Update
package cups154.SUSE_SLE-12_Update
and submitted it:
-----------------------------------------------------------------------------
$ isc maintenancerequest home:jsmeix:branches:SUSE:SLE-12:Update \
 cups154.SUSE_SLE-12_Update SUSE:SLE-12:Update
Using target project 'SUSE:Maintenance'
52050
-----------------------------------------------------------------------------
Comment 20 Johannes Segitz 2015-02-25 09:12:39 UTC
(In reply to Johannes Meixner from comment #16)
As discussed this is sufficient. SLE 10 doesn't need the fix. So we take this from here on. Thank you for the submits.
Comment 21 Swamp Workflow Management 2015-02-26 08:05:03 UTC
openSUSE-SU-2015:0381-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 917799
CVE References: CVE-2014-9679
Sources used:
openSUSE 13.2 (src):    cups-1.5.4-21.6.1
openSUSE 13.1 (src):    cups-1.5.4-12.17.1
Comment 22 Swamp Workflow Management 2015-03-11 10:05:21 UTC
SUSE-SU-2015:0465-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 917799
CVE References: CVE-2014-9679
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    cups-1.7.5-5.1
SUSE Linux Enterprise Server 12 (src):    cups-1.7.5-5.1
SUSE Linux Enterprise Module for Legacy Software 12 (src):    cups154-1.5.4-5.1
SUSE Linux Enterprise Desktop 12 (src):    cups-1.7.5-5.1
SUSE Linux Enterprise Build System Kit 12 (src):    cups-1.7.5-5.1
Comment 23 Swamp Workflow Management 2015-03-11 11:06:31 UTC
SUSE-SU-2015:0465-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 917799
CVE References: CVE-2014-9679
Sources used:
SUSE Linux Enterprise Build System Kit 12 (src):    cups-1.7.5-5.1
Comment 24 Marcus Meissner 2015-03-23 11:53:50 UTC
released
Comment 25 Swamp Workflow Management 2015-03-23 21:05:18 UTC
SUSE-SU-2015:0575-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 917799
CVE References: CVE-2014-9679
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    cups-1.3.9-8.46.54.2
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    cups-1.3.9-8.46.54.2
SUSE Linux Enterprise Server 11 SP3 (src):    cups-1.3.9-8.46.54.2
SUSE Linux Enterprise Desktop 11 SP3 (src):    cups-1.3.9-8.46.54.2