Bug 937018 - (CVE-2015-3279) VUL-0: CVE-2015-3279: cups-filters: texttopdf integer overflow (incomplete fix for CVE-2015-3258)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/118375/
CVSSv2:NVD:CVE-2015-3279:7.5:(AV:N/A...
Blocks: CVE-2015-3258
Reported: 2015-07-03 12:18 UTC by Andreas Stieger
Modified: 2019-05-01 16:48 UTC (History)
Found By: Security Response Team


Description Andreas Stieger 2015-07-03 12:18:54 UTC
Via RH:

> An integer overflow flaw leading to a heap-based buffer overflow was
> discovered in the way the texttopdf utility of cups-filter processed
> print jobs with a specially crafted line size. An attacker being able
> to submit print jobs could exploit this flaw to crash texttopdf or,
> possibly, execute arbitrary code with the privileges of the 'lp' user.
> 
> Patch:
> http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7365

But:

> Comment in
> http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7365
> claims it's CVE-2015-3259 (not 3279).

SLE 12:        cups-filters 1.0.58 /usr/lib/cups/filter/texttopdf
openSUSE 13.2: cups-filters 1.0.58 /usr/lib/cups/filter/texttopdf

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1238990
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3279
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3279.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3279
Comment 1 Andreas Stieger 2015-07-03 12:33:33 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1238990#c1

> Comment in
> http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7365
> claims it's CVE-2015-3259 (not 3279).

There seems to be some confusion about the CVE for this one, might be a dup of bug 936281 / bug CVE-2015-3258. 
CVE-2015-3259 may be a duplicate assignment.

We also have bug 921753 and bug 936281 outstanding, so I am expecting to start an update soon once this is clarified.
Comment 2 Andreas Stieger 2015-07-03 12:49:02 UTC
oss-sec:

> Even with the patch for CVE-2015-3258 in version 1.0.70 it was possible
> to trigger an integer overflow leading to a heap-based buffer overflow
> using the same vector (specially crafted line sizes).
> 
> The integer overflow has been assigned CVE-2015-3279 and is fixed in
> version 1.0.71. Apart from that, the patch also hardens against
> possible crashes due to missing calloc() success checks.
> 
> Patch:
> http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7365
> 
> Red Hat bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1238990
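
The flaw class quoted in the comment above (a buffer size derived from job-controlled line dimensions that wraps before allocation, plus an unchecked calloc()), shown as an added example that is not part of this bug thread and not cups-filters code. `cell_t`, `grid_bytes_wrapping`, `grid_bytes_checked`, `grid_alloc` and the 64 MiB cap are hypothetical names and assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names throughout; one cell is one character slot on the page. */
typedef uint32_t cell_t;
#define GRID_MAX_BYTES ((size_t)64 * 1024 * 1024)   /* assumed sanity cap */

/* Flawed pattern: the byte count is computed in 32 bits and wraps silently,
 * so the buffer can be far smaller than lines * columns cells. */
uint32_t grid_bytes_wrapping(uint32_t lines, uint32_t columns)
{
    return lines * columns * (uint32_t)sizeof(cell_t);
}

/* Hardened pattern: reject non-positive sizes, check each multiplication
 * before performing it, and apply an upper bound. Returns 0 on success. */
int grid_bytes_checked(long lines, long columns, size_t *bytes)
{
    if (lines <= 0 || columns <= 0)
        return -1;
    size_t n = (size_t)lines, m = (size_t)columns;
    if (n > SIZE_MAX / m || n * m > SIZE_MAX / sizeof(cell_t))
        return -1;
    *bytes = n * m * sizeof(cell_t);
    return *bytes <= GRID_MAX_BYTES ? 0 : -1;
}

/* Returns a zeroed grid or NULL; NULL covers both rejected sizes and
 * calloc() failure, so the caller has a single result to check. */
cell_t *grid_alloc(long lines, long columns)
{
    size_t bytes;
    if (grid_bytes_checked(lines, columns, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed job parameters: 0x40000001 lines of 1 column. */
    printf("wrapping size: %u bytes\n", (unsigned)grid_bytes_wrapping(0x40000001u, 1));
    cell_t *page = grid_alloc(0x40000001L, 1);
    if (page == NULL)                   /* check the result before any use */
        puts("page size rejected or allocation failed");
    free(page);
    return 0;
}
```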
Comment 3 Swamp Workflow Management 2015-07-03 22:00:15 UTC
bugbot adjusting priority
Comment 6 Johannes Meixner 2015-07-06 12:33:37 UTC
Fixed for openSUSE 13.2, see
https://bugzilla.suse.com/show_bug.cgi?id=921753#c14

Fixed for openSUSE:Factory via version upgrade to cups-filters 1.0.71
in OBS "Printing" project via submitrequest 315193 that is
forwarded to openSUSE:Factory via submitrequest 315194
Comment 7 Johannes Meixner 2015-07-06 12:36:12 UTC
For further processing for the maintenance update
I re-assign it to our security team.
Comment 8 Bernhard Wiedemann 2015-07-06 13:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (937018) was mentioned in
https://build.opensuse.org/request/show/315210 13.2 / cups-filters
Comment 9 Andreas Stieger 2015-07-06 14:36:39 UTC
Thanks, we'll handle the submissions.
Comment 10 Swamp Workflow Management 2015-07-14 16:16:26 UTC
openSUSE-SU-2015:1244-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 921753,936281,937018
CVE References: CVE-2015-2265,CVE-2015-3258,CVE-2015-3279
Sources used:
openSUSE 13.2 (src):    cups-filters-1.0.58-2.7.1
Comment 11 Swamp Workflow Management 2015-08-13 11:09:52 UTC
SUSE-SU-2015:1377-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 936281,937018
CVE References: CVE-2015-3258,CVE-2015-3279
Sources used:
SUSE Linux Enterprise Server 12 (src):    cups-filters-1.0.58-8.1
SUSE Linux Enterprise Desktop 12 (src):    cups-filters-1.0.58-8.1
Comment 12 Marcus Meissner 2015-12-08 14:11:39 UTC
released