Fedora alert FEDORA-2008-2131 (cups)
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-2131
2008-04-08 23:35:45
--------------------------------------------------------------------------------

Name        : cups
Product     : Fedora 8
Version     : 1.3.6
Release     : 4.fc8
URL         : http://www.cups.org/
Summary     : Common Unix Printing System
Description :
The Common UNIX Printing System provides a portable printing layer for
UNIX® operating systems. It has been developed by Easy Software Products
to promote a standard printing solution for all UNIX vendors and users.
CUPS provides the System V and Berkeley command-line interfaces.

--------------------------------------------------------------------------------
Update Information:

Two security issues have been fixed in this update:
* A buffer overflow when processing GIF files
* A heap-based overflow in a CUPS helper program, used for searching
  documentation

This update also fixes a problem with processing some JPEG files.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 1 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.6-4
- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303).
- Applied patch to prevent heap-based buffer overflow in CUPS helper
  program (bug #436153, CVE-2008-0047, STR #2729).
* Thu Feb 28 2008 Tim Waugh <twaugh@redhat.com> 1.3.6-3
- Apply upstream fix for Adobe JPEG files (bug #166460, STR #2727).
* Sat Feb 23 2008 Tim Waugh <twaugh@redhat.com> 1.3.6-2
- Fix encoding of job-sheets option (bug #433753, STR #2715).
* Wed Feb 20 2008 Tim Waugh <twaugh@redhat.com> 1.3.6-1
- 1.3.6. No longer need str2650, str2664, or str2703 patches.
* Tue Feb 12 2008 Tim Waugh <twaugh@redhat.com> 1.3.5-3
- Fixed admin.cgi handling of DefaultAuthType (bug #432478, STR #2703).
* Mon Jan 21 2008 Tim Waugh <twaugh@redhat.com> 1.3.5-2
- Rebuilt.
* Thu Jan 10 2008 Tim Waugh <twaugh@redhat.com>
- Apply patch to fix busy looping in the backends (bug #426653, STR #2664).
* Wed Jan 9 2008 Tim Waugh <twaugh@redhat.com>
- Apply patch to prevent overlong PPD lines from causing failures except
  in strict mode (bug #405061). Needed for compatibility with older
  versions of foomatic (e.g. Red Hat Enterprise Linux 3/4).
- Applied upstream patch to fix cupsctl --remote-any (bug #421411, STR #2650).
* Thu Jan 3 2008 Tim Waugh <twaugh@redhat.com> 1.3.5-1
- 1.3.5. No longer need str2600, CVE-2007-4352,5392,5393 patches.
- Efficiency fix for pstoraster (bug #416871).
* Fri Nov 30 2007 Tim Waugh <twaugh@redhat.com>
- CVE-2007-4045 patch is not necessary because cupsd_client_t objects are
  not moved in array operations, only pointers to them.
* Tue Nov 27 2007 Tim Waugh <twaugh@redhat.com>
- Updated to improved dnssd backend from Till Kamppeter.
- Don't undo the util.c parts of STR #2537.
* Tue Nov 20 2007 Tim Waugh <twaugh@redhat.com> 1:1.3.4-4
- Added fix for STR #2600 in which cupsd can crash from a NULL dereference
  with LogLevel debug2 (bug #385631).
* Mon Nov 12 2007 Tim Waugh <twaugh@redhat.com> 1:1.3.4-3
- Fixed CVE-2007-4045 patch; has no effect with shipped packages since
  they are linked with gnutls.
- Temporarily undo STR #2537 change so that non-UTF-8 requests are not
  rejected (bug #378211).
- LSPP cupsdSetString/ClearString fixes (bug #378451).
* Wed Nov 7 2007 Tim Waugh <twaugh@redhat.com> 1:1.3.4-2
- Applied patch to fix CVE-2007-4045 (bug #250161).
- Applied patch to fix CVE-2007-4352, CVE-2007-5392 and CVE-2007-5393
  (bug #345101).
* Thu Nov 1 2007 Tim Waugh <twaugh@redhat.com> 1:1.3.4-1
- 1.3.4 (bug #362971).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #436153 - CVE-2008-0047 cups: heap based buffer overflow in cgiCompileSearch()
        https://bugzilla.redhat.com/show_bug.cgi?id=436153
  [ 2 ] Bug #438303 - CVE-2008-1373 cups: overflow in gif image filter
        https://bugzilla.redhat.com/show_bug.cgi?id=438303
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update cups' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.