FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

cups-filters -- texttopdf integer overflow

Affected packages
cups-filters < 1.0.71


VuXML ID bf1d9331-21b6-11e5-86ff-14dae9d210b8
Discovery 2015-07-03
Entry 2015-07-03
Modified 2015-07-07

Stefan Cornelius from Red Hat reports:

An integer overflow flaw leading to a heap-based buffer overflow was discovered in the way the texttopdf utility of cups-filter processed print jobs with a specially crafted line size. An attacker being able to submit print jobs could exploit this flaw to crash texttopdf or, possibly, execute arbitrary code with the privileges of the 'lp' user.

Tim Waugh reports:

The Page allocation is moved into textcommon.c, where it does all the necessary checking: lower-bounds for CVE-2015-3258 and upper-bounds for CVE-2015-3259 due to integer overflows for the calloc() call initializing Page[0] and the memset() call in texttopdf.c's WritePage() function zeroing the entire array.


CVE Name CVE-2015-3279