CUPS trips up on crafted PNG images
When processing crafted PNG images, an integer overflow may occur in the current 1.3.7 version of the CUPS Unix printing service. This could result in a buffer overflow that would potentially allow an attacker to inject and execute code from within the local network. Older versions are probably also affected.
The vulnerability results from a failure to check multiplication for overflow in the file filter/image-png.c, which calculates how much memory to reserve based on the image's X and Y values. An overflow during multiplication could result in insufficient memory being reserved.
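The unchecked multiplication described above, next to a checked form, as an added C example that is not taken from CUPS or its patch; the function names, the 32-bit size type and the 256 MiB limit are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy limit for one decoded image; not a value from CUPS. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Unchecked pattern: the 32-bit product silently wraps around. */
static uint32_t unchecked_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked pattern: divide before multiplying so no product can wrap.
 * Returns 0 and stores the byte count in *out, or -1 to reject the image. */
static int checked_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (width > MAX_IMAGE_BYTES / height)
        return -1;
    size_t pixels = (size_t)width * height;
    if (pixels > MAX_IMAGE_BYTES / bpp)
        return -1;
    *out = pixels * bpp;
    return 0;
}

/* Allocate a pixel buffer only when the header dimensions pass the check. */
static unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t bytes;
    if (checked_size(width, height, bpp, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed header values: the true size is 4 GiB + 256 KiB. */
    uint32_t w = 0x4001, h = 0x10000, bpp = 4;
    size_t bytes;
    printf("unchecked: %u bytes\n", (unsigned)unchecked_size(w, h, bpp));
    printf("checked:   %s\n", checked_size(w, h, bpp, &bytes) ? "rejected" : "accepted");
    unsigned char *p = alloc_pixels(640, 480, 3);
    printf("640x480x3: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

With the constructed dimensions, the unchecked calculation yields a buffer far smaller than the pixel data the decoder would then write, while the checked version refuses the image before any allocation.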
So far, no update has been released, although the developers have already fixed the problem in the Subversion repository. Those who compile the source themselves can download, compile and install the latest sources. Linux distributors are likely to backport the patch to the current versions and offer updated packages, which administrators should install. Until the updates are available, access to shared printers on CUPS should be restricted to trusted machines.
- Integer overflows in PNG image loading code, entry in the CUPS bug tracking system