Security Advisory Important: cups security update

Advisory: RHSA-2007:1022-2
Type: Security Advisory
Severity: Important
Issued on: 2007-11-07
Last updated on: 2007-11-07
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20071022.xml
CVEs (cve.mitre.org): CVE-2007-4045
CVE-2007-4351
CVE-2007-4352
CVE-2007-5392
CVE-2007-5393

Details

Updated cups packages that fix several security issues are now available
for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The Common UNIX Printing System (CUPS) provides a portable printing layer
for UNIX(R) operating systems.

Alin Rad Pop discovered several flaws in the handling of PDF files. An
attacker could create a malicious PDF file that would cause CUPS to crash
or potentially execute arbitrary code when printed.
(CVE-2007-4352, CVE-2007-5392, CVE-2007-5393)

Alin Rad Pop discovered a flaw in in the way CUPS handles certain IPP tags.
A remote attacker who is able to connect to the IPP TCP port could send a
malicious request causing the CUPS daemon to crash. (CVE-2007-4351)

A flaw was found in the way CUPS handled SSL negotiation. A remote attacker
capable of connecting to the CUPS daemon could cause CUPS to crash.
(CVE-2007-4045)

All CUPS users are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Desktop (v. 4)
SRPMS:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.src.rpm
File outdated by:  RHSA-2008:0937		     87d4f1fd6ca6b148140870504f0257b2
 
IA-32:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     0b2dd80ca58b7fcc5ad84f8e1ecd0e81
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     5c00544011bb0dacb4e41e79104d0f0e
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     fced80c7c01ff6db29cbd090bc516b4f
 
x86_64:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     d4c61974402d4a95ad77bf1eb837350f
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     7bff3f38344be659b135fae842303ae0
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     fced80c7c01ff6db29cbd090bc516b4f
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     d328339cf064b6c33a12077ed94c506d
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.src.rpm
File outdated by:  RHSA-2008:0937		     87d4f1fd6ca6b148140870504f0257b2
 
IA-32:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     0b2dd80ca58b7fcc5ad84f8e1ecd0e81
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     5c00544011bb0dacb4e41e79104d0f0e
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     fced80c7c01ff6db29cbd090bc516b4f
 
IA-64:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.ia64.rpm
File outdated by:  RHSA-2008:0937		     d16b549b7db56a64bcfb1b84d93a4c05
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.ia64.rpm
File outdated by:  RHSA-2008:0937		     8509e970c0d5775aeed6b63052d2b236
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     fced80c7c01ff6db29cbd090bc516b4f
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.ia64.rpm
File outdated by:  RHSA-2008:0937		     0a90a78354eaabe482197beee1252b65
 
PPC:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.ppc.rpm
File outdated by:  RHSA-2008:0937		     0d960f2f76cbf3cbf66cb8ba709a6cdc
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.ppc.rpm
File outdated by:  RHSA-2008:0937		     db613329c8d17b9768fb036d823a02e9
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.ppc.rpm
File outdated by:  RHSA-2008:0937		     2156b4fa59f3707f3109f0459486cd81
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.ppc64.rpm
File outdated by:  RHSA-2008:0937		     8c37e553d1f4ec9eef4deb92c48247ac
 
s390:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.s390.rpm
File outdated by:  RHSA-2008:0937		     591d99417d2ca16cdc119bca9389800b
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.s390.rpm
File outdated by:  RHSA-2008:0937		     0ba3a1ca70208f3c0659e2439a0a3d67
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.s390.rpm
File outdated by:  RHSA-2008:0937		     aa7ac1b0d5cde56f20aacec0cf1d5d3c
 
s390x:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.s390x.rpm
File outdated by:  RHSA-2008:0937		     dbc10680046467c823e05ac2724fae50
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.s390x.rpm
File outdated by:  RHSA-2008:0937		     a02e3c07a980aa7d59efa690c2dd798d
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.s390.rpm
File outdated by:  RHSA-2008:0937		     aa7ac1b0d5cde56f20aacec0cf1d5d3c
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.s390x.rpm
File outdated by:  RHSA-2008:0937		     ff9d62f4e7b4b3065498ca63f084f71c
 
x86_64:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     d4c61974402d4a95ad77bf1eb837350f
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     7bff3f38344be659b135fae842303ae0
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     fced80c7c01ff6db29cbd090bc516b4f
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     d328339cf064b6c33a12077ed94c506d
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.src.rpm
File outdated by:  RHSA-2008:0937		     87d4f1fd6ca6b148140870504f0257b2
 
IA-32:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     0b2dd80ca58b7fcc5ad84f8e1ecd0e81
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     5c00544011bb0dacb4e41e79104d0f0e
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     fced80c7c01ff6db29cbd090bc516b4f
 
IA-64:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.ia64.rpm
File outdated by:  RHSA-2008:0937		     d16b549b7db56a64bcfb1b84d93a4c05
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.ia64.rpm
File outdated by:  RHSA-2008:0937		     8509e970c0d5775aeed6b63052d2b236
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     fced80c7c01ff6db29cbd090bc516b4f
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.ia64.rpm
File outdated by:  RHSA-2008:0937		     0a90a78354eaabe482197beee1252b65
 
x86_64:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     d4c61974402d4a95ad77bf1eb837350f
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     7bff3f38344be659b135fae842303ae0
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     fced80c7c01ff6db29cbd090bc516b4f
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     d328339cf064b6c33a12077ed94c506d
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.src.rpm
File outdated by:  RHSA-2008:0937		     87d4f1fd6ca6b148140870504f0257b2
 
IA-32:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     0b2dd80ca58b7fcc5ad84f8e1ecd0e81
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     5c00544011bb0dacb4e41e79104d0f0e
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     fced80c7c01ff6db29cbd090bc516b4f
 
IA-64:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.ia64.rpm
File outdated by:  RHSA-2008:0937		     d16b549b7db56a64bcfb1b84d93a4c05
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.ia64.rpm
File outdated by:  RHSA-2008:0937		     8509e970c0d5775aeed6b63052d2b236
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     fced80c7c01ff6db29cbd090bc516b4f
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.ia64.rpm
File outdated by:  RHSA-2008:0937		     0a90a78354eaabe482197beee1252b65
 
x86_64:
cups-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     d4c61974402d4a95ad77bf1eb837350f
cups-devel-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     7bff3f38344be659b135fae842303ae0
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.i386.rpm
File outdated by:  RHSA-2008:0937		     fced80c7c01ff6db29cbd090bc516b4f
cups-libs-1.1.22-0.rc1.9.20.2.el4_5.2.x86_64.rpm
File outdated by:  RHSA-2008:0937		     d328339cf064b6c33a12077ed94c506d
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

250161 - CVE-2007-4045 Incomplete fix for CVE-2007-0720 CUPS denial of service
345091 - CVE-2007-4351 cups boundary error
345101 - CVE-2007-4352 xpdf memory corruption in DCTStream::readProgressiveDataUnit()
345111 - CVE-2007-5392 xpdf buffer overflow in DCTStream::reset()
345121 - CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar()


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4045
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
http://www.redhat.com/security/updates/classification/#important

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/