CUPS-Filters Out-of-Bounds Write Vulnerability in PDF to Raster Conversion Tool

Vulnerability

A moderate out-of-bounds write vulnerability has been identified in the CUPS-Filters package, specifically in versions prior to 1.28.18. The issue arises in the 'pdftoraster' tool, which is used to convert PDF files to raster images for printing. By crafting a PDF with an excessively large 'MediaBox' width, an attacker can manipulate the 'pdftoraster' tool to write beyond the allocated memory bounds. This exploitation is made possible because the large 'MediaBox' value causes an integer overflow in the calculation of 'bytesPerLine', leading to a small buffer allocation. Consequently, the 'writePixel8' function attempts to write pixel data outside the designated buffer size, creating a potential security risk.
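The mechanism described above, as an added illustration written for this advisory (it is not the cups-filters implementation and does not use its identifiers): a line-size computation done in 32-bit unsigned arithmetic wraps for a huge page width and yields a tiny allocation, while a hardened version does the arithmetic in 64 bits, checks the product before multiplying, caps the line length, and bounds every pixel write. The names `bytes_per_line_unchecked`, `bytes_per_line_checked`, `write_pixel8_bounded`, `demo_bounded_write` and the `MAX_LINE_BYTES` cap are hypothetical, and the width/bpp inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a raster line-size computation, written for this
 * advisory as an illustration; it is not the cups-filters code. All names
 * here are hypothetical and the sample widths below are constructed. */

/* Assumption: a generous upper bound on one raster line, in bytes. */
#define MAX_LINE_BYTES (64u * 1024u * 1024u)

/* Unchecked pattern: width * bpp is evaluated in 32-bit unsigned arithmetic,
 * so a huge width wraps modulo 2^32 and yields a tiny (or zero) line size. */
unsigned int bytes_per_line_unchecked(unsigned int width_px, unsigned int bpp)
{
    return (width_px * bpp + 7u) / 8u;
}

/* Hardened version: 64-bit arithmetic, an explicit pre-multiplication
 * overflow check, and a sanity cap. Returns 0 to reject the geometry. */
size_t bytes_per_line_checked(uint64_t width_px, unsigned int bpp)
{
    if (width_px == 0 || bpp == 0 || bpp > 32)
        return 0;
    if (width_px > UINT64_MAX / bpp)              /* product would wrap */
        return 0;
    uint64_t bits = width_px * bpp;
    uint64_t bytes = bits / 8 + (bits % 8 ? 1 : 0); /* round up without a bits+7 overflow */
    if (bytes > MAX_LINE_BYTES)
        return 0;
    return (size_t)bytes;
}

/* Bounded 8-bit pixel write: refuses an out-of-range index instead of
 * corrupting the heap. Returns 0 on success, -1 when x is past the line. */
int write_pixel8_bounded(unsigned char *line, size_t line_len, size_t x, unsigned char v)
{
    if (line == NULL || x >= line_len)
        return -1;
    line[x] = v;
    return 0;
}

/* Demonstration: write `pixels` pixels into a line sized by the checked
 * computation. Returns how many writes were refused, or -1 if the geometry
 * itself was rejected or allocation failed. */
long demo_bounded_write(uint64_t width_px, size_t pixels)
{
    size_t len = bytes_per_line_checked(width_px, 8);
    if (len == 0)
        return -1;
    unsigned char *line = calloc(len, 1);
    if (line == NULL)
        return -1;
    long refused = 0;
    for (size_t x = 0; x < pixels; x++)
        if (write_pixel8_bounded(line, len, x, 0xFF) != 0)
            refused++;
    free(line);
    return refused;
}

int main(void)
{
    /* Constructed width of 2^30 pixels at 8 bpp: 2^33 bits wraps to 0 in 32-bit math. */
    printf("unchecked(2^30, 8)       = %u bytes\n", bytes_per_line_unchecked(1u << 30, 8));
    printf("unchecked(0x20000001, 8) = %u bytes\n", bytes_per_line_unchecked(0x20000001u, 8));
    printf("checked(2^30, 8)         = %zu (0 = rejected)\n", bytes_per_line_checked(1ull << 30, 8));
    printf("checked(100, 8)          = %zu\n", bytes_per_line_checked(100, 8));
    printf("refused writes, 4-byte line, 8 pixels: %ld\n", demo_bounded_write(4, 8));
    return 0;
}
```

The unchecked function is the pattern a reviewer should look for: any size that feeds an allocation and is derived from attacker-controlled document dimensions must be computed in a type wide enough for the worst case, checked against wrap before the multiply, and clamped to a bound the program is actually prepared to handle. The bounded writer is the second line of defence: even with a correct size, the per-pixel write should carry the buffer length so an arithmetic slip elsewhere turns into a refused write rather than heap corruption.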

Impact

Exploitation of this vulnerability causes a heap-buffer-overflow, a form of memory corruption that can lead to arbitrary code execution or to other memory-safety failures that could be exploited later.

Reproduction

The vulnerability can be reproduced by using a PDF file that has been crafted to include a large 'MediaBox' width value. This can be done by manually creating a PDF with the specified dimensions or by modifying an existing PDF. Once the PDF is prepared, the 'pdftoraster' tool can be run with the crafted PDF as input. When CUPS-Filters 1.x is built with AddressSanitizer enabled, this out-of-bounds write can be observed, as the AddressSanitizer will report the memory corruption error.

Remediation

Users can upgrade to CUPS-Filters version 1.28.18 or later to address this vulnerability. For those using 'libcupsfilters', version 2.1.2 or later is recommended.

Added: Nov 12, 2025, 10:19 PM
Updated: Nov 12, 2025, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.