The _WriteProlog function in texttops.c in texttops in the Text Filter subsystem in CUPS before 1.4.4 does not check the return values of certain calloc calls, which allows remote attackers to cause a denial of service (NULL pointer dereference or heap memory corruption) or possibly execute arbitrary code via a crafted file.
cups.org/articles.php?L596
cups.org/str.php?L3516
cups.org/strfiles/3516/str3516.patch
lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html
secunia.com/advisories/43521
security.gentoo.org/glsa/glsa-201207-10.xml
securitytracker.com/id?1024121
www.debian.org/security/2011/dsa-2176
www.mandriva.com/security/advisories?name=MDVSA-2010:232
www.mandriva.com/security/advisories?name=MDVSA-2010:234
www.securityfocus.com/bid/40943
www.vupen.com/english/advisories/2011/0535
bugzilla.redhat.com/show_bug.cgi?id=587746
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10365
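
The description above turns on calloc results that are used without a NULL check. The following C sketch is an added example, not code from CUPS or from str3516.patch: it puts that unchecked pattern beside a checked form. The cell_t type, the row-pointer page layout and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical character cell and page grid; illustrative, not CUPS source. */
typedef struct { unsigned short ch, attr; } cell_t;

/* Unchecked pattern, shown for contrast and never called here: if the first
   calloc fails, rows[0] is a NULL dereference; if the second fails, every
   row pointer is derived from NULL and later writes land at wild addresses. */
cell_t **page_alloc_unchecked(size_t lines, size_t columns)
{
    cell_t **rows = calloc(lines, sizeof(cell_t *));
    rows[0] = calloc(lines * columns, sizeof(cell_t));
    for (size_t i = 1; i < lines; i++)
        rows[i] = rows[0] + i * columns;
    return rows;
}

/* Checked form: validate the dimensions, test both results, undo partial work. */
cell_t **page_alloc(size_t lines, size_t columns)
{
    if (lines == 0 || columns == 0 || columns > SIZE_MAX / lines)
        return NULL;                  /* empty grid or lines * columns wraps */
    cell_t **rows = calloc(lines, sizeof(cell_t *));
    if (rows == NULL)
        return NULL;
    rows[0] = calloc(lines * columns, sizeof(cell_t));
    if (rows[0] == NULL) {
        free(rows);                   /* do not leak the row table */
        return NULL;
    }
    for (size_t i = 1; i < lines; i++)
        rows[i] = rows[0] + i * columns;
    return rows;
}

void page_free(cell_t **rows)
{
    if (rows != NULL) { free(rows[0]); free(rows); }
}

int main(void)
{
    cell_t **ok = page_alloc(66, 80);              /* constructed page size */
    cell_t **bad = page_alloc(SIZE_MAX / 2, 1);    /* forces calloc to fail */
    printf("normal page: %s, oversized page: %s\n",
           ok ? "allocated" : "failed", bad ? "allocated" : "rejected");
    page_free(ok);
    return bad == NULL ? 0 : 1;
}
```

A caller of page_alloc must treat NULL as a fatal filter error and stop processing the input file.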