Date: Wed, 20 Feb 2008 11:53:41 -0900
From: Jonathan Smith <smithj@...ethemallocs.com>
To:  oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: cups

OK, let's start actually using this list... below is an advisory from
Secunia detailing a cups DoS.

Steve, could we get a CVE assigned?

Attached is the patch upstream used to fix it (against 1.1.23, but it is
the same for other versions, just with a different offset).

	smithj

Secunia Security Advisories wrote:
| TITLE:
| CUPS "process_browse_data()" Double Free Vulnerability
|
| SECUNIA ADVISORY ID:
| SA28994
|
| VERIFY ADVISORY:
| http://secunia.com/advisories/28994/
|
| CRITICAL:
| Moderately critical
|
| IMPACT:
| DoS, System access
|
| WHERE:
| From local network
|
| SOFTWARE:
| CUPS 1.x
| http://secunia.com/product/921/
|
| DESCRIPTION:
| A vulnerability has been discovered in CUPS, which can be exploited
| by malicious people to cause a DoS (Denial of Service) or to
| potentially compromise a vulnerable system.
|
| The vulnerability is caused due to an error within the
| "process_browse_data()" function when adding printers and classes.
| This can be exploited to free the same buffer twice by sending
| specially crafted browser packets to the UDP port on which cupsd is
| listening (by default port 631/UDP).
|
| Successful exploitation may allow execution of arbitrary code.
|
| The vulnerability is confirmed in version 1.3.5. Prior versions may
| also be affected.
|
| SOLUTION:
| Update to version 1.3.6.
|
| PROVIDED AND/OR DISCOVERED BY:
| Reported as a CUPS bug by h.blischke.
|
| ORIGINAL ADVISORY:
| http://www.cups.org/str.php?L2656

diff -r f90ed3c96d46 scheduler/dirsvc.c
--- a/scheduler/dirsvc.c	Wed Feb 20 11:50:22 2008 -0900
+++ b/scheduler/dirsvc.c	Wed Feb 20 11:51:10 2008 -0900
@@ -193,6 +193,13 @@ ProcessBrowseData(const char   *uri,	/* 
 
     if (p == NULL)
     {
+     /*
+      * Make sure there is no old printer of same name defined
+      */
+
+      if ((p = cupsdFindPrinter(name)) != NULL)
+        cupsdDeletePrinter(p,1);
+
      /*
       * Class doesn't exist; add it...
       */
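
Review bot: in the added block, `p` still points at the printer that `cupsdDeletePrinter(p,1)` has just deleted, and the "Class doesn't exist; add it..." code below is now reached with `p` non-NULL. That code is not visible in this hunk; unless it reassigns `p` unconditionally before any use, it works on a stale pointer, so put the two statements in braces and add `p = NULL;` after the delete. The block also deletes whatever `cupsdFindPrinter(name)` returns without checking what kind of entry it is or where it was defined, so incoming browse data with a colliding name removes the existing entry; add a check on the found entry before deleting, or extend the comment to say why none is needed and what the `1` argument selects.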
