oss-sec mailing list archives

CVE request: cups

From: Jonathan Smith <smithj () freethemallocs com>
Date: Wed, 20 Feb 2008 11:53:41 -0900

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, lets start actually using this list... below is an advisory from
secunia detailing a cups DoS.

Steve, could we get a CVE assigned?

Attached is the patch upstream used to fix it (against 1.1.23, but it is
the same for other versions, just with a different offset).

        smithj

Secunia Security Advisories wrote:
| TITLE:
| CUPS "process_browse_data()" Double Free Vulnerability
|
| SECUNIA ADVISORY ID:
| SA28994
|
| VERIFY ADVISORY:
| http://secunia.com/advisories/28994/
|
| CRITICAL:
| Moderately critical
|
| IMPACT:
| DoS, System access
|
| WHERE:
| From local network
|
| SOFTWARE:
| CUPS 1.x
| http://secunia.com/product/921/
|
| DESCRIPTION:
| A vulnerability has been discovered in CUPS, which can be exploited
| by malicious people to cause a DoS (Denial of Service) or to
| potentially compromise a vulnerable system.
|
| The vulnerability is caused due to an error within the
| "process_browse_data()" function when adding printers and classes.
| This can be exploited to free the same buffer twice by sending
| specially crafted browser packets to the UDP port on which cupsd is
| listening (by default port 631/UDP).
|
| Successful exploitation may allow execution of arbitrary code.
|
| The vulnerability is confirmed in version 1.3.5. Prior versions may
| also be affected.
|
| SOLUTION:
| Update to version 1.3.6.
|
| PROVIDED AND/OR DISCOVERED BY:
| Reported as a CUPS bug by h.blischke.
|
| ORIGINAL ADVISORY:
| http://www.cups.org/str.php?L2656
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.8 (GNU/Linux)

iEYEARECAAYFAke8k1UACgkQCG91qXPaRemo6ACgkzBRHnntL1EFvNm7vEjLVAna
Ym0An2Ptrg2M20FJL7WX+XYVJCDENJO4
=iA0l
-----END PGP SIGNATURE-----

diff -r f90ed3c96d46 scheduler/dirsvc.c
--- a/scheduler/dirsvc.c        Wed Feb 20 11:50:22 2008 -0900
+++ b/scheduler/dirsvc.c        Wed Feb 20 11:51:10 2008 -0900
@@ -193,6 +193,13 @@ ProcessBrowseData(const char   *uri,       /* 
 
     if (p == NULL)
     {
+     /*
+      * Make sure there is no old printer of same name defined
+      */
+
+      if ((p = cupsdFindPrinter(name)) != NULL)
+        cupsdDeletePrinter(p,1);
+
      /*
       * Class doesn't exist; add it...
       */

Attachment: cups-double-free.patch.sig
Description:

Current thread:

CVE request: cups Jonathan Smith (Feb 20)
- Re: CVE request: cups Josh Bressers (Feb 20)