oss-sec mailing list archives
CVE request: cups
From: Jonathan Smith <smithj () freethemallocs com>
Date: Wed, 20 Feb 2008 11:53:41 -0900
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, let's start actually using this list... below is an advisory from
secunia detailing a cups DoS. Steve, could we get a CVE assigned?

Attached is the patch upstream used to fix it (against 1.1.23, but it is
the same for other versions, just with a different offset).

smithj

Secunia Security Advisories wrote:
| TITLE:
| CUPS "process_browse_data()" Double Free Vulnerability
|
| SECUNIA ADVISORY ID:
| SA28994
|
| VERIFY ADVISORY:
| http://secunia.com/advisories/28994/
|
| CRITICAL:
| Moderately critical
|
| IMPACT:
| DoS, System access
|
| WHERE:
| From local network
|
| SOFTWARE:
| CUPS 1.x
| http://secunia.com/product/921/
|
| DESCRIPTION:
| A vulnerability has been discovered in CUPS, which can be exploited
| by malicious people to cause a DoS (Denial of Service) or to
| potentially compromise a vulnerable system.
|
| The vulnerability is caused due to an error within the
| "process_browse_data()" function when adding printers and classes.
| This can be exploited to free the same buffer twice by sending
| specially crafted browser packets to the UDP port on which cupsd is
| listening (by default port 631/UDP).
|
| Successful exploitation may allow execution of arbitrary code.
|
| The vulnerability is confirmed in version 1.3.5. Prior versions may
| also be affected.
|
| SOLUTION:
| Update to version 1.3.6.
|
| PROVIDED AND/OR DISCOVERED BY:
| Reported as a CUPS bug by h.blischke.
|
| ORIGINAL ADVISORY:
| http://www.cups.org/str.php?L2656

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.8 (GNU/Linux)

iEYEARECAAYFAke8k1UACgkQCG91qXPaRemo6ACgkzBRHnntL1EFvNm7vEjLVAna
Ym0An2Ptrg2M20FJL7WX+XYVJCDENJO4
=iA0l
-----END PGP SIGNATURE-----
diff -r f90ed3c96d46 scheduler/dirsvc.c --- a/scheduler/dirsvc.c Wed Feb 20 11:50:22 2008 -0900 +++ b/scheduler/dirsvc.c Wed Feb 20 11:51:10 2008 -0900 @@ -193,6 +193,13 @@ ProcessBrowseData(const char *uri, /* if (p == NULL) { + /* + * Make sure there is no old printer of same name defined + */ + + if ((p = cupsdFindPrinter(name)) != NULL) + cupsdDeletePrinter(p,1); + /* * Class doesn't exist; add it... */
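
Review bot: in the block added under `if (p == NULL)`, `cupsdDeletePrinter(p,1)` leaves `p` holding a pointer to the printer that was just deleted, and the context shown ends at the "Class doesn't exist; add it..." comment before any reassignment of `p` is visible. Either set `p = NULL` right after the delete or confirm that the add path assigns `p` unconditionally before anything reads it, since a stale pointer at this spot would bring back the kind of bug the patch is meant to close. The lookup also deletes whatever `cupsdFindPrinter(name)` returns without checking what kind of entry it is; the new comment should say why removing any same-named printer is safe when the name comes from browse data, and what the second argument `1` means.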