oss-sec mailing list archives
Re: CVE request: CUPS DoS via RSS subscriptions
From: Josh Bressers <bressers () redhat com>
Date: Wed, 19 Nov 2008 15:14:43 -0500 (EST)
----- "Kees Cook" <kees () ubuntu com> wrote:
> Hello!
>
> I'd like to get a CVE assigned for the RSS subscription DoS mentioned
> here[1]. It seems that CUPS upstream already fixed[2] the issue[3] in
> their 1.3.8 release. Prior to 1.3.8, the server can be made to crash
> when visiting a malicious website due to CUPS general CSRF issues.
>
> Thanks,
>
> -Kees
>
> [1] https://bugs.launchpad.net/ubuntu/+source/cups/+bug/298241
>     http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/
> [2] http://www.cups.org/strfiles/2774/str2774.patch
> [3] http://www.cups.org/str.php?L2774
So from looking at cups 1.3.7 on Fedora 8, here is what I see:

(gdb) bt
#0  create_subscription (con=0xb88975c0, uri=0xb889ae00) at ipp.c:5858
#1  0xb7facba7 in cupsdProcessIPPRequest (con=0xb88975c0) at ipp.c:615
#2  0xb7f88bfc in cupsdReadClient (con=0xb88975c0) at client.c:2253
#3  0xb7fc0606 in cupsdDoSelect (timeout=1) at select.c:537
#4  0xb7f98710 in main (argc=1, argv=0xbfdd6194) at main.c:817
(gdb) list
5853          else if (printer)
5854            cupsdLogMessage(CUPSD_LOG_DEBUG,
5855                            "Added subscription %d for printer \"%s\"",
5856                            sub->id, printer->name);
5857          else
5858            cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for server",
5859                            sub->id);
5860
5861          sub->interval = interval;
5862          sub->lease    = lease;
(gdb) print sub
$1 = (cupsd_subscription_t *) 0x0

It would appear to be a NULL pointer dereference. It seems that this call a few lines above the snippet shown above:

    sub = cupsdAddSubscription(mask, printer, job, recipient, 0);

will return NULL when the hardcoded value of 100 subscriptions is hit. So really the issue here is a lack of error checking which results in a NULL dereference crash. The upstream fix could still obviously let a local authenticated user crash the server.

I'm not sure why yet, but this doesn't crash cups 1.2.4 for me (which it should).

-- JB
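The missing return-value check that the message above identifies, as an added C example that is not CUPS source: a constructed fixed-size subscription table whose add function returns NULL at the hard limit of 100 the thread describes, with the unchecked handler (the 1.3.7 behaviour) beside a checked one. The names add_subscription, create_subscription_unchecked and create_subscription_checked are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the server's hardcoded subscription limit. */
#define MAX_SUBSCRIPTIONS 100

typedef struct {
    int  id;
    char recipient[64];
} subscription_t;

static subscription_t table[MAX_SUBSCRIPTIONS];
static int num_subscriptions = 0;

/* Modelled on what the thread says about cupsdAddSubscription:
 * returns NULL, rather than an entry, once the table is full. */
subscription_t *add_subscription(const char *recipient)
{
    if (num_subscriptions >= MAX_SUBSCRIPTIONS)
        return NULL;
    subscription_t *sub = &table[num_subscriptions];
    sub->id = num_subscriptions + 1;
    snprintf(sub->recipient, sizeof sub->recipient, "%s", recipient);
    num_subscriptions++;
    return sub;
}

void reset_subscriptions(void) { num_subscriptions = 0; }

/* Handler with the defect the gdb session shows: the pointer is used
 * without a check, so the 101st request dereferences NULL and crashes. */
int create_subscription_unchecked(const char *recipient)
{
    subscription_t *sub = add_subscription(recipient);
    return sub->id;                 /* sub == NULL once the table is full */
}

/* Hardened handler: reject the request (a real server would return an
 * IPP error status) instead of dereferencing a NULL result. */
int create_subscription_checked(const char *recipient)
{
    subscription_t *sub = add_subscription(recipient);
    if (sub == NULL) {
        fprintf(stderr, "subscription limit %d reached, rejecting request\n",
                MAX_SUBSCRIPTIONS);
        return -1;
    }
    return sub->id;
}
```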