oss-sec mailing list archives

Re: CVE request: CUPS DoS via RSS subscriptions


From: Josh Bressers <bressers () redhat com>
Date: Wed, 19 Nov 2008 15:14:43 -0500 (EST)


----- "Kees Cook" <kees () ubuntu com> wrote:

Hello!

I'd like to get a CVE assigned for the RSS subscription DoS mentioned
here[1].  It seems that CUPS upstream already fixed[2] the issue[3] in
their 1.3.8 release.  Prior to 1.3.8, the server can be made to crash
when visiting a malicious website due to CUPS general CSRF issues.

Thanks,

-Kees

[1] https://bugs.launchpad.net/ubuntu/+source/cups/+bug/298241
    http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/
[2] http://www.cups.org/strfiles/2774/str2774.patch
[3] http://www.cups.org/str.php?L2774


So from looking at cups 1.3.7 on Fedora 8, here is what I see:

(gdb) bt
#0  create_subscription (con=0xb88975c0, uri=0xb889ae00) at ipp.c:5858
#1  0xb7facba7 in cupsdProcessIPPRequest (con=0xb88975c0) at ipp.c:615
#2  0xb7f88bfc in cupsdReadClient (con=0xb88975c0) at client.c:2253
#3  0xb7fc0606 in cupsdDoSelect (timeout=1) at select.c:537
#4  0xb7f98710 in main (argc=1, argv=0xbfdd6194) at main.c:817
(gdb) list
5853        else if (printer)
5854          cupsdLogMessage(CUPSD_LOG_DEBUG,
5855                          "Added subscription %d for printer \"%s\"",
5856                          sub->id, printer->name);
5857        else
5858          cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for server",
5859                          sub->id);
5860
5861        sub->interval = interval;
5862        sub->lease    = lease;
(gdb) print sub
$1 = (cupsd_subscription_t *) 0x0

It would appear to be a NULL pointer dereference.  It seems that this call a
few lines above the snippet shown above:
 sub = cupsdAddSubscription(mask, printer, job, recipient, 0);

will return NULL when the hardcoded value of 100 subscriptions is hit.  So really
the issue here is a lack of error checking which results in a NULL dereference
crash.  The upstream fix could still obviously let a local authenticated user
crash the server.

I'm not sure why yet, but this doesn't crash cups 1.2.4 for me (which it should).

-- 
    JB
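The failure mode described in the reply, modelled as an added C example rather than CUPS's own code: `add_subscription`, the status values and the 100-entry cap are stand-ins for `cupsdAddSubscription()`, its IPP status codes and the hardcoded limit, with the unchecked `create_subscription` pattern next to a version that refuses the request once the table is full.

```c
#include <stdlib.h>

/* Modelled subscription table (not CUPS's): the cap stands in for the
 * hardcoded 100-subscription limit the thread describes. */
#define MAX_SUBSCRIPTIONS 100

typedef struct { int id; int interval; int lease; } subscription_t;

static subscription_t *subscriptions[MAX_SUBSCRIPTIONS];
static int num_subscriptions = 0;

/* Stand-in for cupsdAddSubscription(): returns NULL once the table is full. */
subscription_t *add_subscription(void)
{
    if (num_subscriptions >= MAX_SUBSCRIPTIONS)
        return NULL;
    subscription_t *sub = calloc(1, sizeof *sub);
    if (!sub)
        return NULL;
    sub->id = num_subscriptions + 1;
    subscriptions[num_subscriptions++] = sub;
    return sub;
}

/* Hypothetical status codes for this example (not CUPS's ipp_status_t). */
enum { STATUS_OK = 0, STATUS_TOO_MANY_SUBSCRIPTIONS = 1 };

/* Vulnerable pattern: the return value is used without a NULL check, so the
 * 101st request dereferences NULL, matching the gdb session above. */
int create_subscription_unchecked(int interval, int lease)
{
    subscription_t *sub = add_subscription();
    sub->interval = interval;   /* crashes here when sub == NULL */
    sub->lease    = lease;
    return STATUS_OK;
}

/* Hardened pattern: report the exhausted table instead of dereferencing NULL. */
int create_subscription_checked(int interval, int lease)
{
    subscription_t *sub = add_subscription();
    if (!sub)
        return STATUS_TOO_MANY_SUBSCRIPTIONS;
    sub->interval = interval;
    sub->lease    = lease;
    return STATUS_OK;
}

/* Frees every entry so the table can be refilled. */
void reset_subscriptions(void)
{
    for (int i = 0; i < num_subscriptions; i++)
        free(subscriptions[i]);
    num_subscriptions = 0;
}
```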

