oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: CUPS DoS via RSS subscriptions

From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Fri, 21 Nov 2008 08:20:00 +0300
Steve, good day.

Thu, Nov 20, 2008 at 07:41:06PM -0500, Steven M. Christey wrote:

I treated this as two CVEs, one for the CSRF-simplifying attack, and a
separate one for the CUPS server crash (assuming that cupsd should not be
crashable by non-root authenticated users).


Please note that as it was discuissed in thread started with
  http://www.openwall.com/lists/oss-security/2008/11/19/4
even 1.3.9 is crashable by non-root authenticated users by adding
a big number of subscriptions (don't know about RSS ones, though
subscription for mailing upon job completion does its job).  But
I imagine that CVE-2008-5184 can't be used for 1.3.9, so remote
attack is not feasible.

I expect that the fix will go into 1.3.10:
  http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt

Adding Michael Sweet to the CC, since he can shed a bit more light on
this matter.  Perhaps CVE-2008-5183 should be extended or another CVE
can be created.
-- 
Eygene
Previous By Date Next
Previous By Thread Next

Current thread: