oss-sec mailing list archives

[vs] CVE-2023-32324 heap buffer overflow in cupsd


From: Zdenek Dohnal <zdohnal () redhat com>
Date: Thu, 1 Jun 2023 12:35:16 +0200

Hi all,

there is currently an embargoed CVE-2023-32324 in the cups project:


     Summary

A heap buffer overflow vulnerability would allow a remote attacker to launch a DoS attack.


     Details

A buffer overflow vulnerability in the function format_log_line could allow remote attackers to cause a denial-of-service (DoS) on the affected system (not verified for possible arbitrary code execution).

The vulnerability affects the commit #c0c4037 and the latest commit #4310a07 on the GitHub master branch as well as the latest release version v2.4.2. I have only tested these versions so far.

Exploitation of the vulnerability can be triggered when the configuration file cupsd.conf sets the value of LogLevel to DEBUG if the log location is set to a file.
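A defender-side check for the trigger condition named above (LogLevel debug combined with logging to a file). This is an added example, not code from the advisory or from the CUPS project; it assumes the CUPS 2.x layout in which LogLevel lives in cupsd.conf and ErrorLog lives in cups-files.conf, and the sample configuration text is constructed.

```python
"""Flag a cupsd logging configuration that matches the advisory's trigger
condition: LogLevel debug with the error log written to a file.

Assumptions (not stated in the advisory): CUPS 2.x keeps LogLevel in
cupsd.conf and ErrorLog in cups-files.conf; an unset ErrorLog defaults to
the file /var/log/cups/error_log; debug2 is treated like debug because it
is the more verbose superset of that level.
"""
from typing import Optional


def get_directive(conf_text: str, name: str) -> Optional[str]:
    """Return the value of the last `name` directive (case-insensitive),
    skipping comments and blank lines. None if the directive is absent."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            value = parts[1].strip()
    return value


def logs_to_file(error_log: Optional[str]) -> bool:
    """cupsd writes to a file unless ErrorLog is 'syslog' or 'stderr'.
    An unset ErrorLog (the default, /var/log/cups/error_log) is a file too."""
    if error_log is None:
        return True
    return error_log.lower() not in ("syslog", "stderr")


def exposed_logging_config(cupsd_conf: str, cups_files_conf: str) -> bool:
    """True when LogLevel is debug (or debug2) and the error log is a file."""
    level = (get_directive(cupsd_conf, "LogLevel") or "warn").lower()
    return level.startswith("debug") and logs_to_file(
        get_directive(cups_files_conf, "ErrorLog"))


if __name__ == "__main__":
    # Constructed sample input mirroring the reproduce step in the advisory.
    sample_cupsd_conf = "# Sample config\nLogLevel debug\nListen localhost:8631\n"
    sample_cups_files_conf = "ErrorLog /var/log/cups/error_log\n"
    print("trigger condition present:",
          exposed_logging_config(sample_cupsd_conf, sample_cups_files_conf))
```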


     Reproduce

$ git clone https://github.com/OpenPrinting/cups.git
$ cd cups
$ CFLAGS="-g -fsanitize=address -fPIE" CXXFLAGS="-g -fsanitize=address -fPIE" LDFLAGS="-fsanitize=address" ./configure \
    --with-tls=no --disable-shared

# Now compile cups
$ make -j

# Adjust conf/cupsd.conf to reproduce the crash - enable debug logging to a file and set cupsd to listen on port 8631
$ sed -i 's,LogLevel warn,LogLevel debug,' conf/cupsd.conf
$ sed -i 's,Listen localhost:631,Listen localhost:8631,' conf/cupsd.conf

Run cups and replay the crash.raw

$ sudo ./scheduler/cupsd -c conf/cupsd.conf -f
$ nc 127.0.0.1 8631 < ./crash.raw

cupsd crashes after the last command and generates the attached ASAN report.


     PoC

crash.raw attached


     Impact

Heap buffer overflow.

*Patch*

Committed as https://github.com/OpenPrinting/cups/commit/fd8bc2d32589d1fd91fe1c0521be2a7c0462109e


For OpenPrinting CUPS community,

Zdenek Dohnal (CUPS 2.4.x release manager)

--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC

Attachment: 0001-Consensus-fix.patch

Attachment: asan_report.txt

Attachment: crash.raw