oss-sec mailing list archives
[vs] CVE-2023-32324 heap buffer overflow in cupsd
From: Zdenek Dohnal <zdohnal () redhat com>
Date: Thu, 1 Jun 2023 12:35:16 +0200
Hi all, there is currently an embargoed CVE-2023-32324 in the cups project:

Summary

A heap buffer overflow vulnerability would allow a remote attacker to launch a DoS attack.

Details

A buffer overflow vulnerability in the function format_log_line could allow remote attackers to cause a denial-of-service (DoS) on the affected system (not verified for possible arbitrary code execution).
The vulnerability affects the commit #c0c4037 and the latest commit #4310a07 on the GitHub master branch as well as the latest release version v2.4.2. I have only tested these versions so far.
Exploitation of the vulnerability can be triggered when the configuration file cupsd.conf sets the value of LogLevel to DEBUG if the log location is set to a file.
Reproduce

$ git clone https://github.com/OpenPrinting/cups.git
$ cd cups
$ CFLAGS="-g -fsanitize=address -fPIE" CXXFLAGS="-g -fsanitize=address -fPIE" LDFLAGS="-fsanitize=address" ./configure --with-tls=no --disable-shared
# Now compile cups
$ make -j
# Adjust conf/cupsd.conf to reproduce the crash - enable debug logging to a file and set cupsd to listen on port 8631
$ sed -i 's,LogLevel warn,LogLevel debug,' conf/cupsd.conf
$ sed -i 's,Listen localhost:631,Listen localhost:8631,' conf/cupsd.conf

Run cups and replay the crash.raw:

$ sudo ./scheduler/cupsd -c conf/cupsd.conf -f
$ nc 127.0.0.1 8631 < ./crash.raw

cupsd crashes after the last command and generates the attached ASAN report.

PoC: crash.raw attached

Impact

Heap buffer overflow.

Patch

Committed as https://github.com/OpenPrinting/cups/commit/fd8bc2d32589d1fd91fe1c0521be2a7c0462109e
For the OpenPrinting CUPS community,
Zdenek Dohnal (CUPS 2.4.x release manager)

--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC
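A defender-side exposure check, added here as an example and not part of the advisory or of CUPS itself: it parses cupsd.conf (and cups-files.conf, where CUPS 2.x is assumed to keep the ErrorLog directive) and flags the trigger condition the advisory names, debug logging combined with a log written to a file. The sample configuration fragments are constructed, and the default ErrorLog path and the treatment of debug2 as including debug output are assumptions.

```python
from typing import Dict

# Constructed cupsd.conf fragment (not from the advisory) with the exposed setting.
SAMPLE_CUPSD_CONF = """\
LogLevel debug
Listen localhost:631
<Location />
  Order allow,deny
</Location>
"""

# Constructed cups-files.conf fragment; on CUPS 2.x the ErrorLog directive is assumed
# to live in this file, and the log goes to a file unless it names syslog or stderr.
SAMPLE_CUPS_FILES_CONF = "ErrorLog /var/log/cups/error_log\n"

# Assumed cupsd log levels that emit debug output ("debug2" is a superset of "debug").
DEBUG_LEVELS = {"debug", "debug2"}


def parse_directives(text: str) -> Dict[str, str]:
    """Map each directive name (lower-cased) to its last value; section tags are skipped."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip()
    return directives


def error_log_is_file(files_conf: Dict[str, str]) -> bool:
    """ErrorLog defaults to a file (assumed path); 'syslog'/'stderr' divert it elsewhere."""
    target = files_conf.get("errorlog", "/var/log/cups/error_log").lower()
    return target not in {"syslog", "stderr"}


def assess(cupsd_conf: str, cups_files_conf: str) -> Dict[str, object]:
    """Report whether the configuration matches the trigger condition in the advisory."""
    main = parse_directives(cupsd_conf)
    level = main.get("loglevel", "warn").lower()  # cupsd's default LogLevel is warn
    to_file = error_log_is_file(parse_directives(cups_files_conf))
    exposed = level in DEBUG_LEVELS and to_file
    advice = "set 'LogLevel warn' until cupsd includes commit fd8bc2d" if exposed else "ok"
    return {"loglevel": level, "errorlog_is_file": to_file, "exposed": exposed, "advice": advice}


if __name__ == "__main__":
    print(assess(SAMPLE_CUPSD_CONF, SAMPLE_CUPS_FILES_CONF))
```

Lowering LogLevel only removes the trigger condition; the fix itself is the referenced commit, so the check is a stopgap until the scheduler is updated.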
Attachments: 0001-Consensus-fix.patch, asan_report.txt, crash.raw