oss-sec mailing list archives

CVE request: CUPS DoS via RSS subscriptions

From: Kees Cook <kees () ubuntu com>
Date: Wed, 19 Nov 2008 11:07:45 -0800

Hello!

I'd like to get a CVE assigned for the RSS subscription DoS mentioned
here[1].  It seems that CUPS upstream already fixed[2] the issue[3] in
their 1.3.8 release.  Prior to 1.3.8, the server can be made to crash
when visiting a malicious website due to CUPS general CSRF issues.

Thanks,

-Kees

[1] https://bugs.launchpad.net/ubuntu/+source/cups/+bug/298241
    http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/
[2] http://www.cups.org/strfiles/2774/str2774.patch
[3] http://www.cups.org/str.php?L2774

-- 
Kees Cook
Ubuntu Security Team

Current thread:

CVE request: CUPS DoS via RSS subscriptions Kees Cook (Nov 19)
- Re: CVE request: CUPS DoS via RSS subscriptions Steven M. Christey (Nov 20)
  - Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 20)
    - Re: CVE request: CUPS DoS via RSS subscriptions Michael Sweet (Nov 21)
    - Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Jan Lieskovsky (Nov 25)
    - Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Eygene Ryabinkin (Nov 25)
    - Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Tomas Hoger (Nov 25)
    - Message not available
    - Message not available
    - Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Tomas Hoger (Dec 03)
- <Possible follow-ups>
- Re: CVE request: CUPS DoS via RSS subscriptions Josh Bressers (Nov 19)
  - Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 19)
    - Re: CVE request: CUPS DoS via RSS subscriptions Michael Sweet (Nov 19)

(Thread continues...)