oss-sec mailing list archives
Re: CVE request: CUPS DoS via RSS subscriptions
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 20 Nov 2008 19:41:06 -0500 (EST)
On Wed, 19 Nov 2008, Kees Cook wrote:
I'd like to get a CVE assigned for the RSS subscription DoS mentioned here[1]. It seems that CUPS upstream already fixed[2] the issue[3] in their 1.3.8 release. Prior to 1.3.8, the server can be made to crash when visiting a malicious website due to CUPS general CSRF issues.
I treated this as two CVEs, one for the CSRF-simplifying attack, and a separate one for the CUPS server crash (assuming that cupsd should not be crashable by non-root authenticated users). - Steve ====================================================== Name: CVE-2008-5183 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183 Reference: MISC:http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/ Reference: CONFIRM:https://bugs.launchpad.net/ubuntu/+source/cups/+bug/298241 Reference: MLIST:[oss-security] 20081119 CVE request: CUPS DoS via RSS subscriptions Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/19/3 Reference: MLIST:[oss-security] 20081119 Re: CVE request: CUPS DoS via RSS subscriptions Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/19/4 cupsd in CUPS before 1.3.8 allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference. NOTE: this issue can be triggered remotely by leveraging CVE-2008-5184. ====================================================== Name: CVE-2008-5184 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5184 Reference: MISC:http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/ Reference: CONFIRM:http://www.cups.org/str.php?L2774 Reference: MLIST:[oss-security] 20081119 CVE request: CUPS DoS via RSS subscriptions Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/19/3 The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username when a user is not logged on to the web server, which makes it easier for remote attackers to bypass intended policy and conduct CSRF attacks via the (1) add and (2) cancel RSS subscription functions.
Current thread:
- CVE request: CUPS DoS via RSS subscriptions Kees Cook (Nov 19)
- Re: CVE request: CUPS DoS via RSS subscriptions Steven M. Christey (Nov 20)
- Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 20)
- Re: CVE request: CUPS DoS via RSS subscriptions Michael Sweet (Nov 21)
- Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Jan Lieskovsky (Nov 25)
- Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Eygene Ryabinkin (Nov 25)
- Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Tomas Hoger (Nov 25)
- Message not available
- Message not available
- Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions] Tomas Hoger (Dec 03)
- Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 20)
- Re: CVE request: CUPS DoS via RSS subscriptions Steven M. Christey (Nov 20)
- <Possible follow-ups>
- Re: CVE request: CUPS DoS via RSS subscriptions Josh Bressers (Nov 19)
- Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 19)
- Re: CVE request: CUPS DoS via RSS subscriptions Michael Sweet (Nov 19)
- Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 20)
- Re: CVE request: CUPS DoS via RSS subscriptions Eygene Ryabinkin (Nov 19)