Ubuntu
cupsys package

[cupsys] [MDVSA-2008:050] multiple vulnerabilities

Bug #196404 reported by disabled.user on 2008-02-28

252

	Status	Importance	Assigned to
cupsys (Debian)	Fix Released	Unknown	debbugs #467653
cupsys (Fedora)	Fix Released	High	redhat-bugs #433758
cupsys (Ubuntu)	Fix Released	Undecided	Jamie Strandboge
Dapper	Fix Released	Undecided	Jamie Strandboge
Edgy	Fix Released	Undecided	Jamie Strandboge
Feisty	Fix Released	Undecided	Jamie Strandboge
Gutsy	Fix Released	Undecided	Jamie Strandboge

Bug Description

Binary package hint: cupsys

References:
MDVSA-2008:050 (http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:050)

Quoting:
"Dave Camp at Critical Path Software discovered a buffer overflow
in CUPS 1.1.23 and earlier could allow local admin users to execute
arbitrary code via a crafted URI to the CUPS service (CVE-2007-5848).

The Red Hat Security Team also found two flaws in CUPS 1.1.x where
a malicious user on the local subnet could send a set of carefully
crafted IPP packets to the UDP port in such a way as to cause CUPS
to crash (CVE-2008-0597) or consume memory and lead to a CUPS crash
(CVE-2008-0596).

Finally, another flaw was found in how CUPS handled the addition and
removal of remote printers via IPP that could allow a remote attacker
to send a malicious IPP packet to the UDP port causing CUPS to crash
(CVE-2008-0882)."

CVE References

Revision history for this message

In Red Hat Bugzilla #433758, Tomas (tomas-redhat-bugs) wrote on 2008-02-21:

Secunia has released and advisory affecting cups printing system:

http://secunia.com/advisories/28994/

  Description:
  A vulnerability has been discovered in CUPS, which can be exploited by
  malicious people to cause a DoS (Denial of Service) or to potentially
  compromise a vulnerable system.

  The vulnerability is caused due to an error within the
  "process_browse_data()" function when adding printers and classes. This
  can be exploited to free the same buffer twice by sending specially
  crafted browser packets to the UDP port on which cupsd is listening (by
  default port 631/UDP).

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 1.3.5. Prior versions may also
be affected.

Solution:
Update to version 1.3.6.

Upstream bug report:
http://www.cups.org/str.php?L2656

Upstream patch:
http://www.cups.org/strfiles/2656/str2656.patch

Revision history for this message

In Red Hat Bugzilla #433758, Tomas (tomas-redhat-bugs) wrote on 2008-02-21:

Further info from Tim Waugh:

  In Red Hat Enterprise Linux 3, 4 and 5 we ship with 'BrowseAllow
  @LOCAL' (the upstream default at the time), which causes CUPS to drop
  UDP Browse packets from source IP addresses not matching a local subnet
  (i.e. interface address & netmask, for each interface).

In Fedora we ship with 'BrowseAll All' in the CUPS configuration,
which allows all UDP Browse packets in.

Communication to 631/udp is allowed by default in iptables configuration.

Revision history for this message

In Red Hat Bugzilla #433758, Mark (mark-redhat-bugs) wrote on 2008-02-21:

We've determined through source code analysis that the older versions of CUPS as
shipped in Red Hat Enterprise Linux 3 and 4 do not contain the code that can
cause this double-free to occur. We also tested this using a reproducer.

Red Hat Enterprise Linux 5 does have the double-free and we can cause CUPS to
remotely crash using an internal reproducer. However the glibc pointer checking
as part of Enterprise Linux 5 limits the exploitability of this issue to just a
crash of CUPS and not the ability to execute arbitrary code.

Revision history for this message

In Red Hat Bugzilla #433758, Fedora (fedora-redhat-bugs) wrote on 2008-02-22:

#10

cups-1.2.12-9.fc7 has been submitted as an update for Fedora 7

Revision history for this message

In Red Hat Bugzilla #433758, Fedora (fedora-redhat-bugs) wrote on 2008-02-26:

#11

cups-1.3.6-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message

In Red Hat Bugzilla #433758, Fedora (fedora-redhat-bugs) wrote on 2008-02-26:

#12

cups-1.2.12-9.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message

In Red Hat Bugzilla #433758, Red (red-redhat-bugs) wrote on 2008-02-26:

#13

This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0157.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1976
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1901

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-03-26:

CVE-2007-5848 does not affect Ubuntu (1.2 and higher have different code. CVE-2008-0886 is a duplicate of CVE-2008-0882.

Changed in cupsys:
assignee:	nobody → jamie-strandboge
status:	New → In Progress

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-03-26:

CVE-2008-0047 already fixed in hardy 1.3.6-3ubuntu1.

Changed in cupsys:
assignee:	nobody → jamie-strandboge
status:	New → In Progress
assignee:	nobody → jamie-strandboge
status:	New → In Progress
assignee:	nobody → jamie-strandboge
status:	New → In Progress

Jamie Strandboge (jdstrand) on 2008-03-26

Changed in cupsys:
assignee:	nobody → jamie-strandboge
status:	New → In Progress

Revision history for this message

disabled.user (disabled.user-deactivatedaccount) wrote on 2008-04-01:

See also:
DSA-1530-1 (http://www.debian.org/security/2008/dsa-1530)

Jamie Strandboge (jdstrand) on 2008-04-02

Changed in cupsys:
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-04-04:

http://www.ubuntu.com/usn/usn-598-1

Changed in cupsys:
status:	Fix Committed → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-04-04:

CVE-2008-0596 and CVE-2008-0597 are cupsys 1.1 only

Changed in cupsys:
status:	Fix Committed → Fix Released
status:	Fix Committed → Fix Released
status:	Fix Committed → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-04-04:

Hardy updated to 1.3.7-1ubuntu1 which is not vulnerable to any of these CVEs.

Changed in cupsys:
status:	In Progress → Fix Released

Bug Watch Updater (bug-watch-updater) on 2008-04-04

Changed in cupsys:
status:	Unknown → Fix Released

Bug Watch Updater (bug-watch-updater) on 2008-04-29

Changed in cupsys:
status:	Unknown → Fix Released

Bug Watch Updater (bug-watch-updater) on 2017-10-27

Changed in cupsys (Fedora):
importance:	Unknown → High

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #467653
[done grave patch security] Edit
redhat-bugs #433758
[CLOSED CURRENTRELEASE] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntucupsys package

[cupsys] [MDVSA-2008:050] multiple vulnerabilities

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
cupsys package