Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Re: cups-browsed remote exploit
From: Jamie Strandboge <jamie () canonical com>
Date: Fri, 25 Apr 2014 15:24:15 -0500

On 04/02/2014 03:18 PM, cve-assign () mitre org wrote:
For this it creates a filter-script

snprintf

"%s/filter/pdftoippprinter \"$1\" \"$2\" \"$3\" \"$4\" \"$5 $extra_options\"\n",
p->name, pdl, make_model, cups_serverbin);

its easy to inject code to the script e.g. via model name or pdl key
which is taken from the LAN packets.

Use CVE-2014-2707.


This issue was reported as fixed in 1.0.51:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7188

but it was found that the fix was incomplete with the full fix in 1.0.53:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194

Should this get a second CVE or should we continue to use CVE-2014-2707?

Furthermore, another security issue was also fixed in 1.0.53:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7195

"
- cups-browsed: SECURITY FIX: Fix on usage of the
  "BrowseAllow" directive in cups-browsed.conf. Before, if the
  argument of a "BrowseAllow" directive is not understood it
  is treated as the directive not having been there, allowing
  any host if this was the only "BrowseAllow" directive. Now
  we treat this as a directive which no host can fulfill, not
  allowing any host if it was the only one. No "BrowseAllow"
  directive means access for all, as before (Bug #1204).
"

I believe this should receive a CVE.

Thanks

References:
https://bugzilla.novell.com/show_bug.cgi?id=871327
https://bugs.linuxfoundation.org/show_bug.cgi?id=1204

-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault