mailing list archives
Re: Re: cups-browsed remote exploit
From: Tomas Hoger <thoger () redhat com>
Date: Thu, 19 Jun 2014 14:08:53 +0200
It seems this CVE request slipped through the cracks.
On Fri, 25 Apr 2014 15:24:15 -0500 Jamie Strandboge wrote:
On 04/02/2014 03:18 PM, cve-assign () mitre org wrote:
For this it creates a filter-script
"%s/filter/pdftoippprinter \"$1\" \"$2\" \"$3\" \"$4\" \"$5
$extra_options\"\n", p->name, pdl, make_model, cups_serverbin);
its easy to inject code to the script e.g. via model name or pdl
key which is taken from the LAN packets.
This issue was reported as fixed in 1.0.51:
but it was found that the fix was incomplete with the full fix in
Should this get a second CVE or should we continue to use
Note that there is another CVE needed for that commit, more specifically
for the "In addition, some fixes against OOB access are done." part.
That issue affects versions before 1.0.41 (which is the first version
affected by CVE-2014-2707) and can be used to crash cups-browsed
Furthermore, another security issue was also fixed in 1.0.53:
- cups-browsed: SECURITY FIX: Fix on usage of the
"BrowseAllow" directive in cups-browsed.conf. Before, if the
argument of a "BrowseAllow" directive is not understood it
is treated as the directive not having been there, allowing
any host if this was the only "BrowseAllow" directive. Now
we treat this as a directive which no host can fulfill, not
allowing any host if it was the only one. No "BrowseAllow"
directive means access for all, as before (Bug #1204).
I believe this should receive a CVE.
Tomas Hoger / Red Hat Security Response Team