oss-sec mailing list archives
Re: CVE request: CUPS DoS via RSS subscriptions
From: Josh Bressers <bressers () redhat com>
Date: Wed, 19 Nov 2008 15:14:43 -0500 (EST)
----- "Kees Cook" <kees () ubuntu com> wrote:
Hello!

I'd like to get a CVE assigned for the RSS subscription DoS mentioned
here[1]. It seems that CUPS upstream already fixed[2] the issue[3] in their
1.3.8 release. Prior to 1.3.8, the server can be made to crash when visiting
a malicious website due to CUPS general CSRF issues.

Thanks,

-Kees

[1] https://bugs.launchpad.net/ubuntu/+source/cups/+bug/298241
    http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/
[2] http://www.cups.org/strfiles/2774/str2774.patch
[3] http://www.cups.org/str.php?L2774
So from looking at cups 1.3.7 on Fedora 8, here is what I see:
(gdb) bt
#0 create_subscription (con=0xb88975c0, uri=0xb889ae00) at ipp.c:5858
#1 0xb7facba7 in cupsdProcessIPPRequest (con=0xb88975c0) at ipp.c:615
#2 0xb7f88bfc in cupsdReadClient (con=0xb88975c0) at client.c:2253
#3 0xb7fc0606 in cupsdDoSelect (timeout=1) at select.c:537
#4 0xb7f98710 in main (argc=1, argv=0xbfdd6194) at main.c:817
(gdb) list
5853 else if (printer)
5854 cupsdLogMessage(CUPSD_LOG_DEBUG,
5855 "Added subscription %d for printer \"%s\"",
5856 sub->id, printer->name);
5857 else
5858 cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for server",
5859 sub->id);
5860
5861 sub->interval = interval;
5862 sub->lease = lease;
(gdb) print sub
$1 = (cupsd_subscription_t *) 0x0
It would appear to be a NULL pointer dereference. It seems that this call a
few lines above the snippet shown above:
sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
will return NULL when the hardcoded value of 100 subscriptions is hit. So really
the issue here is a lack of error checking which results in a NULL dereference
crash. The upstream fix could still obviously let a local authenticated user
crash the server.
I'm not sure why yet, but this doesn't crash cups 1.2.4 for me (which it should).
--
JB
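The failure mode Josh describes above, as an added example in C that is not CUPS source: a simplified subscription table with the same hardcoded cap of 100 entries, an allocator that returns NULL once the cap is reached (standing in for cupsdAddSubscription()), the unchecked caller that would crash exactly as in the backtrace, and a checked caller that refuses the request instead. All function and type names in the block are hypothetical; the CUPS identifiers from the message appear only in comments, and the "too-many-subscriptions" IPP status mentioned in a comment is the one RFC 3995 defines, not a claim about what CUPS itself returns.

```c
/* Added example, not CUPS code: models the NULL-return-at-limit pattern
 * from the gdb session above. Names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_SUBSCRIPTIONS 100   /* hardcoded cap, as described for CUPS */

typedef struct {
    int id;
    int interval;
    int lease;
} subscription_t;

static subscription_t *subs[MAX_SUBSCRIPTIONS];
static int num_subs = 0;

/* Stand-in for cupsdAddSubscription(): returns NULL once the table is full
 * (or when calloc fails). Callers must check the result. */
subscription_t *add_subscription(int interval, int lease)
{
    if (num_subs >= MAX_SUBSCRIPTIONS)
        return NULL;
    subscription_t *s = calloc(1, sizeof(*s));
    if (s == NULL)
        return NULL;
    s->id = num_subs + 1;
    s->interval = interval;
    s->lease = lease;
    subs[num_subs++] = s;
    return s;
}

/* "Before" shape, as in the crashing create_subscription(): the return
 * value is used without a check, so the 101st request writes through NULL.
 * Deliberately never called here. */
int create_subscription_unchecked(int interval, int lease)
{
    subscription_t *sub = add_subscription(interval, lease);
    sub->interval = interval;   /* NULL dereference once the cap is hit */
    sub->lease = lease;
    return sub->id;
}

/* Hardened shape: 0 on success, -1 when the limit is hit. A real server
 * would log this and answer the client with an IPP status such as
 * RFC 3995's "server-error-too-many-subscriptions" instead of crashing. */
int create_subscription_checked(int interval, int lease, int *id_out)
{
    subscription_t *sub = add_subscription(interval, lease);
    if (sub == NULL)
        return -1;              /* no field of sub is touched */
    sub->interval = interval;
    sub->lease = lease;
    *id_out = sub->id;
    return 0;
}

/* Drive the checked path past the cap and count how many requests were
 * refused cleanly rather than crashing. With 105 requests, 5 are refused. */
int demo_limit(void)
{
    int id, refused = 0;
    for (int i = 0; i < MAX_SUBSCRIPTIONS + 5; i++)
        if (create_subscription_checked(60, 3600, &id) != 0)
            refused++;
    return refused;
}

int subscription_count(void)
{
    return num_subs;
}

int main(void)
{
    printf("refused: %d, stored: %d\n", demo_limit(), subscription_count());
    return 0;
}
```

The point of the checked variant is only that the caller treats a NULL return as a normal, expected outcome of hitting a resource cap and fails the single request; whether the cap itself is appropriate, or whether an authenticated local user can still exhaust it, is the separate question Josh raises about the upstream fix.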