
oss-sec mailing list archives
Re: CVE request: cross-site scripting issue fixed in CUPS 1.7.2
From: cve-assign () mitre org
Date: Tue, 15 Apr 2014 12:36:04 -0400 (EDT)
CUPS 1.7.2 ... fixes a cross-site scripting issue
http://www.cups.org/str.php?L4356
http://www.cups.org/strfiles.php/3268/str4356.patch
http://www.cups.org/blog.php?L717
https://bugs.mageia.org/show_bug.cgi?id=13196
the patch may not be sufficient to cover all different encodings, other special characters of interest etc.
The attached patch updates is_absolute_path() to check for < and quotes
if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
A CVE can be assigned because the patch above does block some XSS attack vectors. Use CVE-2014-2856 for what is addressed by this patch.

There weren't any immediate followups here or in L4356 demonstrating how to exploit the patched scheduler/client.c code in a specific test environment. It is quite possible that other CVE assignments will be made later.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
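Added example, not code from CUPS or from this thread: the condition quoted in the message is an input-side character check, and the sketch below pairs a check of that shape with output-side HTML escaping, the complementary control for the "other special characters" concern. The function names `path_has_denied_char` and `html_escape` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Input-side check modelled on the condition quoted in the message:
 * flag a path containing '<', '"' or '\''. Hypothetical helper name. */
static int path_has_denied_char(const char *path)
{
  return strchr(path, '<') != NULL || strchr(path, '\"') != NULL ||
         strchr(path, '\'') != NULL;
}

/* Output-side control: HTML-escape src into dst (dstsize bytes).
 * Returns 0 on success, -1 if dst is too small. dst is always
 * NUL-terminated and never ends in a partial entity. */
static int html_escape(char *dst, size_t dstsize, const char *src)
{
  size_t used = 0;

  if (dstsize == 0)
    return -1;

  for (; *src; src++)
  {
    char one[2] = { *src, '\0' };   /* pass-through for ordinary bytes */
    const char *rep;
    size_t len;

    switch (*src)
    {
      case '&':  rep = "&amp;";  break;
      case '<':  rep = "&lt;";   break;
      case '>':  rep = "&gt;";   break;
      case '"':  rep = "&quot;"; break;
      case '\'': rep = "&#39;";  break;
      default:   rep = one;      break;
    }

    len = strlen(rep);
    if (used + len >= dstsize)      /* keep room for the terminator */
    {
      dst[used] = '\0';
      return -1;
    }
    memcpy(dst + used, rep, len);
    used += len;
  }

  dst[used] = '\0';
  return 0;
}
```

Escaping where the value is written into HTML does not depend on which characters an earlier path check happened to look for.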
Current thread:
- CVE request: cross-site scripting issue fixed in CUPS 1.7.2 Murray McAllister (Apr 13)
- Re: CVE request: cross-site scripting issue fixed in CUPS 1.7.2 cve-assign (Apr 15)