Bug 170881 - net-print/cups DoS (CVE-2007-0720)
Bug#: 170881 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0720
Summary: net-print/cups DoS (CVE-2007-0720)
Keywords:  
Status Whiteboard: A3 [glsa+] Falco
Opened: 2007-03-14 14:14 0000
Description:   Opened: 2007-03-14 14:14 0000 
This seems not only to affect Apple. It should be fixed in cups 1.2.7.

The CUPS service in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote
attackers to cause a denial of service (service hang) via a
"partially-negotiated" SSL connection, which prevents other requests from being
accepted.

------- Comment #1 From Raphael Marichez 2007-03-15 21:17:22 0000 ------- 
bâ :(

------- Comment #2 From Matt Drew 2007-03-24 22:55:15 0000 ------- 
bug is public:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232243

1.2.9 is already in the tree.

Arches, please stabilize 1.2.9 (unless there are objections).

------- Comment #3 From Matt Drew 2007-03-24 22:57:45 0000 ------- 
Note that per the Red Hat bug 1.1 is also affected.

------- Comment #4 From Markus Rothe 2007-03-25 09:28:03 0000 ------- 
ppc64 stable (1.2.9)

------- Comment #5 From Tobias Scherbaum 2007-03-25 10:26:40 0000 ------- 
ppc stable

------- Comment #6 From Markus Meier 2007-03-25 11:28:16 0000 ------- 
net-print/cups-1.2.9  USE="X dbus jpeg ldap nls pam png ppds samba ssl tiff
-php -slp"
1. emerges on x86
2. passes collision test
3. net-print/libgnomecups-0.2.2 emerges with it
4. works

Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0,
2.6.19.7 i686)
=================================================================
System uname: 2.6.19.7 i686 AMD Athlon(TM) XP1800+
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 25 Mar 2007 09:30:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/php/apache1-php4/ext-active/
/etc/php/apache1-php5/ext-active/ /etc/php/apache2-php4/ext-active/
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/
/etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo
/etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages
metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv
usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="3dnow 3dnowext X a52 aac alsa apache2 berkdb bitmap-fonts bzip2 cairo cdr
cli cracklib crypt cups dbus divx4linux dri dts dvd dvdr dvdread eds emboss
exif fam ffmpeg firefox fortran gdbm gif gnome gphoto2 gpm gstreamer gtk hal
iconv ipv6 isdnlog java jpeg kde ldap libg++ mad midi mikmod mmx mmxext mono
mp3 mpeg ncurses network nls nptl nptlonly ogg opengl oss pam pcre perl png
ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey
session spell spl ssl svg tcpd test tetex tiff truetype truetype-fonts
type1-fonts unicode usb vcd vorbis win32codecs x86 xine xinerama xml xorg
xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="mouse keyboard"
KERNEL="linux" LINGUAS="en de en_GB" USERLAND="GNU" VIDEO_CARDS="nv none"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #7 From Andrej Kacian (RETIRED) 2007-03-25 19:39:27 0000 ------- 
x86 done

------- Comment #8 From Gustavo Zacarias (RETIRED) 2007-03-26 14:32:37 0000 ------- 
sparc stable.

------- Comment #9 From Chris Gianelloni (RETIRED) 2007-03-27 00:22:47 0000 ------- 
alpha/amd64/ia64 done

------- Comment #10 From Chris Gianelloni (RETIRED) 2007-03-27 00:26:19 0000 ------- 
Crap... OK... not alpha (yet)... which version should I be stabilizing there?

------- Comment #11 From Jeroen Roovers 2007-03-27 04:49:30 0000 ------- 
Stable for HPPA.

------- Comment #12 From Sune Kloppenborg Jeppesen 2007-03-27 06:51:33 0000 ------- 
Pulling in maintainers now.

Printing tt appears that 1.2.x is not working on alpha could you provide a
fixed ebuild for 1.1.x as well?

------- Comment #13 From Stefan Schweizer 2007-03-27 08:43:27 0000 ------- 
I was under the impression that alpha have not yet payed attention to cups-1.2.
See bug 136902

Where do you know from that it doesnt work on alpha? Can the individual who
tested it please also comment there and explain why he believes that cups-1.2
does not work on alpha?

Have marked the other bug as depend of this one for now.

------- Comment #14 From Sune Kloppenborg Jeppesen 2007-03-27 09:24:02 0000 ------- 
@genstef I presumed (perhaps wrongly) that it was not working and alpha was not
slacking.

Chris please comment.

------- Comment #15 From Chris Gianelloni (RETIRED) 2007-03-27 15:43:54 0000 ------- 
I asked which versions I should be stabilizing.  If I should be marking 1.2.9
(and deps) straight to stable, then just tell me as much.

------- Comment #16 From Sune Kloppenborg Jeppesen 2007-03-28 06:15:44 0000 ------- 
This is only fixed in 1.2.9 so target keywords are:

cups-1.2.9.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390
sh sparc x86 ~x86-fbsd"

I hope this covers everything.

------- Comment #17 From Chris Gianelloni (RETIRED) 2007-03-29 14:32:41 0000 ------- 
Alpha done...

------- Comment #18 From Sune Kloppenborg Jeppesen 2007-04-16 15:47:31 0000 ------- 
*** Bug 174801 has been marked as a duplicate of this bug. ***

------- Comment #19 From Lubomir Rintel 2007-04-17 12:08:39 0000 ------- 
Please note that the timeout actually fixes nothing. Tell Mr. Sweet, and he'll
tell you that you are and idiot and that the DoS with just one connection and
few bytes sent is equal to distributed DoS with hundreds of requests and
resources spent and can not be fixed. Users should be warned somehow that they
shouldn't expose the web interfaces to their print servers to Internet. That
would be a good practice anyways. ('I' in "IPP" actually stands for "Intranet",
not?)

See attachment 151009 [details] in Red Hat BTS for a PoC.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232241

------- Comment #20 From Sune Kloppenborg Jeppesen 2007-05-02 11:54:11 0000 ------- 
GLSA 200703-28