Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 212364 - net-print/cups <1.2.12-r6 Remote cgiCompileSearch() Buffer overflow (CVE-2008-0047)
Summary: net-print/cups <1.2.12-r6 Remote cgiCompileSearch() Buffer overflow (CVE-2008...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://labs.idefense.com/intelligence...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-03-05 10:14 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-06 21:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
cups-1.2.12-CVE-2008-0047.patch (cups-1.2.12-CVE-2008-0047.patch,495 bytes, patch)
2008-03-05 10:19 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
cups-1.2.12-r6.ebuild (cups-1.2.12-r6.ebuild,6.99 KB, text/plain)
2008-03-10 14:04 UTC, Timo Gurr (RETIRED)
no flags Details
cups-1.3.6-r2.ebuild (cups-1.3.6-r2.ebuild,8.02 KB, text/plain)
2008-03-10 14:06 UTC, Timo Gurr (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 10:14:22 UTC
CUPS serves an interface on TCP port 631, which provides access to  
several CGI applications.
These applications are used to administer CUPS, and to provide
information about print jobs. These applications all use a common
search function called cgiCompileSearch(). This function takes a user
provide search expression, and compiles it into a regular expression.
By passing a malformed search request, an attacker can trigger a heap  
based buffer overflow.

In order to exploit this vulnerability remotely, the targeted host must
be sharing a printer(s) on the network. If a printer is not being
shared, CUPS only listens on the localhost interface, and the scope of
this vulnerability would be limited to local privilege escalation.


The CVE for this issue is CVE-2008-0047.
It is also tracked by
http://www.cups.org/str.php?L2729

Timing:
This issue should remain embargoed until 3/18/2008.
If there is any change to this schedule, we will notify vendor-sec.

Versions affected:
CUPS 1.2.0 through 1.3.6


Credit:
regenrecht working with the VeriSign iDefense VCP
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 10:15:34 UTC
Timo, this issue is under embargo until 2008-03-18. Do not commit anything to CVS until this date. Please prepare an updated ebuild and attach it to this bug, we will do prestable testing here. Thanks.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 10:19:26 UTC
Created attachment 145338 [details, diff]
cups-1.2.12-CVE-2008-0047.patch

Upstream patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-08 16:29:19 UTC
Timo, please prepare an ebuild.
Comment 4 Timo Gurr (RETIRED) gentoo-dev 2008-03-10 14:04:57 UTC
Created attachment 145731 [details]
cups-1.2.12-r6.ebuild

With the same keywords like cups-1.2.12-r4.ebuild:
Stable: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Testing: ~mips ~sparc-fbsd ~x86-fbsd
Comment 5 Timo Gurr (RETIRED) gentoo-dev 2008-03-10 14:06:17 UTC
Created attachment 145733 [details]
cups-1.3.6-r2.ebuild

Many thanks to Peter Volkov (pva) for helping me out with the ebuilds and bugfixes!
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-03-10 15:36:49 UTC
Arch Security Liaisons, please test the attached ebuild ( =net-print/cups-1.2.12-r4 ) and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2008-03-10 16:42:17 UTC
sparc is good with cups-1.2.12-r6. (Tested remote only using {.ps, .pdf} files, two different printers.)

I think in Comment 6 you mean -1.2.12-r6.  I didn't do anything with -1.3.6-r2.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-03-10 17:15:38 UTC
(In reply to comment #7)
> I think in Comment 6 you mean -1.2.12-r6.

Hgh.....my copy+paste foo is not improving as fast as I hoped.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-11 02:16:48 UTC
OK for HPPA.
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-11 07:57:17 UTC
Works on x86 remote and local...only had time for 1.2.12-r6
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2008-03-11 07:57:59 UTC
-1.2.12-r6 looks good on ppc64.
Comment 12 Peter Weller (RETIRED) gentoo-dev 2008-03-14 07:18:36 UTC
Looks good to go on amd64
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-03-19 00:51:46 UTC
public via URL. tgurr, printing, please commit the ebuild to the tree with the stable keywords earned in this bug.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-03-19 21:30:20 UTC
printing, I committed the ebuilds here since I could not get hold of tgurr since yesterday. I did not clean up older ebuilds.

Now for the rest...

Arches, please test and mark stable:
=net-print/cups-1.2.12-r6
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
Already stabled : "amd64 hppa ppc64 sparc x86"
Missing keywords: "alpha arm ia64 m68k ppc release s390 sh"
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2008-03-22 15:22:47 UTC
ia64 stable
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2008-03-22 16:21:45 UTC
Stable on alpha.
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-23 11:09:00 UTC
ppc stable, ready for glsa
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2008-03-23 12:16:36 UTC
Fixed in release snapshot.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 19:46:02 UTC
draft in 'maker.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 19:19:06 UTC
GLSA 200804-01