295256 – (CVE-2009-3553) <net-print/cups-1.3.11-r2 File descriptor handling Use-after-free (crash) (CVE-2009-3553)

Bug 295256 (CVE-2009-3553) - <net-print/cups-1.3.11-r2 File descriptor handling Use-after-free (crash) (CVE-2009-3553)

Summary: <net-print/cups-1.3.11-r2 File descriptor handling Use-after-free (crash) (CV...

Status:	RESOLVED FIXED

Alias:	CVE-2009-3553

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	A3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2009-11-30 22:32 UTC by Timo Gurr (RETIRED)
Modified:	2012-07-09 23:37 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Timo Gurr (RETIRED) gentoo-dev

2009-11-30 22:32:11 UTC

An use-after-free flaw was found in the way CUPS handled references in its
file descriptors handling interface. A remote attacker could, in a
specially-crafted way, query for the list of current print jobs for a
specific printer, leading to a denial of service (cupsd crash).

Upstream bug report:
-------------------
http://www.cups.org/str.php?L3200

Reproducer from upstream STR#3200 issue:
----------------------------------------
1. produce 300 active jobs on the CUPS server.
2. extract client.zip to any directory
3. execute: java -cp "cups-java-client-1.3.jar";. TestCupsGetJobs 10.236.33.136
  (replace 10.236.33.136 with your server address)


Suggestion (tgurr):
-------
Stabilize =net-print/cups-1.3.11-r2 which has the security patches provided by
upstream applied (Note: =net-print/cups-1.4.2-r1 is patched as well).

NOTE: Please delete your already downloaded cups-1.3.11-source.tar.bz2 from distfiles when stabilizing because of upstream tarball ping-pong ...
Wrong size:   DIST cups-1.3.11-source.tar.bz2 3799424 RMD160
Correct size: DIST cups-1.3.11-source.tar.bz2 3799393 RMD160

Comment 1 Alex Legler (RETIRED) archtester

2009-12-01 06:29:42 UTC

CVE-2009-3553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3553):
  Use-after-free vulnerability in the abstract file-descriptor handling
  interface in the cupsdDoSelect function in scheduler/select.c in the
  scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers
  to cause a denial of service (daemon crash or hang) via a client
  disconnection during listing of a large number of print jobs, related
  to improperly maintaining a reference count.  NOTE: some of these
  details are obtained from third party information.

Comment 2 Kelly Price 2010-01-10 22:51:11 UTC

The new file size breaks net-print/cups-1.3.11-r1.  Trying out the -r2.

Comment 3 Pacho Ramos gentoo-dev

2010-07-03 10:46:26 UTC

Why is net-print/cups-1.3.11-r2 not being stabilized?

Comment 4 Tobias Heinlein (RETIRED) gentoo-dev

2010-07-03 12:35:29 UTC

(In reply to comment #3)
> Why is net-print/cups-1.3.11-r2 not being stabilized?
> 

Because arches have not been added to CC, thanks! Doing so now.

Arches, please test and mark stable:
=net-print/cups-1.4.4
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 5 Tobias Heinlein (RETIRED) gentoo-dev

2010-07-03 12:36:18 UTC

Oops, wrong version, should have been:

Arches, please test and mark stable:
=net-print/cups-1.3.11-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2010-07-04 11:11:30 UTC

x86 stable

Comment 7 Brent Baude (RETIRED) gentoo-dev

2010-07-08 16:15:03 UTC

ppc64 done

Comment 8 Jeroen Roovers (RETIRED) gentoo-dev

2010-07-10 17:54:24 UTC

Stable for HPPA.

Comment 9 Tobias Klausmann (RETIRED) gentoo-dev

2010-07-11 09:28:12 UTC

Stable on alpha.

Comment 10 Markos Chandras (RETIRED) gentoo-dev

2010-07-12 17:38:39 UTC

amd64 done

Comment 11 Raúl Porcel (RETIRED) gentoo-dev

2010-07-17 16:39:16 UTC

arm/ia64/m68k/s390/sh/sparc stable

Comment 12 Joe Jezak (RETIRED) gentoo-dev

2010-07-18 19:01:06 UTC

Marked ppc stable.

Comment 13 Tim Sammut (RETIRED) gentoo-dev

2011-01-02 04:28:33 UTC

xiexie, folks. GLSA request filed.

Comment 14 Andreas K. Hüttel archtester

2011-06-03 21:43:55 UTC

Thanks guys. No vulnerable version left in the tree. 
Nothing left to do for printing.

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2012-07-09 23:37:08 UTC

This issue was resolved and addressed in
 GLSA 201207-10 at http://security.gentoo.org/glsa/glsa-201207-10.xml
by GLSA coordinator Sean Amoss (ackle).