Secunia Research has discovered a vulnerability in CUPS, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "ippReadIO()" function in cups/ipp.c when processing IPP (Internet Printing Protocol) tags. This can be exploited to overwrite one byte on the stack with a zero by sending an IPP request containing specially crafted "textWithLanguage" or "nameWithLanguage" tags.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 1.3.3. Other versions may also be affected.

Vulnerability Details:
----------------------
The vulnerability is caused by the missing check for the text-length field at line 1430 in cups/ipp.c from cups-1.3.3.

Exploitation:
-------------
The vulnerability can be reproduced by sending a specially crafted IPP request specifying an IPP tag equal to 0x35 (IPP_TAG_TEXTLANG), containing an overly large text-length value (e.g. 33035).

Closing comments:
-----------------
We have assigned this vulnerability Secunia advisory SA27233 and CVE identifier CVE-2007-4351.

Upstream contacted. Disclosure date: As soon as the vendor releases a patch, or 2007-10-31. Note that this may be changed if the vendor requests it.

Credits: Alin Rad Pop, Secunia Research.
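A defensive parse of the value type the advisory names, as an added example that is neither CUPS code nor part of the advisory: it walks a textWithLanguage/nameWithLanguage value and rejects any language-length or text-length that does not fit the remaining bytes or the destination buffer. The buffer sizes, function names and sample bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example, not CUPS code: bounds-check the wire form of an IPP
 * textWithLanguage / nameWithLanguage value (tag 0x35, RFC 2911 s.3.9).
 * After the 2-byte value-length (consumed by the caller) the value holds
 *   lang-length (2) | language | text-length (2) | text
 * Each inner length must fit in the remaining value bytes and in its
 * destination buffer; the advisory reports the text-length check missing. */

#define MAX_LANG 64   /* hypothetical buffer sizes chosen for this example */
#define MAX_TEXT 1024

struct ipp_textlang { char language[MAX_LANG]; char text[MAX_TEXT]; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 when a length field is inconsistent. */
int ipp_parse_textlang(const uint8_t *v, size_t vlen, struct ipp_textlang *out)
{
    size_t pos = 0, lang_len, text_len;
    if (vlen < 2) return -1;
    lang_len = rd16(v); pos += 2;
    /* language plus the following 2-byte text-length must fit in the value */
    if (lang_len >= MAX_LANG || lang_len + 2 > vlen - pos) return -1;
    memcpy(out->language, v + pos, lang_len);
    out->language[lang_len] = '\0';
    pos += lang_len;
    text_len = rd16(v + pos); pos += 2;
    /* the check the advisory reports missing: the text must fit as well */
    if (text_len >= MAX_TEXT || text_len > vlen - pos) return -1;
    memcpy(out->text, v + pos, text_len);
    out->text[text_len] = '\0';
    return 0;
}

/* Constructed sample: language "en", text "hello", all lengths consistent. */
int parse_wellformed(struct ipp_textlang *out)
{
    static const uint8_t good[] = { 0,2,'e','n', 0,5,'h','e','l','l','o' };
    return ipp_parse_textlang(good, sizeof good, out);
}

/* Constructed sample: text-length 33035 (0x810B) but only 5 text bytes. */
int parse_oversized(struct ipp_textlang *out)
{
    static const uint8_t bad[] = { 0,2,'e','n', 0x81,0x0B,'h','e','l','l','o' };
    return ipp_parse_textlang(bad, sizeof bad, out);
}
```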
Created attachment 134186: str2561-cups11v2.patch
Created attachment 134187: str2561-cups12v2.patch
Created attachment 134188: str2561-cups13v2.patch
Hi Genstef, if you want stable testing before the disclosure date please attach updated ebuilds to this bug. Do not commit anything yet.
Public now. Printing, any news here?
*** Bug 197868 has been marked as a duplicate of this bug. ***
Printing please advise.
Bumped versions for cups 1.1 and 1.2 which apply the patch for CVE-2007-4351:
cups-1.1.23-r9.ebuild
cups-1.2.12-r2.ebuild

Added new upstream version for cups 1.3 and removed the vulnerable cups-1.3.3.ebuild from the tree:
cups-1.3.4.ebuild
I removed the cups-1.1 fixed ebuild again and made sure that it's obvious that 1.1 is unmaintained and suffers from more bugs. Sorry for the confusion.
Arches, please test and mark stable net-print/cups-1.2.12-r2.
Target keywords: "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Sparc stable.
x86 stable
ppc64 stable
Stable for HPPA.
ppc stable
amd64 done.
alpha/ia64 stable, thanks Tobias
GLSA 200711-16, sorry for the delay.
mips stable.