Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 295256 (CVE-2009-3553)

Summary: <net-print/cups-1.3.11-r2 File descriptor handling Use-after-free (crash) (CVE-2009-3553)
Product: Gentoo Security Reporter: Timo Gurr (RETIRED) <tgurr>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: bugs, pacho
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=530111
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Timo Gurr (RETIRED) gentoo-dev 2009-11-30 22:32:11 UTC 
An use-after-free flaw was found in the way CUPS handled references in its
file descriptors handling interface. A remote attacker could, in a
specially-crafted way, query for the list of current print jobs for a
specific printer, leading to a denial of service (cupsd crash).

Upstream bug report:
-------------------
http://www.cups.org/str.php?L3200

Reproducer from upstream STR#3200 issue:
----------------------------------------
1. produce 300 active jobs on the CUPS server.
2. extract client.zip to any directory
3. execute: java -cp "cups-java-client-1.3.jar";. TestCupsGetJobs 10.236.33.136
  (replace 10.236.33.136 with your server address)


Suggestion (tgurr):
-------
Stabilize =net-print/cups-1.3.11-r2 which has the security patches provided by
upstream applied (Note: =net-print/cups-1.4.2-r1 is patched as well).

NOTE: Please delete your already downloaded cups-1.3.11-source.tar.bz2 from distfiles when stabilizing because of upstream tarball ping-pong ...
Wrong size:   DIST cups-1.3.11-source.tar.bz2 3799424 RMD160
Correct size: DIST cups-1.3.11-source.tar.bz2 3799393 RMD160
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-01 06:29:42 UTC 
CVE-2009-3553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3553):
  Use-after-free vulnerability in the abstract file-descriptor handling
  interface in the cupsdDoSelect function in scheduler/select.c in the
  scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers
  to cause a denial of service (daemon crash or hang) via a client
  disconnection during listing of a large number of print jobs, related
  to improperly maintaining a reference count.  NOTE: some of these
  details are obtained from third party information.
Comment 2 Kelly Price 2010-01-10 22:51:11 UTC 
The new file size breaks net-print/cups-1.3.11-r1.  Trying out the -r2.
Comment 3 Pacho Ramos gentoo-dev 2010-07-03 10:46:26 UTC 
Why is net-print/cups-1.3.11-r2 not being stabilized?
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2010-07-03 12:35:29 UTC 
(In reply to comment #3)
> Why is net-print/cups-1.3.11-r2 not being stabilized?
> 

Because arches have not been added to CC, thanks! Doing so now.

Arches, please test and mark stable:
=net-print/cups-1.4.4
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-07-03 12:36:18 UTC 
Oops, wrong version, should have been:

Arches, please test and mark stable:
=net-print/cups-1.3.11-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-07-04 11:11:30 UTC 
x86 stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2010-07-08 16:15:03 UTC 
ppc64 done
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-10 17:54:24 UTC 
Stable for HPPA.
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2010-07-11 09:28:12 UTC 
Stable on alpha.
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2010-07-12 17:38:39 UTC 
amd64 done
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2010-07-17 16:39:16 UTC 
arm/ia64/m68k/s390/sh/sparc stable
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2010-07-18 19:01:06 UTC 
Marked ppc stable.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:28:33 UTC 
xiexie, folks. GLSA request filed.
Comment 14 Andreas K. Hüttel archtester gentoo-dev 2011-06-03 21:43:55 UTC 
Thanks guys. No vulnerable version left in the tree. 
Nothing left to do for printing.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 23:37:08 UTC 
This issue was resolved and addressed in
 GLSA 201207-10 at http://security.gentoo.org/glsa/glsa-201207-10.xml
by GLSA coordinator Sean Amoss (ackle).