
Bug 308045 (CVE-2010-0302)

Summary: <net-print/cups-1.4.6-r2: multiple vulnerabilities (CVE-2010-{0302,0393})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=557775
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 333781    
Bug Blocks:    

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:33:06 UTC
CVE-2010-0302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0302):
  Use-after-free vulnerability in the abstract file-descriptor handling
  interface in the cupsdDoSelect function in scheduler/select.c in the
  scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when
  kqueue or epoll is used, allows remote attackers to cause a denial of
  service (daemon crash or hang) via a client disconnection during
  listing of a large number of print jobs, related to improperly
  maintaining a reference count.  NOTE: some of these details are
  obtained from third party information.  NOTE: this vulnerability
  exists because of an incomplete fix for CVE-2009-3553.
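The description above attributes the crash to a reference count that is not maintained while a client disconnects during dispatch. The following is an added illustration of the defensive pattern (an event loop that pins each handler with a reference for the duration of its callback, so removal from inside the callback cannot free memory still in use); it is not CUPS code, and all names (handler_t, handler_add, handler_remove, dispatch) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fd-handler table, not CUPS's scheduler/select.c. */
typedef struct handler {
    int fd;
    int refcount;              /* 1 held by the table, +1 while dispatching */
    int removed;               /* owner asked for removal                   */
    int calls;                 /* callback invocations (for the demo)       */
    void (*cb)(struct handler *);
} handler_t;

#define MAX_HANDLERS 8
static handler_t *table[MAX_HANDLERS];
int freed_count;               /* real frees, to show there is no double free */

static void handler_release(handler_t *h) {
    if (--h->refcount == 0) {
        free(h);
        freed_count++;
    }
}

handler_t *handler_add(int fd, void (*cb)(handler_t *)) {
    for (int i = 0; i < MAX_HANDLERS; i++) {
        if (table[i] == NULL) {
            handler_t *h = calloc(1, sizeof *h);
            if (!h) return NULL;
            h->fd = fd;
            h->cb = cb;
            h->refcount = 1;   /* the table's reference */
            table[i] = h;
            return h;
        }
    }
    return NULL;
}

/* Safe to call from inside a callback: the table slot is cleared and the
 * table's reference dropped, but the struct survives while dispatch holds
 * its own reference. */
void handler_remove(handler_t *h) {
    for (int i = 0; i < MAX_HANDLERS; i++) {
        if (table[i] == h) {
            table[i] = NULL;
            h->removed = 1;
            handler_release(h);
            return;
        }
    }
}

/* Run the callback of every registered handler whose fd is in `ready`.
 * The extra reference taken around the callback is the whole point: without
 * it, a callback that removes its own handler (client went away) would free
 * the struct the loop is still touching. Returns the number of callbacks run. */
int dispatch(const int *ready, int nready) {
    int ran = 0;
    for (int i = 0; i < MAX_HANDLERS; i++) {
        handler_t *h = table[i];
        if (!h) continue;
        int is_ready = 0;
        for (int j = 0; j < nready; j++)
            if (ready[j] == h->fd) is_ready = 1;
        if (!is_ready) continue;
        h->refcount++;          /* pin while in use */
        h->cb(h);               /* may call handler_remove(h) */
        ran++;
        handler_release(h);     /* frees only if the table let go too */
    }
    return ran;
}

/* Demo callbacks: one keeps its connection, one "disconnects" mid-dispatch. */
static void cb_keep(handler_t *h)       { h->calls++; }
static void cb_disconnect(handler_t *h) { h->calls++; handler_remove(h); }

/* Constructed scenario: fds 4 and 5 are ready, fd 5 disconnects inside its
 * callback. Returns how many handlers remain registered afterwards. */
int demo_live_after_disconnect(void) {
    memset(table, 0, sizeof table);
    freed_count = 0;
    handler_t *keep = handler_add(4, cb_keep);
    handler_add(5, cb_disconnect);
    int ready[] = {4, 5};
    dispatch(ready, 2);
    int live = 0;
    for (int i = 0; i < MAX_HANDLERS; i++)
        if (table[i]) live++;
    handler_remove(keep);       /* tidy up so the demo can be rerun */
    return live;
}

int main(void) {
    int live = demo_live_after_disconnect();
    printf("handlers left registered: %d, structs freed: %d\n", live, freed_count);
    return 0;
}
```

The unsafe variant of this loop is the one that touches `h` after `h->cb(h)` with no reference of its own; with the pin, a handler removed during its callback is freed exactly once, when the loop releases it.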
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:47:32 UTC
CVE-2010-0393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0393):
  The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS
  1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to
  determine the file that provides localized message strings, which
  allows local users to gain privileges via a file that contains
  crafted localization data with format string specifiers.
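The issue above combines two weaknesses: a privileged program letting its caller choose the catalog file through the environment, and catalog strings being used as printf formats without validation. Added illustration of both defences, not code from CUPS or lppasswd; the environment variable name CATALOG_DIR, the default directory and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_LOCALE_DIR "/usr/share/locale"   /* placeholder default */

/* True when effective ids differ from real ids, i.e. a setuid/setgid run. */
int running_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Choose the catalog directory. The environment override is honoured only
 * for unprivileged processes and only as an absolute path; a setuid binary
 * must not let its caller pick which file supplies format strings. */
const char *choose_locale_dir(const char *env_override, int privileged) {
    if (!privileged && env_override && env_override[0] == '/')
        return env_override;
    return DEFAULT_LOCALE_DIR;
}

/* Collect the conversion letters of a printf-style string into `out`.
 * Returns the count, or -1 for an unterminated spec, a %n, or overflow.
 * Assumption: positional forms like %1$s are not supported here and are
 * rejected (the '$' is treated as an unexpected conversion letter). */
static int collect_specs(const char *s, char *out, size_t max) {
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                          /* literal percent */
        while (*p && strchr("-+ #0123456789.lhjztL", *p)) p++;
        if (!*p || *p == 'n') return -1;                  /* %n writes memory */
        if (n >= max) return -1;
        out[n++] = *p;
    }
    return (int)n;
}

/* A translated message may be used as a format only if its specifiers
 * match the untranslated template exactly (same count, same order, same
 * letters). */
int format_specs_match(const char *template, const char *translated) {
    char a[16], b[16];
    int na = collect_specs(template, a, sizeof a);
    int nb = collect_specs(translated, b, sizeof b);
    return na >= 0 && na == nb && memcmp(a, b, (size_t)na) == 0;
}

/* Fall back to the template when a catalog entry fails validation, so a
 * hostile catalog can at worst produce an untranslated prompt. */
const char *safe_message(const char *template, const char *translated) {
    return format_specs_match(template, translated) ? translated : template;
}

int main(void) {
    const char *dir = choose_locale_dir(getenv("CATALOG_DIR"), running_privileged());
    /* Constructed catalog entries: one legitimate, one hostile. */
    const char *tmpl = "Enter %s's password: ";
    printf("catalog dir: %s\n", dir);
    printf("good entry -> %s\n", safe_message(tmpl, "Mot de passe de %s : "));
    printf("bad entry  -> %s\n", safe_message(tmpl, "%s %p %p %p"));
    return 0;
}
```

The two checks are independent: the first keeps an attacker from supplying the catalog at all when privileges are elevated, the second keeps a bad catalog from turning into a format-string problem even if it is somehow loaded.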

Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 11:06:54 UTC
There are some upstream patches available, not sure if they are already applied:

http://cups.org/strfiles/3490/0001-More-complete-fix-for-CVE-2009-3553.patch
http://www.cups.org/str.php?L3482
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2011-06-05 18:42:18 UTC
(In reply to comment #0)
> CVE-2010-0302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0302):
>   Use-after-free vulnerability in the abstract file-descriptor handling
>   interface in the cupsdDoSelect function in scheduler/select.c in the
>   scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when
>   kqueue or epoll is used, allows remote attackers to cause a denial of
>   service (daemon crash or hang) via a client disconnection during
>   listing of a large number of print jobs, related to improperly
>   maintaining a reference count.  NOTE: some of these details are
>   obtained from third party information.  NOTE: this vulnerability
>   exists because of an incomplete fix for CVE-2009-3553.

Just going after the version numbers, this should be fixed in the tree versions (1.3.11 and 1.4.6).

(In reply to comment #1)
> CVE-2010-0393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0393):
>   The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS
>   1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to
>   determine the file that provides localized message strings, which
>   allows local users to gain privileges via a file that contains
>   crafted localization data with format string specifiers.

Ditto.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-06-12 18:54:08 UTC
CVE-2010-0302 is fixed in 1.4.4 per: http://cups.org/articles.php?L596
CVE-2010-0393 was fixed in 1.4.3 per: http://cups.org/articles.php?L594

I do not see reference to either issue being fixed in 1.3.11 per http://cups.org/articles.php?L586. Please let me know if I am missing something. Thanks.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 15:50:08 UTC
Fixed in net-print/cups-1.4.6-r2 via bug 333781. GLSA Vote: yes.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:08:47 UTC
Vote: YES. Added to pending GLSA request.
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2012-01-15 20:42:35 UTC
No vulnerable version in the tree anymore.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 23:37:10 UTC
This issue was resolved and addressed in GLSA 201207-10 at http://security.gentoo.org/glsa/glsa-201207-10.xml by GLSA coordinator Sean Amoss (ackle).