
Bug 325551 (CVE-2010-0540)

Summary: <net-print/cups-1.4.6-r2: multiple vulnerabilities (CVE-2010-{0540,0542,1748,2431,2432,2941})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jaak
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://support.apple.com/kb/HT4188
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 333781
Bug Blocks:

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 19:21:38 UTC
CVE-2010-0540 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0540):
  Cross-site request forgery (CSRF) vulnerability in the web interface
  in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6
  before 10.6.4, and other platforms, allows remote attackers to hijack
  the authentication of administrators for requests that change
  settings.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 19:22:16 UTC
Please provide an updated ebuild.
Comment 2 Jaak Ristioja 2010-06-25 19:26:59 UTC
(In reply to comment #1)
> Please provide an updated ebuild.
> 

Isn't net-print/cups-1.4.4 already in portage?
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:36:59 UTC
CVE-2010-0540 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0540):
  Cross-site request forgery (CSRF) vulnerability in the web interface
  in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6
  before 10.6.4, and other platforms, allows remote attackers to hijack
  the authentication of administrators for requests that change
  settings.

CVE-2010-1748 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1748):
  The cgi_initialize_string function in cgi-bin/var.c in the web
  interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac
  OS X 10.6 before 10.6.4, and other platforms, does not properly
  handle parameter values containing a % (percent) character without
  two subsequent hex characters, which allows context-dependent
  attackers to obtain sensitive information from cupsd process memory
  via a crafted request, as demonstrated by the (1)
  /admin?OP=redirect&URL=% and (2) /admin?URL=/admin/&OP=% URIs.

CVE-2010-2431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2431):
  The cupsFileOpen function in CUPS before 1.4.4 allows local users,
  with lp group membership, to overwrite arbitrary files via a symlink
  attack on the (1) /var/cache/cups/remote.cache or (2)
  /var/cache/cups/job.cache file.

CVE-2010-2432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2432):
  The cupsDoAuthentication function in auth.c in the client in CUPS
  before 1.4.4, when HAVE_GSSAPI is omitted, does not properly handle a
  demand for authorization, which allows remote CUPS servers to cause a
  denial of service (infinite loop) via HTTP_UNAUTHORIZED responses.

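The CVE-2010-1748 entry above describes a percent-decoder that assumed every "%" in a form value was followed by two hex digits, so a value ending in a bare "%" made it read on past the end of the parameter into whatever cupsd memory came next. The following is an added illustration and not code from CUPS or from this bug: a length-bounded decoder and query-string parser (hypothetical names decode_form_value, parse_query, form_var) that check both hex digits are inside the buffer before touching them and reject the whole request on a truncated or malformed escape. The sample inputs are the two URIs quoted in the CVE text plus one well-formed query, constructed here for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME  64
#define MAX_VALUE 256

/* One decoded form variable (hypothetical type, not CUPS's own). */
struct form_var {
    char name[MAX_NAME];
    char value[MAX_VALUE];
};

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_value(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Percent-decode exactly srclen bytes of src into dst (NUL-terminated).
 * Returns the decoded length, or -1 if a '%' is not followed by two hex
 * digits *inside the buffer* ("%", "%4" and "%zz" are all rejected) or if
 * dst is too small. Nothing beyond src[srclen - 1] is ever read.
 */
int decode_form_value(const char *src, size_t srclen, char *dst, size_t dstlen)
{
    size_t out = 0;
    if (dstlen == 0)
        return -1;
    for (size_t i = 0; i < srclen; i++) {
        int ch;
        if (src[i] == '%') {
            if (i + 2 >= srclen)            /* both digits must exist first */
                return -1;
            int hi = hex_value((unsigned char)src[i + 1]);
            int lo = hex_value((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0)
                return -1;
            ch = hi * 16 + lo;
            i += 2;
        } else if (src[i] == '+') {
            ch = ' ';                       /* form-encoding convention */
        } else {
            ch = (unsigned char)src[i];
        }
        if (out + 1 >= dstlen)              /* keep room for the terminator */
            return -1;
        dst[out++] = (char)ch;
    }
    dst[out] = '\0';
    return (int)out;
}

/*
 * Split "name=value&name2=value2" into decoded variables. Returns the count,
 * or -1 on the first malformed component so the caller answers the whole
 * request with an error instead of acting on partially decoded data.
 */
int parse_query(const char *query, struct form_var *vars, size_t max_vars)
{
    size_t n = 0;
    const char *p = query;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t partlen = amp ? (size_t)(amp - p) : strlen(p);
        if (partlen > 0) {
            const char *eq = memchr(p, '=', partlen);
            size_t namelen = eq ? (size_t)(eq - p) : partlen;
            const char *val = eq ? eq + 1 : p + partlen;
            size_t vallen = eq ? partlen - namelen - 1 : 0;
            if (n >= max_vars)
                return -1;
            if (decode_form_value(p, namelen, vars[n].name, MAX_NAME) < 0)
                return -1;
            if (decode_form_value(val, vallen, vars[n].value, MAX_VALUE) < 0)
                return -1;
            n++;
        }
        p = amp ? amp + 1 : p + partlen;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: the two URIs named in the CVE text, plus a valid one. */
    const char *samples[] = { "OP=redirect&URL=%", "URL=/admin/&OP=%",
                              "OP=redirect&URL=%2Fadmin%2F" };
    struct form_var vars[4];
    for (size_t s = 0; s < 3; s++) {
        int n = parse_query(samples[s], vars, 4);
        printf("%-30s -> %s\n", samples[s], n < 0 ? "rejected (malformed escape)" : "ok");
        for (int i = 0; i < n; i++)
            printf("    %s = \"%s\"\n", vars[i].name, vars[i].value);
    }
    return 0;
}
```

The design point is that the bound is checked on the index before either hex byte is read, and that the parser fails closed: a request carrying one bad escape yields no variables at all, which is the behaviour a CGI front end wants when its alternative is echoing back stray heap bytes.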
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-26 12:25:09 UTC
cups team, how do you want to proceed here? Is stabilizing 1.4.4 an option? If no, an updated 1.3.x ebuild would be necessary.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:58:58 UTC
*ping*
Comment 6 Timo Gurr (RETIRED) gentoo-dev 2010-08-01 16:46:20 UTC
(In reply to comment #4)
> cups team, how do you want to proceed here? Is stabilizing 1.4.4 an option? If
> no, an updated 1.3.x ebuild would be necessary.
> 

cups-1.4.4 needs to get stabilized. I've had no time to clean up the backlog of bugs, nor the time to check whether something in the printing guide needs to be updated (libusb vs. usblp kernel module). Any help regarding this would be highly appreciated. The ebuild itself is in good shape; most open bugs are plain driver issues and/or misconfigurations. The recently committed ghostscript-gpl-8.71-r5 should get stabilized along with it; it carries the gs-std-fonts vs. urw-fonts change over the last stable one (-r1), and -r5 also fixes a security issue (CVE-2010-1628).
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-01 23:14:20 UTC
CVE-2010-0542 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0542):
  The _WriteProlog function in texttops.c in texttops in the Text
  Filter subsystem in CUPS before 1.4.4 does not check the return
  values of certain calloc calls, which allows remote attackers to
  cause a denial of service (NULL pointer dereference or heap memory
  corruption) or possibly execute arbitrary code via a crafted file.

Comment 8 Tim Sammut (RETIRED) gentoo-dev 2010-11-26 21:42:55 UTC
Adding CVE-2010-2941, fixed in CUPS 1.4.5 (http://cups.org/articles.php?L597).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2941
ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate memory for attribute values with invalid string data types, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted IPP request. 

Changing whiteboard from B4 to B1 because of possible remote code execution.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-07-10 02:17:38 UTC
CVE-2010-2941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2941):
  ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate memory
  for attribute values with invalid string data types, which allows remote
  attackers to cause a denial of service (use-after-free and application
  crash) or possibly execute arbitrary code via a crafted IPP request.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 15:49:14 UTC
Fixed in net-print/cups-1.4.6-r2 via bug 333781. Added to existing GLSA request.
Comment 11 Andreas K. Hüttel archtester gentoo-dev 2012-01-15 20:40:58 UTC
No vulnerable version in the tree anymore.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 23:37:12 UTC
This issue was resolved and addressed in GLSA 201207-10 at http://security.gentoo.org/glsa/glsa-201207-10.xml by GLSA coordinator Sean Amoss (ackle).