196736 – net-print/cups < 1.2.12-r2 IPP Tags Memory Corruption Vulnerability (CVE-2007-4351)

Bug 196736 - net-print/cups < 1.2.12-r2 IPP Tags Memory Corruption Vulnerability (CVE-2007-4351)

Summary: net-print/cups < 1.2.12-r2 IPP Tags Memory Corruption Vulnerability (CVE-2007...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B1? [glsa]
Keywords:

Duplicates (1):	197868 (view as bug list)
Depends on:
Blocks:

Reported:	2007-10-22 20:01 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2008-01-10 09:02 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
str2561-cups11v2.patch (str2561-cups11v2.patch,3.72 KB, patch) 2007-10-23 18:50 UTC, Sune Kloppenborg Jeppesen (RETIRED)	no flags	Details \| Diff
str2561-cups12v2.patch (str2561-cups12v2.patch,3.78 KB, patch) 2007-10-23 18:50 UTC, Sune Kloppenborg Jeppesen (RETIRED)	no flags	Details \| Diff
str2561-cups13v2.patch (str2561-cups13v2.patch,3.78 KB, patch) 2007-10-23 18:50 UTC, Sune Kloppenborg Jeppesen (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-10-22 20:01:50 UTC

Secunia Research has discovered a vulnerability in CUPS, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
"ippReadIO()" function in cups/ipp.c when processing IPP (Internet
Printing Protocol) tags. This can be exploited to overwrite one byte on
the stack with a zero by sending an IPP request containing specially
crafted "textWithLanguage" or "nameWithLanguage" tags.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 1.3.3. Other versions may also
be affected.

Vulnerability Details:
----------------------

The vulnerability is caused by the missing check for the text-length
field at line 1430 in cups/ipp.c from cups-1.3.3.

Exploitation:
-------------

The vulnerability can be reproduced by sending a specially crafted
IPP request specifying an IPP tag equal to 0x35 (IPP_TAG_TEXTLANG),
containing an overly large text-length value (e.g. 33035). 

Closing comments:
-----------------

We have assigned this vulnerability Secunia advisory SA27233 and CVE
identifier CVE-2007-4351.

Upstream contacted.
Disclosure date: As soon as the vendor releases a patch, or 2007-10-31.
                 Note that this may be changed if the vendor requests it.

Credits:
Alin Rad Pop, Secunia Research.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-10-23 18:50:09 UTC

Created attachment 134186 [details, diff]
str2561-cups11v2.patch

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-10-23 18:50:15 UTC

Created attachment 134187 [details, diff]
str2561-cups12v2.patch

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-10-23 18:50:20 UTC

Created attachment 134188 [details, diff]
str2561-cups13v2.patch

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-10-23 18:53:14 UTC

Hi Genstef, if you want stable testing before the disclosure date please attach updated ebuilds to this bug. Do not commit anything yet.

Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-11-01 14:26:18 UTC

public now. printing, any news here?

Comment 6 Jakub Moc (RETIRED) gentoo-dev

2007-11-02 12:57:54 UTC

*** Bug 197868 has been marked as a duplicate of this bug. ***

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-11-05 07:50:54 UTC

Printing please advise.

Comment 8 Timo Gurr (RETIRED) gentoo-dev

2007-11-05 19:17:02 UTC

Bumped versions for cups 1.1 and 1.2 which apply the patch for CVE-2007-4351:

cups-1.1.23-r9.ebuild
cups-1.2.12-r2.ebuild

Added new upstream version for cups 1.3 and removed the vulnerable cups-1.3.3.ebuild from the tree:

cups-1.3.4.ebuild

Comment 9 Stefan Schweizer (RETIRED) gentoo-dev

2007-11-05 20:01:32 UTC

I removed the cups-1.1 fixed ebuild again and made sure that its obvious that 1.1 is unmaintained and suffers from more bugs.

Sorry for the confusion ..

Comment 10 Robert Buchholz (RETIRED) gentoo-dev

2007-11-05 20:16:25 UTC

Arches, please test and mark stable net-print/cups-1.2.12-r2.
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"

Comment 11 Ferris McCormick (RETIRED) gentoo-dev

2007-11-05 20:52:34 UTC

Sparc stable.

Comment 12 Christian Faulhammer (RETIRED) gentoo-dev

2007-11-06 07:25:57 UTC

x86 stable

Comment 13 Markus Rothe (RETIRED) gentoo-dev

2007-11-06 07:59:10 UTC

ppc64 stable

Comment 14 Jeroen Roovers (RETIRED) gentoo-dev

2007-11-06 16:15:39 UTC

Stable for HPPA.

Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev

2007-11-06 17:50:36 UTC

ppc stable

Comment 16 Daniel Gryniewicz (RETIRED) gentoo-dev

2007-11-09 22:16:01 UTC

amd64 done.

Comment 17 Raúl Porcel (RETIRED) gentoo-dev

2007-11-10 14:49:24 UTC

alpha/ia64 stable, thanks Tobias

Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-11-12 22:00:00 UTC

GLSA 200711-16, sorry for the delay.

Comment 19 Joshua Kinard gentoo-dev

2007-11-20 03:07:05 UTC

mips stable.