Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 196736 - net-print/cups < 1.2.12-r2 IPP Tags Memory Corruption Vulnerability (CVE-2007-4351)
Summary: net-print/cups < 1.2.12-r2 IPP Tags Memory Corruption Vulnerability (CVE-2007...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1? [glsa]
: 197868 (view as bug list)
Depends on:
Reported: 2007-10-22 20:01 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2008-01-10 09:02 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

str2561-cups11v2.patch (str2561-cups11v2.patch,3.72 KB, patch)
2007-10-23 18:50 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags Details | Diff
str2561-cups12v2.patch (str2561-cups12v2.patch,3.78 KB, patch)
2007-10-23 18:50 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags Details | Diff
str2561-cups13v2.patch (str2561-cups13v2.patch,3.78 KB, patch)
2007-10-23 18:50 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-22 20:01:50 UTC
Secunia Research has discovered a vulnerability in CUPS, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
"ippReadIO()" function in cups/ipp.c when processing IPP (Internet
Printing Protocol) tags. This can be exploited to overwrite one byte on
the stack with a zero by sending an IPP request containing specially
crafted "textWithLanguage" or "nameWithLanguage" tags.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 1.3.3. Other versions may also
be affected.

Vulnerability Details:

The vulnerability is caused by the missing check for the text-length
field at line 1430 in cups/ipp.c from cups-1.3.3.


The vulnerability can be reproduced by sending a specially crafted
IPP request specifying an IPP tag equal to 0x35 (IPP_TAG_TEXTLANG),
containing an overly large text-length value (e.g. 33035). 

Closing comments:

We have assigned this vulnerability Secunia advisory SA27233 and CVE
identifier CVE-2007-4351.

Upstream contacted.
Disclosure date: As soon as the vendor releases a patch, or 2007-10-31.
                 Note that this may be changed if the vendor requests it.

Alin Rad Pop, Secunia Research.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-23 18:50:09 UTC
Created attachment 134186 [details, diff]
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-23 18:50:15 UTC
Created attachment 134187 [details, diff]
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-23 18:50:20 UTC
Created attachment 134188 [details, diff]
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-23 18:53:14 UTC
Hi Genstef, if you want stable testing before the disclosure date please attach updated ebuilds to this bug. Do not commit anything yet.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-01 14:26:18 UTC
public now. printing, any news here?
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2007-11-02 12:57:54 UTC
*** Bug 197868 has been marked as a duplicate of this bug. ***
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-11-05 07:50:54 UTC
Printing please advise.
Comment 8 Timo Gurr (RETIRED) gentoo-dev 2007-11-05 19:17:02 UTC
Bumped versions for cups 1.1 and 1.2 which apply the patch for CVE-2007-4351:


Added new upstream version for cups 1.3 and removed the vulnerable cups-1.3.3.ebuild from the tree:

Comment 9 Stefan Schweizer (RETIRED) gentoo-dev 2007-11-05 20:01:32 UTC
I removed the cups-1.1 fixed ebuild again and made sure that its obvious that 1.1 is unmaintained and suffers from more bugs.

Sorry for the confusion ..
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-11-05 20:16:25 UTC
Arches, please test and mark stable net-print/cups-1.2.12-r2.
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Comment 11 Ferris McCormick (RETIRED) gentoo-dev 2007-11-05 20:52:34 UTC
Sparc stable.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-06 07:25:57 UTC
x86 stable
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-11-06 07:59:10 UTC
ppc64 stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-06 16:15:39 UTC
Stable for HPPA.
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-06 17:50:36 UTC
ppc stable
Comment 16 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-11-09 22:16:01 UTC
amd64 done.
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2007-11-10 14:49:24 UTC
alpha/ia64 stable, thanks Tobias
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-12 22:00:00 UTC
GLSA 200711-16, sorry for the delay.
Comment 19 Joshua Kinard gentoo-dev 2007-11-20 03:07:05 UTC
mips stable.