Secunia Research has discovered a vulnerability in CUPS, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error within the
"ippReadIO()" function in cups/ipp.c when processing IPP (Internet
Printing Protocol) tags. This can be exploited to overwrite one byte on
the stack with a zero by sending an IPP request containing specially
crafted "textWithLanguage" or "nameWithLanguage" tags.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 1.3.3. Other versions may also
The vulnerability is caused by the missing check for the text-length
field at line 1430 in cups/ipp.c from cups-1.3.3.
The vulnerability can be reproduced by sending a specially crafted
IPP request specifying an IPP tag equal to 0x35 (IPP_TAG_TEXTLANG),
containing an overly large text-length value (e.g. 33035).
We have assigned this vulnerability Secunia advisory SA27233 and CVE
Disclosure date: As soon as the vendor releases a patch, or 2007-10-31.
Note that this may be changed if the vendor requests it.
Alin Rad Pop, Secunia Research.
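The advisory above describes a value reader that trusts the attacker-supplied text-length field. The following is an added example, not CUPS's own code, showing how a bounds-checked reader for the textWithLanguage / nameWithLanguage value layout (value-length, language-length, language, text-length, text, all lengths 16-bit big-endian) rejects an inner length that exceeds the bytes actually present or the fixed-size destination buffer. The buffer sizes, function names and the two sample values are constructed for this example; the oversized text-length (33035) is the figure from the advisory.

```c
/* Added example (hypothetical code, not from CUPS): a bounds-checked reader
 * for the IPP textWithLanguage / nameWithLanguage value layout:
 *   value-length(2) | lang-length(2) | lang | text-length(2) | text
 * Every inner length is checked against the bytes still available and against
 * the destination buffer before any copy or NUL-termination happens, which is
 * the class of check the advisory says was missing in ippReadIO(). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_LANG 64    /* constructed limits for this example */
#define MAX_TEXT 256

struct textlang {
    char lang[MAX_LANG + 1];
    char text[MAX_TEXT + 1];
};

/* Read a 16-bit big-endian length; the caller guarantees 2 bytes are present. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if any length field is inconsistent with the
 * available bytes or with the fixed-size destination buffers. */
int parse_textlang(const uint8_t *buf, size_t buflen, struct textlang *out)
{
    size_t pos = 0;
    if (buflen < 2) return -1;
    uint16_t vlen = rd16(buf); pos += 2;
    if (vlen > buflen - pos) return -1;            /* value runs past the request */
    size_t end = pos + vlen;

    if (end - pos < 2) return -1;
    uint16_t llen = rd16(buf + pos); pos += 2;
    if (llen > end - pos || llen > MAX_LANG) return -1;
    memcpy(out->lang, buf + pos, llen); out->lang[llen] = '\0'; pos += llen;

    if (end - pos < 2) return -1;
    uint16_t tlen = rd16(buf + pos); pos += 2;
    /* This is the check whose absence lets an attacker-chosen text-length drive
     * the NUL write past the end of the on-stack buffer. */
    if (tlen > end - pos || tlen > MAX_TEXT) return -1;
    memcpy(out->text, buf + pos, tlen); out->text[tlen] = '\0'; pos += tlen;

    return pos == end ? 0 : -1;   /* trailing bytes inside the value are rejected too */
}

/* Constructed sample values: a well-formed one (lang "en", text "hello") and one
 * whose text-length is 33035 (0x810B) while only 5 bytes of text follow. */
static const uint8_t sample_ok[]  = { 0x00,0x0B, 0x00,0x02,'e','n', 0x00,0x05,'h','e','l','l','o' };
static const uint8_t sample_bad[] = { 0x00,0x0B, 0x00,0x02,'e','n', 0x81,0x0B,'h','e','l','l','o' };

/* Parse one of the two samples; bad != 0 selects the malformed one. */
int run_sample(int bad, struct textlang *out)
{
    if (bad)
        return parse_textlang(sample_bad, sizeof sample_bad, out);
    return parse_textlang(sample_ok, sizeof sample_ok, out);
}

int main(void)
{
    struct textlang t;
    printf("well-formed value: %s\n", run_sample(0, &t) == 0 ? "accepted" : "rejected");
    printf("oversized text-length: %s\n", run_sample(1, &t) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The reader tracks the end of the enclosing value rather than only the end of the whole request, so a length that is plausible for the request but not for the value it sits in is still rejected; that is the detection point a fuzzer or an IPP-aware IDS rule would key on.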
Created attachment 134186 [details, diff]
Created attachment 134187 [details, diff]
Created attachment 134188 [details, diff]
Hi Genstef, if you want stable testing before the disclosure date please attach updated ebuilds to this bug. Do not commit anything yet.
public now. printing, any news here?
*** Bug 197868 has been marked as a duplicate of this bug. ***
Printing please advise.
Bumped versions for cups 1.1 and 1.2 which apply the patch for CVE-2007-4351:
Added new upstream version for cups 1.3 and removed the vulnerable cups-1.3.3.ebuild from the tree:
I removed the cups-1.1 fixed ebuild again and made sure that it's obvious that 1.1 is unmaintained and suffers from more bugs.
Sorry for the confusion.
Arches, please test and mark stable net-print/cups-1.2.12-r2.
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
alpha/ia64 stable, thanks Tobias
GLSA 200711-16, sorry for the delay.