Bug 263070 (CVE-2009-0163) - <net-print/cups-1.3.10 Multiple vulnerabilities (CVE-2009-{0163,0164})
Summary: <net-print/cups-1.3.10 Multiple vulnerabilities (CVE-2009-{0163,0164})
Status: RESOLVED FIXED
Alias: CVE-2009-0163
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.cups.org/articles.php?L582
Whiteboard: A2? [glsa]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2009-03-19 19:38 UTC by Alex Legler (RETIRED)
Modified: 2009-04-29 15:46 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Attachments
Patch for CVE-2009-0163 (cups-CVE-2009-0163.patch,556 bytes, patch)
2009-03-19 19:53 UTC, Alex Legler (RETIRED)
Patch for CVE-2009-0164 (cups-CVE-2009-0164.patch,13.84 KB, patch)
2009-03-19 19:54 UTC, Alex Legler (RETIRED)
Patch for issue #3: Makes cups use external pdftops (cups-str3129.patch,16.89 KB, patch)
2009-03-19 19:56 UTC, Alex Legler (RETIRED)
Revised patch for CVE-2009-0164 (cups-CVE-2009-0164.patch,16.47 KB, patch)
2009-04-02 10:05 UTC, Robert Buchholz (RETIRED)
cups-1.3.9-r2.tar.bz2 (cups-1.3.9-r2.tar.bz2,13.00 KB, application/octet-stream)
2009-04-07 11:49 UTC, Timo Gurr (RETIRED)
cups-1.3.9-CVE-2009-0163.patch [with unix newlines that patch accepts] (cups-1.3.9-CVE-2009-0163.patch,563 bytes, patch)
2009-04-13 03:25 UTC, Jeroen Roovers

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-19 19:38:59 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Drew Yao and Aaron Sigel of Apple Product Security disclosed multiple vulnerabilities in CUPS:

CVE-2009-0163: Heap-based buffer overflow in the "imagetops" filter (_cupsImageReadTIFF()), possibly leading to the execution of arbitrary code.

CVE-2009-0164: The web interface is vulnerable to DNS rebinding attacks.

CUPS is vulnerable to the issues found in xpdf/poppler (CVE-2009-0166, CVE-2009-0146, CVE-2009-0147) as well. CUPS 1.3.10 will resolve this by removing the internal filter and calling the system-installed pdftops.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-19 19:46:13 UTC
No commits into CVS, please. I'll add patches, we can do prestabling here.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-19 19:53:00 UTC
Created attachment 185565 [details, diff]
Patch for CVE-2009-0163
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-19 19:54:35 UTC
Created attachment 185566 [details, diff]
Patch for CVE-2009-0164

This patch introduces host header validation and a new configuration option "ServerAlias".
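The check described in this comment, written out as an added illustration (this is not the CUPS patch or any CUPS code): a DNS rebinding defence works by refusing requests whose HTTP Host header does not name the server itself, using the configured server name and aliases as an allowlist. The configuration values, the loopback shortcuts and the matching rules below are assumptions chosen for the example.

```c
/* Added example, not CUPS code: allowlist validation of the HTTP Host
 * header against a configured ServerName and ServerAlias list. The
 * server names here are constructed; the matching rules (case-insensitive
 * comparison, optional :port suffix, loopback always accepted) are
 * assumptions for illustration, not a description of CUPS's behaviour. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed configuration: the names this server is willing to answer to. */
static const char *server_name = "printserver.example.internal";
static const char *server_aliases[] = { "printserver", "cups.example.internal", NULL };

/* Case-insensitive comparison of a host of known length with a configured name. */
static bool name_equals(const char *host, size_t hostlen, const char *name)
{
    if (strlen(name) != hostlen)
        return false;
    for (size_t i = 0; i < hostlen; i++)
        if (tolower((unsigned char)host[i]) != tolower((unsigned char)name[i]))
            return false;
    return true;
}

/* Length of the host part without an optional ":port"; a bracketed IPv6
 * literal keeps its brackets so "[::1]:631" compares as "[::1]". */
static size_t host_without_port(const char *host)
{
    size_t full = strlen(host);
    if (host[0] == '[') {
        const char *close = strchr(host, ']');
        return close ? (size_t)(close - host + 1) : full;
    }
    const char *colon = strchr(host, ':');
    return colon ? (size_t)(colon - host) : full;
}

/* Returns true only when the Host header names this server. A missing or
 * empty header, or a name that merely resolves to this address (the DNS
 * rebinding case), is rejected before any request handling happens. */
bool host_header_allowed(const char *host)
{
    if (host == NULL || host[0] == '\0')
        return false;
    size_t len = host_without_port(host);
    if (len == 0)
        return false;
    /* Loopback names always refer to the server itself. */
    if (name_equals(host, len, "localhost") || name_equals(host, len, "127.0.0.1") ||
        name_equals(host, len, "[::1]"))
        return true;
    if (name_equals(host, len, server_name))
        return true;
    for (const char **alias = server_aliases; *alias != NULL; alias++)
        if (name_equals(host, len, *alias))
            return true;
    return false;
}

int main(void)
{
    /* Constructed sample Host header values. */
    const char *samples[] = { "localhost:631", "PrintServer", "[::1]:631",
                              "rebound.attacker.example:631", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %s\n", samples[i],
               host_header_allowed(samples[i]) ? "accept" : "reject with 400 Bad Request");
    return 0;
}
```

A request that fails the check should be answered with an error status rather than served, which is why the documentation change mentioned in comment 5 matters: users who reach the web interface by a name that is neither ServerName nor a ServerAlias will be turned away after the fix.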
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-19 19:56:30 UTC
Created attachment 185568 [details, diff]
Patch for issue #3: Makes cups use external pdftops
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 10:05:15 UTC
Created attachment 187055 [details, diff]
Revised patch for CVE-2009-0164

Upstream revised the patch and added documentation updates for the user impact of the DNS rebinding protection.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-04-06 10:18:12 UTC
The embargo is probably going to be postponed to 2009-04-16.
Comment 7 Timo Gurr (RETIRED) gentoo-dev 2009-04-07 11:49:00 UTC
Created attachment 187556 [details]
cups-1.3.9-r2.tar.bz2

The tarball includes only the new files; just copy them into your local tree and manifest.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-04-12 17:23:49 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, tester
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : fmccor
     x86 : armin76, maekke
Comment 9 Jeroen Roovers gentoo-dev 2009-04-13 03:25:48 UTC
Created attachment 188179 [details, diff]
cups-1.3.9-CVE-2009-0163.patch [with unix newlines that patch accepts]

The tarball contains a "files/cups-1.3.9-CVE-2009-0163.patch" [noeol][dos] (according to vim) that patch doesn't accept.
Comment 10 Jeroen Roovers gentoo-dev 2009-04-13 04:03:18 UTC
(In reply to comment #9)
> Created an attachment (id=188179) [edit]
> cups-1.3.9-CVE-2009-0163.patch [with unix newlines that patch accepts]
> 
> The tarball contains a "files/cups-1.3.9-CVE-2009-0163.patch" [noeol][dos]
> (according to vim) that patch doesn't accept.

With that in place, HPPA is OK.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 21:54:13 UTC
This is now public. CUPS 1.3.10 fixes the issue.

Feel free to either bump to the prestable-tested version or to the version bump, since only hppa replied (thanks Jeroen! I know I can count on you :-)
Comment 12 Timo Gurr (RETIRED) gentoo-dev 2009-04-17 01:19:18 UTC
I've just committed cups-1.3.10.ebuild to the tree.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-04-17 09:29:51 UTC
Arches, please test and mark stable:
=net-print/cups-1.3.10
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 14 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2009-04-17 22:41:00 UTC
amd64 stable
Comment 15 Markus Meier gentoo-dev 2009-04-18 12:02:51 UTC
x86 stable
Comment 16 Brent Baude (RETIRED) gentoo-dev 2009-04-18 13:14:43 UTC
ppc64 done
Comment 17 Brent Baude (RETIRED) gentoo-dev 2009-04-18 13:14:50 UTC
ppc done
Comment 18 Jeroen Roovers gentoo-dev 2009-04-18 17:05:25 UTC
Stable for HPPA.
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2009-04-20 15:55:34 UTC
arm/ia64/m68k/s390/sh/sparc stable
Comment 20 Tobias Klausmann gentoo-dev 2009-04-21 19:30:48 UTC
Stable on alpha.
Comment 21 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-21 19:40:31 UTC
glsa already filed by a3li.
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-23 21:57:44 UTC
GLSA 200904-20
Comment 23 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-29 15:46:26 UTC
CVE-2009-0163 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0163):
  Integer overflow in the TIFF image decoding routines in CUPS 1.3.9
  and earlier allows remote attackers to cause a denial of service
  (daemon crash) and possibly execute arbitrary code via a crafted TIFF
  image, which is not properly handled by the (1) _cupsImageReadTIFF
  function in the imagetops filter and (2) imagetoraster filter,
  leading to a heap-based buffer overflow.

CVE-2009-0164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0164):
  The web interface for CUPS before 1.3.10 does not validate the HTTP
  Host header in a client request, which makes it easier for remote
  attackers to conduct DNS rebinding attacks.
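The NVD text for CVE-2009-0163 describes an integer overflow in the TIFF decoding path that turns into a heap-based buffer overflow. The defensive pattern that closes this class of bug is to derive the raster buffer size from untrusted header fields with bounds and overflow checks before allocating. The block below is an added illustration of that pattern and is not CUPS code; the field names, dimension limits and size cap are assumptions chosen for the example.

```c
/* Added example, not CUPS code: overflow-checked computation of an image
 * buffer size from untrusted TIFF header fields. A bare width*height*depth
 * multiplication can wrap to a small value, so a later write of the real
 * pixel data overruns the heap allocation; checking every step prevents
 * that. Field names, limits and the size cap are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIMENSION   65535u                  /* assumed per-axis limit */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)  /* assumed 256 MiB raster cap */

/* Header fields as read from an untrusted file (constructed struct). */
struct tiff_dims {
    uint32_t width;
    uint32_t height;
    uint32_t samples_per_pixel;   /* 1 gray, 3 RGB, 4 CMYK */
    uint32_t bits_per_sample;     /* 1, 8 or 16 */
};

/* Multiply with overflow detection: 0 on success, -1 if a*b would wrap. */
static int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Computes the byte size of a packed raster. Returns 0 and writes *bytes on
 * success; returns -1 when a field is out of range, a product would
 * overflow, or the result exceeds the cap. */
int image_buffer_size(const struct tiff_dims *d, size_t *bytes)
{
    if (d->width == 0 || d->height == 0 ||
        d->width > MAX_DIMENSION || d->height > MAX_DIMENSION)
        return -1;
    if (d->samples_per_pixel == 0 || d->samples_per_pixel > 4)
        return -1;
    if (d->bits_per_sample != 1 && d->bits_per_sample != 8 && d->bits_per_sample != 16)
        return -1;

    /* Bits per scanline, then bytes rounded up so 1-bit rows pack correctly. */
    size_t bits_per_row;
    if (mul_checked(d->width, (size_t)d->samples_per_pixel * d->bits_per_sample, &bits_per_row))
        return -1;
    size_t row_bytes = (bits_per_row + 7) / 8;

    size_t total;
    if (mul_checked(row_bytes, d->height, &total))
        return -1;
    if (total > MAX_IMAGE_BYTES)
        return -1;

    *bytes = total;
    return 0;
}

/* Allocates the raster only after the size has been validated; NULL otherwise. */
unsigned char *allocate_raster(const struct tiff_dims *d, size_t *bytes)
{
    if (image_buffer_size(d, bytes) != 0)
        return NULL;
    return calloc(*bytes, 1);
}

int main(void)
{
    struct tiff_dims good    = { 640, 480, 3, 8 };
    struct tiff_dims hostile = { 0xFFFFFFFFu, 0xFFFFFFFFu, 4, 8 };  /* constructed crafted header */
    size_t n = 0;

    unsigned char *buf = allocate_raster(&good, &n);
    printf("640x480 RGB8   : %zu bytes, %s\n", n, buf ? "allocated" : "rejected");
    free(buf);

    printf("crafted header : %s\n", allocate_raster(&hostile, &n) ? "allocated" : "rejected");
    return 0;
}
```

The per-axis limits alone already keep the product inside 64 bits here; the explicit `mul_checked` step is kept so the same routine stays safe if the limits are relaxed or the code is built where `size_t` is 32 bits, which is exactly the situation the NVD description covers.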