Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 295256 (CVE-2009-3553) - <net-print/cups-1.3.11-r2 File descriptor handling Use-after-free (crash) (CVE-2009-3553)
Summary: <net-print/cups-1.3.11-r2 File descriptor handling Use-after-free (crash) (CV...
Alias: CVE-2009-3553
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on:
Reported: 2009-11-30 22:32 UTC by Timo Gurr (RETIRED)
Modified: 2012-07-09 23:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Timo Gurr (RETIRED) gentoo-dev 2009-11-30 22:32:11 UTC
An use-after-free flaw was found in the way CUPS handled references in its
file descriptors handling interface. A remote attacker could, in a
specially-crafted way, query for the list of current print jobs for a
specific printer, leading to a denial of service (cupsd crash).

Upstream bug report:

Reproducer from upstream STR#3200 issue:
1. produce 300 active jobs on the CUPS server.
2. extract to any directory
3. execute: java -cp "cups-java-client-1.3.jar";. TestCupsGetJobs
  (replace with your server address)

Suggestion (tgurr):
Stabilize =net-print/cups-1.3.11-r2 which has the security patches provided by
upstream applied (Note: =net-print/cups-1.4.2-r1 is patched as well).

NOTE: Please delete your already downloaded cups-1.3.11-source.tar.bz2 from distfiles when stabilizing because of upstream tarball ping-pong ...
Wrong size:   DIST cups-1.3.11-source.tar.bz2 3799424 RMD160
Correct size: DIST cups-1.3.11-source.tar.bz2 3799393 RMD160
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-01 06:29:42 UTC
CVE-2009-3553 (
  Use-after-free vulnerability in the abstract file-descriptor handling
  interface in the cupsdDoSelect function in scheduler/select.c in the
  scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers
  to cause a denial of service (daemon crash or hang) via a client
  disconnection during listing of a large number of print jobs, related
  to improperly maintaining a reference count.  NOTE: some of these
  details are obtained from third party information.

Comment 2 Kelly Price 2010-01-10 22:51:11 UTC
The new file size breaks net-print/cups-1.3.11-r1.  Trying out the -r2.
Comment 3 Pacho Ramos gentoo-dev 2010-07-03 10:46:26 UTC
Why is net-print/cups-1.3.11-r2 not being stabilized?
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2010-07-03 12:35:29 UTC
(In reply to comment #3)
> Why is net-print/cups-1.3.11-r2 not being stabilized?

Because arches have not been added to CC, thanks! Doing so now.

Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-07-03 12:36:18 UTC
Oops, wrong version, should have been:

Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-07-04 11:11:30 UTC
x86 stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2010-07-08 16:15:03 UTC
ppc64 done
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-10 17:54:24 UTC
Stable for HPPA.
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2010-07-11 09:28:12 UTC
Stable on alpha.
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2010-07-12 17:38:39 UTC
amd64 done
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2010-07-17 16:39:16 UTC
arm/ia64/m68k/s390/sh/sparc stable
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2010-07-18 19:01:06 UTC
Marked ppc stable.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:28:33 UTC
xiexie, folks. GLSA request filed.
Comment 14 Andreas K. Hüttel archtester gentoo-dev 2011-06-03 21:43:55 UTC
Thanks guys. No vulnerable version left in the tree. 
Nothing left to do for printing.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 23:37:08 UTC
This issue was resolved and addressed in
 GLSA 201207-10 at
by GLSA coordinator Sean Amoss (ackle).