Bug 308045 (CVE-2010-0302) - <net-print/cups-1.4.6-r2: multiple vulnerabilities (CVE-2010-{0302,0393})
Status: RESOLVED FIXED
Alias: CVE-2010-0302
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Keywords:
Depends on: cups-1.4
Blocks:
Reported: 2010-03-06 15:33 UTC by Stefan Behte (RETIRED)
Modified: 2012-07-09 23:37 UTC (History)
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:33:06 UTC
CVE-2010-0302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0302):
  Use-after-free vulnerability in the abstract file-descriptor handling
  interface in the cupsdDoSelect function in scheduler/select.c in the
  scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when
  kqueue or epoll is used, allows remote attackers to cause a denial of
  service (daemon crash or hang) via a client disconnection during
  listing of a large number of print jobs, related to improperly
  maintaining a reference count.  NOTE: some of these details are
  obtained from third party information.  NOTE: this vulnerability
  exists because of an incomplete fix for CVE-2009-3553.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:47:32 UTC
CVE-2010-0393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0393):
  The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS
  1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to
  determine the file that provides localized message strings, which
  allows local users to gain privileges via a file that contains
  crafted localization data with format string specifiers.
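
The class of bug described for CVE-2010-0393 above, as an added example that is not part of this bug report or of the CUPS source: a C check that a message loaded from a localization file uses exactly the same printf conversions as the trusted built-in string before it is used as a format. The names `next_conv` and `format_compatible` and the sample strings are assumptions constructed here, and the check does not represent the upstream CUPS fix.

```c
#include <stdio.h>
#include <string.h>

/* Find the next printf conversion; copy length modifier + letter to out.
 * Returns 1 if found, 0 at end, -1 if malformed or rejected (%n, '*', '$'). */
static int next_conv(const char **p, char out[4])
{
    const char *s = *p;
    size_t n = 0;
    while ((s = strchr(s, '%')) != NULL && s[1] == '%')
        s += 2;                                /* "%%" is a literal percent */
    if (s == NULL)
        return 0;
    s += 1 + strspn(s + 1, "-+ #0");           /* skip '%' and flags */
    s += strspn(s, "0123456789");              /* width */
    if (*s == '.')
        s += 1 + strspn(s + 1, "0123456789");  /* precision */
    while (*s && strchr("hljztL", *s) && n < 2)
        out[n++] = *s++;                       /* length modifier */
    if (*s == '\0' || strchr("diouxXeEfgGcsp", *s) == NULL)
        return -1;                             /* conservative allow-list */
    out[n++] = *s++;
    out[n] = '\0';
    *p = s;
    return 1;
}

/* 1 only if `translated` consumes the same argument types, in the same
 * order, as the trusted built-in string `source`. */
int format_compatible(const char *source, const char *translated)
{
    char a[4], b[4];
    int ra, rb;
    do {
        ra = next_conv(&source, a);
        rb = next_conv(&translated, b);
        if (ra < 0 || ra != rb || (ra == 1 && strcmp(a, b) != 0))
            return 0;
    } while (ra == 1);
    return 1;
}

int main(void)
{
    /* Constructed sample: built-in message and an untrusted catalog entry. */
    const char *msgid = "user \"%s\" has %d jobs\n", *entry = "%s %s %s %s\n";
    printf(format_compatible(msgid, entry) ? entry : msgid, "alice", 3);
    return 0;
}
```

The allow-list also rejects positional (`%1$s`) conversions, which some legitimate translations use; accepting them would require comparing argument indexes rather than order.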

Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 11:06:54 UTC
There are some upstream patches available, not sure if they are already applied:

http://cups.org/strfiles/3490/0001-More-complete-fix-for-CVE-2009-3553.patch
http://www.cups.org/str.php?L3482
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2011-06-05 18:42:18 UTC
(In reply to comment #0)
> CVE-2010-0302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0302):
>   Use-after-free vulnerability in the abstract file-descriptor handling
>   interface in the cupsdDoSelect function in scheduler/select.c in the
>   scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when
>   kqueue or epoll is used, allows remote attackers to cause a denial of
>   service (daemon crash or hang) via a client disconnection during
>   listing of a large number of print jobs, related to improperly
>   maintaining a reference count.  NOTE: some of these details are
>   obtained from third party information.  NOTE: this vulnerability
>   exists because of an incomplete fix for CVE-2009-3553.

Just going after the version numbers, this should be fixed in the tree versions (1.3.11 and 1.4.6).

(In reply to comment #1)
> CVE-2010-0393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0393):
>   The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS
>   1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to
>   determine the file that provides localized message strings, which
>   allows local users to gain privileges via a file that contains
>   crafted localization data with format string specifiers.

Ditto.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-06-12 18:54:08 UTC
CVE-2010-0302 is fixed in 1.4.4 per: http://cups.org/articles.php?L596
CVE-2010-0393 was fixed in 1.4.3 per: http://cups.org/articles.php?L594

I do not see reference to either issue being fixed in 1.3.11 per http://cups.org/articles.php?L586. Please let me know if I am missing something. Thanks.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 15:50:08 UTC
Fixed in net-print/cups-1.4.6-r2 via bug 333781. GLSA Vote: yes.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:08:47 UTC
Vote: YES. Added to pending GLSA request.
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2012-01-15 20:42:35 UTC
No vulnerable version in the tree anymore.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 23:37:10 UTC
This issue was resolved and addressed in
 GLSA 201207-10 at http://security.gentoo.org/glsa/glsa-201207-10.xml
by GLSA coordinator Sean Amoss (ackle).