CVE-2010-0302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0302): Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553.
CVE-2010-0393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0393): The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS 1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to determine the file that provides localized message strings, which allows local users to gain privileges via a file that contains crafted localization data with format string specifiers.
There are some upstream patches available, not sure if they are already applied:
http://cups.org/strfiles/3490/0001-More-complete-fix-for-CVE-2009-3553.patch
http://www.cups.org/str.php?L3482
(In reply to comment #0)
> CVE-2010-0302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0302):
> Use-after-free vulnerability in the abstract file-descriptor handling
> interface in the cupsdDoSelect function in scheduler/select.c in the
> scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when
> kqueue or epoll is used, allows remote attackers to cause a denial of
> service (daemon crash or hang) via a client disconnection during
> listing of a large number of print jobs, related to improperly
> maintaining a reference count. NOTE: some of these details are
> obtained from third party information. NOTE: this vulnerability
> exists because of an incomplete fix for CVE-2009-3553.

Just going after the version numbers, this should be fixed in the tree versions (1.3.11 and 1.4.6).

(In reply to comment #1)
> CVE-2010-0393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0393):
> The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS
> 1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to
> determine the file that provides localized message strings, which
> allows local users to gain privileges via a file that contains
> crafted localization data with format string specifiers.

Ditto.
CVE-2010-0302 is fixed in 1.4.4 per: http://cups.org/articles.php?L596
CVE-2010-0393 was fixed in 1.4.3 per: http://cups.org/articles.php?L594

I do not see reference to either issue being fixed in 1.3.11 per http://cups.org/articles.php?L586. Please let me know if I am missing something. Thanks.
Fixed in net-print/cups-1.4.6-r2 via bug 333781. GLSA Vote: yes.
Vote: YES. Added to pending GLSA request.
No vulnerable version in the tree anymore.
This issue was resolved and addressed in GLSA 201207-10 at http://security.gentoo.org/glsa/glsa-201207-10.xml by GLSA coordinator Sean Amoss (ackle).