[Pkg-cups-devel] cupsys: CVE-2008-{0047,0882}

Martin Pitt mpitt at debian.org
Sat Mar 22 12:28:00 UTC 2008


Hi security team,

(CCing Ubuntu security team, since the patches apply to Ubuntu
stables as well).

I prepared an updated etch-security package for two recent CUPS
vulnerabilities:

* CVE-2008-0047:
  Heap-based buffer overflow in CUPS, when printer sharing is enabled,
  allows remote attackers to execute arbitrary code via crafted search
  expressions.

  Upstream: http://www.cups.org/str.php?L2729 (not public yet)
  Debian bug: http://bugs.debian.org/472105
  Debian fixed version: 1.3.6-3 (just uploaded to unstable, not in testing yet)
  Ubuntu Hardy fixed version: 1.3.6-3ubuntu1

* CVE-2008-0882:
  Double free vulnerability in the process_browse_data function in CUPS
  1.3.5 allows remote attackers to cause a denial of service (daemon
  crash) and possibly execute arbitrary code via crafted packets to the
  cupsd port (631/udp), related to an unspecified manipulation of a
  remote printer.

  Upstream: http://www.cups.org/str.php?L2656
  Debian bug: http://bugs.debian.org/467653
  Debian fixed version: 1.3.6-1 (unstable and testing)
  Ubuntu Hardy fixed version: 1.3.6-1ubuntu1

Tested debdiff for 1.2.7-4etch2 -> 1.2.7-4etch3 attached. This also
contains a tiny fix to make the test suite work. It does not affect
the binaries in any way (the test suite is not shipped), and helps to make
the test suite run at all. BTW, it fails on two tests; I did not fix
that for stables, it's fixed in unstable. I can back it out again if
you really want to, but I recommend keeping it.

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
diff -u cupsys-1.2.7/debian/patches/00list cupsys-1.2.7/debian/patches/00list
--- cupsys-1.2.7/debian/patches/00list
+++ cupsys-1.2.7/debian/patches/00list
@@ -46,3 +46,2 @@
-
-
-
+72_CVE-2008-0047.dpatch
+73_CVE-2008-0882.dpatch
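Review bot: the three removed lines in this 00list hunk are blank, so the -3/+2 counts only balance because trailing whitespace is being dropped at the same time; worth a glance that no existing entry at the end of 00list was lost and that the two new entries are appended after the last active patch, since 00list order is application order and 73_CVE-2008-0882 touches scheduler/dirsvc.c, which earlier patches may also modify.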
diff -u cupsys-1.2.7/debian/patches/47_pid.dpatch cupsys-1.2.7/debian/patches/47_pid.dpatch
--- cupsys-1.2.7/debian/patches/47_pid.dpatch
+++ cupsys-1.2.7/debian/patches/47_pid.dpatch
@@ -103,0 +104,11 @@
+--- cupsys-1.2.6/test/run-stp-tests.sh        2007-07-11 23:46:42.000000000 +0200
++++ cupsys-1.2.6/test/run-stp-tests.sh 2008-03-16 14:26:48.000000000 +0100
+@@ -302,6 +302,7 @@
+ DocumentRoot $root/doc
+ RequestRoot /tmp/cups-$user/spool
+ TempDir /tmp/cups-$user/spool/temp
++PidFile /tmp/cups-$user/cupsd.pid
+ MaxLogSize 0
+ AccessLog /tmp/cups-$user/log/access_log
+ ErrorLog /tmp/cups-$user/log/error_log
+
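Review bot: this appends an unrelated test-suite change (PidFile in test/run-stp-tests.sh) to 47_pid.dpatch, whose existing description presumably covers pid-file handling in the daemon, not the self test; since the cover mail offers to back this change out separately, it would be cleaner as its own dpatch (e.g. a 74_test_pidfile.dpatch) with a DP: line saying it only affects run-stp-tests.sh, so it can be dropped without re-rolling the security patches. The trailing "+" line at the end of the hunk also adds an empty line to the dpatch.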
diff -u cupsys-1.2.7/debian/changelog cupsys-1.2.7/debian/changelog
--- cupsys-1.2.7/debian/changelog
+++ cupsys-1.2.7/debian/changelog
@@ -1,3 +1,19 @@
+cupsys (1.2.7-4etch3) stable-security; urgency=low
+
+  * Add 72_CVE-2008-0047.dpatch:  Fix buffer overflow in cgiCompileSearch()
+    using crafted search expressions. Exploitable if printer sharing is
+    enabled. (CVE-2008-0047, STR #2729, Closes: #472105)
+  * Add 73_CVE-2008-0882.dpatch: Fix double-free in process_browse_data(),
+    which could be exploited to a remote DoS by sending crafted data to the
+    cups UDP port. Thanks to Nico Golde for the report and dpatchifying!
+    (CVE-2008-0882, STR #2656, Closes: #467653)
+  * 47_pid.dpatch: Specify PidFile in temporary directory in the self test's
+    cupsd.conf. This affects the test suite (in the sense that it actually
+    works now) and does not affect the built binaries at all. (Backported from
+    trunk).
+
+ -- Martin Pitt <mpitt at debian.org>  Sat, 22 Mar 2008 13:12:42 +0100
+
 cupsys (1.2.7-4etch2) stable-security; urgency=low
 
   * Fix CVE-2007-5849 and CVE-2007-6358.
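Review bot: the new entry keeps urgency=low for a stable-security upload that fixes a remotely triggerable heap overflow and a double free; Debian security uploads are customarily marked urgency=high, so consider changing it (the previous etch2 entry has the same low urgency, so this is at least consistent). Minor style: the first bullet has a double space after the colon ("72_CVE-2008-0047.dpatch:  Fix") where the second bullet has one.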
only in patch2:
unchanged:
--- cupsys-1.2.7.orig/debian/patches/72_CVE-2008-0047.dpatch
+++ cupsys-1.2.7/debian/patches/72_CVE-2008-0047.dpatch
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cgiCompileSearch_buffer_overflow.dpatch by  <mpitt at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix buffer overflow in cgiCompileSearch() when using crafted search
+## DP: queries, when printer sharing is enabled. (CVE-2008-0047, STR #2729)
+
+ at DPATCH@
+diff -urNad trunk~/cgi-bin/search.c trunk/cgi-bin/search.c
+--- trunk~/cgi-bin/search.c	2008-01-16 23:20:33.000000000 +0100
++++ trunk/cgi-bin/search.c	2008-03-22 12:33:49.000000000 +0100
+@@ -167,7 +167,9 @@
+       * string + RE overhead...
+       */
+ 
+-      wlen = (sptr - s) + 4 * wlen + 2 * strlen(prefix) + 4;
++      wlen = (sptr - s) + 2 * 4 * wlen + 2 * strlen(prefix) + 11;
++      if (lword)
++        wlen += strlen(lword);
+ 
+       if (wlen > slen)
+       {
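Review bot: the new size formula replaces "4 * wlen + ... + 4" with "2 * 4 * wlen + ... + 11" plus strlen(lword), but the comment above it still just says "string + RE overhead..."; the constants should be explained in place (why each input character may now expand to up to 8 bytes of escaped regex, what the 11 fixed bytes account for, and why lword is added), otherwise the next person touching this line cannot tell whether the bound is tight or merely sufficient. Also check the dpatch header: it is named "cgiCompileSearch_buffer_overflow.dpatch by  <mpitt at debian.org>" (author name missing, filename differs from 72_CVE-2008-0047.dpatch), and the marker appears here as " at DPATCH@"; that is the list archive mangling "@DPATCH@", and the file on disk must contain the literal "@DPATCH@" or dpatch-run will not find the patch body.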
only in patch2:
unchanged:
--- cupsys-1.2.7.orig/debian/patches/73_CVE-2008-0882.dpatch
+++ cupsys-1.2.7/debian/patches/73_CVE-2008-0882.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2008-0882.dpatch by Nico Golde <nion at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix double-free in process_browse_data(), which could be
+## DP: exploited to a remote DoS by sending crafted data to the cups
+## DP: UDP port. (CVE-2008-0882, STR #2656)
+
+ at DPATCH@
+diff -urNad cupsys-1.3.5~/scheduler/dirsvc.c cupsys-1.3.5/scheduler/dirsvc.c
+--- cupsys-1.3.5~/scheduler/dirsvc.c	2007-12-06 21:44:04.000000000 +0100
++++ cupsys-1.3.5/scheduler/dirsvc.c	2008-03-10 16:26:44.000000000 +0100
+@@ -1793,9 +1793,9 @@
+     if (hptr && !*hptr)
+       *hptr = '.';			/* Resource FQDN */
+ 
+-    if ((p = cupsdFindClass(name)) == NULL && BrowseShortNames)
++    if ((p = cupsdFindDest(name)) == NULL && BrowseShortNames)
+     {
+-      if ((p = cupsdFindClass(resource + 9)) != NULL)
++      if ((p = cupsdFindDest(resource + 9)) != NULL)
+       {
+         if (p->hostname && strcasecmp(p->hostname, host))
+ 	{
+@@ -1900,9 +1900,9 @@
+     if (hptr && !*hptr)
+       *hptr = '.';			/* Resource FQDN */
+ 
+-    if ((p = cupsdFindPrinter(name)) == NULL && BrowseShortNames)
++    if ((p = cupsdFindDest(name)) == NULL && BrowseShortNames)
+     {
+-      if ((p = cupsdFindPrinter(resource + 10)) != NULL)
++      if ((p = cupsdFindDest(resource + 10)) != NULL)
+       {
+         if (p->hostname && strcasecmp(p->hostname, host))
+ 	{
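Review bot: the diff headers reference cupsys-1.3.5~/scheduler/dirsvc.c at offsets 1793 and 1900, while this dpatch is being applied to the 1.2.7 etch source; the cover mail says the debdiff was tested, but it is worth stating in the DP: description that the hunks apply with offset and that cupsdFindDest() exists in the 1.2.7 scheduler, since the fix depends on it. A one-line comment at each changed call would also help: switching from cupsdFindClass()/cupsdFindPrinter() to cupsdFindDest() means a browse packet for a class whose name already exists as a printer (or vice versa) now finds the existing destination instead of creating a second one, which is what led to the double free. The magic offsets resource + 9 and resource + 10 ("/classes/" and "/printers/") are pre-existing and unchanged.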