Subject: CUPS DoS Bugs
From: Jeff Licquia (jeff LUCI.ORG)
Date: Tue Jun 20 2000 - 13:20:02 CDT
A Debian user (thanks, Alexander Hvostov!) reported a DoS bug in
Debian's CUPS packages (cupsys). After working with the vendor on the
issue, they subsequently discovered a few more. The original bug, at
least, is remotely exploitable. The beta versions of CUPS 1.1 are not
vulnerable, at least since beta 3.
A patch is available from Easy Software Products at:
ftp://ftp.easysw.com/pub/cups/1.0.5
Debian 2.1 ("slink") is unaffected, as it does not include the cupsys
packages. Debian 2.2 ("potato") and Debian unstable ("woody") are
affected. The fixed packages are version 1.0.4-7; they will be
installed as part of the next Test Cycle for potato. They are also
available (for i386) at:
http://www.debian.org/~licquia/cupsys_1.0.4-7_i386.deb
http://www.debian.org/~licquia/cupsys-bsd_1.0.4-7_i386.deb
http://www.debian.org/~licquia/libcupsys1_1.0.4-7_i386.deb
http://www.debian.org/~licquia/libcupsys1-dev_1.0.4-7_i386.deb
For other architectures (or if you prefer building from source), here
is the patch to build the packages:
http://www.debian.org/~licquia/cupsys_1.0.4-7.diff.gz
My thanks to the original reporter of the bug, Alexander Hvostov, for
his patience, and to Easy Software Products and Michael Sweet for
being both responsive and responsible.
Here is the blurb from the top of the vendor patch file:
-----
CUPS 1.0.5 Denial of Service Patch Set #1 - 06/16/2000
------------------------------------------------------
This patch file fixes potential Denial-of-Service bugs in CUPS 1.0.5.
These fixes are also part of CUPS 1.1b3 and beyond.
Specific DoS fixes:
- Malformed IPP requests could crash cupsd.
- Standard CGI form POSTs could crash cupsd.
- The cupsd program did not always delete request files when
needed.
- Authenticating with a non-existent user or a user with
no shadow password could crash cupsd.
This patch set also includes:
- cupsSystem() didn't close the cupsd.conf file.
- The texttops filter made underlines that were too
thick.
- The lpstat command didn't show a device for remote
printers, and would stop the listing prematurely.
- The lpstat command didn't show printers after the
first printer with an active job.
- Remote raw IPP printing didn't pass the raw option
properly.
Please report any problems with this patch to "cups-support
cups.org".