Date: Wed, 20 Feb 2008 11:53:41 -0900 From: Jonathan Smith <smithj@...ethemallocs.com> To: oss-security@...ts.openwall.com CC: "Steven M. Christey" <coley@...us.mitre.org> Subject: CVE request: cups -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OK, lets start actually using this list... below is an advisory from secunia detailing a cups DoS. Steve, could we get a CVE assigned? Attached is the patch upstream used to fix it (against 1.1.23, but it is the same for other versions, just with a different offset). smithj Secunia Security Advisories wrote: | TITLE: | CUPS "process_browse_data()" Double Free Vulnerability | | SECUNIA ADVISORY ID: | SA28994 | | VERIFY ADVISORY: | http://secunia.com/advisories/28994/ | | CRITICAL: | Moderately critical | | IMPACT: | DoS, System access | | WHERE: | From local network | | SOFTWARE: | CUPS 1.x | http://secunia.com/product/921/ | | DESCRIPTION: | A vulnerability has been discovered in CUPS, which can be exploited | by malicious people to cause a DoS (Denial of Service) or to | potentially compromise a vulnerable system. | | The vulnerability is caused due to an error within the | "process_browse_data()" function when adding printers and classes. | This can be exploited to free the same buffer twice by sending | specially crafted browser packets to the UDP port on which cupsd is | listening (by default port 631/UDP). | | Successful exploitation may allow execution of arbitrary code. | | The vulnerability is confirmed in version 1.3.5. Prior versions may | also be affected. | | SOLUTION: | Update to version 1.3.6. | | PROVIDED AND/OR DISCOVERED BY: | Reported as a CUPS bug by h.blischke. | | ORIGINAL ADVISORY: | http://www.cups.org/str.php?L2656 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.8 (GNU/Linux) iEYEARECAAYFAke8k1UACgkQCG91qXPaRemo6ACgkzBRHnntL1EFvNm7vEjLVAna Ym0An2Ptrg2M20FJL7WX+XYVJCDENJO4 =iA0l -----END PGP SIGNATURE----- View attachment "cups-double-free.patch" of type "text/x-patch" (472 bytes) Download attachment "cups-double-free.patch.sig" of type "application/pgp-signature" (72 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ