Date: Wed, 19 Nov 2008 17:54:49 -0800
From: Michael Sweet <mike@...ysw.com>
To: Eygene Ryabinkin <rea-sec@...elabs.ru>
CC: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...re.org>
Subject: Re: CVE request: CUPS DoS via RSS subscriptions

Eygene Ryabinkin wrote:
> Josh, Mike, *, good day.
>
> Wed, Nov 19, 2008 at 03:14:43PM -0500, Josh Bressers wrote:
>> So from looking at cups 1.3.7 on Fedora 8, here is what I see:
>>
>> (gdb) bt
>> #0 create_subscription (con=0xb88975c0, uri=0xb889ae00) at ipp.c:5858
>> #1 0xb7facba7 in cupsdProcessIPPRequest (con=0xb88975c0) at ipp.c:615
>> #2 0xb7f88bfc in cupsdReadClient (con=0xb88975c0) at client.c:2253
>> #3 0xb7fc0606 in cupsdDoSelect (timeout=1) at select.c:537
>> #4 0xb7f98710 in main (argc=1, argv=0xbfdd6194) at main.c:817
>> (gdb) list
>> 5853 else if (printer)
>> 5854 cupsdLogMessage(CUPSD_LOG_DEBUG,
>> 5855 "Added subscription %d for printer \"%s\"",
>> 5856 sub->id, printer->name);
>> 5857 else
>> 5858 cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for server",
>> 5859 sub->id);
>> 5860
>> 5861 sub->interval = interval;
>> 5862 sub->lease = lease;
>> (gdb) print sub
>> $1 = (cupsd_subscription_t *) 0x0
>>
>> It would appear to be a NULL pointer dereference. It seems that this call a
>> few lines above the snippet shown above:
>> sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
>>
>> will return NULL when the hardcoded value of 100 subscriptions is hit.
>
> Not really hardcoded -- it is settable with the 'MaxSubscriptions'
> directive. I had just reproduced the bug with CUPS 1.3.9 at FreeBSD.
> MaxSubscriptions was set to 3 to ease the PoC. Just repeated
> invocations of 'lpr -m <somefile>' were crashing cups daemon
> reproducibly.
>
> The attached patch fixes the things for me, but perhaps it needs
> some more polishing. Will try to take a fresh look at this tomorrow.
>
> Mike, please, take a look at this!
You'll find a much more complete patch already in CUPS svn for both 1.3.x and 1.4.x, along with a new subscription test for the "make check" target. I didn't withhold the patch since the browser attack vector was closed in 1.3.8...

I've attached my 1.3.x patch...

--
______________________________________________________________________
Michael Sweet, Easy Software Products
mike at easysw dot com

[Attachment: "cups-1.3-max-subscriptions.patch" (text/plain, 5341 bytes)]
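The failure mode discussed in the thread, as an added illustration that is not code from CUPS or from either patch: a subscription allocator that returns NULL once the configured limit (the MaxSubscriptions directive, set to 3 here) is reached, the unchecked caller shape that crashes at that point, and the checked shape that turns the limit into an error returned to the client instead. All names below (add_subscription, create_subscription_unchecked/checked, the table) are hypothetical models, not CUPS's own symbols.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical subscription record; stands in for cupsd_subscription_t. */
typedef struct { int id; int mask; } subscription_t;

/* Stands in for the MaxSubscriptions directive (3, as in the PoC above). */
#define MAX_SUBSCRIPTIONS 3

static subscription_t table[MAX_SUBSCRIPTIONS];
static int num_subscriptions = 0;

/* Like cupsdAddSubscription(): returns NULL when the limit is reached. */
subscription_t *add_subscription(int mask)
{
    if (num_subscriptions >= MAX_SUBSCRIPTIONS)
        return NULL;
    subscription_t *sub = &table[num_subscriptions++];
    sub->id = num_subscriptions;
    sub->mask = mask;
    return sub;
}

void reset_subscriptions(void) { num_subscriptions = 0; }

/* Crashing shape: uses sub->id without checking for NULL, as at ipp.c:5858.
 * Kept only for comparison; it is never called below. */
int create_subscription_unchecked(int mask)
{
    subscription_t *sub = add_subscription(mask);
    printf("Added subscription %d for server\n", sub->id); /* NULL deref at limit */
    return sub->id;
}

/* Fixed shape: check the return value and fail the request instead.
 * Returns 0 on success and -1 when the limit is hit (the caller would
 * send an IPP error status rather than dereferencing NULL). */
int create_subscription_checked(int mask, int *id_out)
{
    subscription_t *sub = add_subscription(mask);
    if (sub == NULL) {
        fprintf(stderr, "Too many subscriptions (limit %d)\n", MAX_SUBSCRIPTIONS);
        return -1;
    }
    *id_out = sub->id;
    printf("Added subscription %d for server\n", sub->id);
    return 0;
}
```

The fourth request against a limit of 3 is where the unchecked version dereferences NULL; the checked version returns -1 there and the daemon keeps running.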