Date: Wed, 19 Nov 2008 17:54:49 -0800
From: Michael Sweet <mike@...ysw.com>
To: Eygene Ryabinkin <rea-sec@...elabs.ru>
CC: oss-security@...ts.openwall.com, 
 "Steven M. Christey" <coley@...re.org>
Subject: Re: CVE request: CUPS DoS via RSS subscriptions

Eygene Ryabinkin wrote:
> Josh, Mike, *, good day.
> 
> Wed, Nov 19, 2008 at 03:14:43PM -0500, Josh Bressers wrote:
>> So from looking at cups 1.3.7 on Fedora 8, here is what I see:
>>
>> (gdb) bt
>> #0  create_subscription (con=0xb88975c0, uri=0xb889ae00) at ipp.c:5858
>> #1  0xb7facba7 in cupsdProcessIPPRequest (con=0xb88975c0) at ipp.c:615
>> #2  0xb7f88bfc in cupsdReadClient (con=0xb88975c0) at client.c:2253
>> #3  0xb7fc0606 in cupsdDoSelect (timeout=1) at select.c:537
>> #4  0xb7f98710 in main (argc=1, argv=0xbfdd6194) at main.c:817
>> (gdb) list
>> 5853        else if (printer)
>> 5854          cupsdLogMessage(CUPSD_LOG_DEBUG,
>> 5855                          "Added subscription %d for printer \"%s\"",
>> 5856                          sub->id, printer->name);
>> 5857        else
>> 5858          cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for server",
>> 5859                          sub->id);
>> 5860
>> 5861        sub->interval = interval;
>> 5862        sub->lease    = lease;
>> (gdb) print sub
>> $1 = (cupsd_subscription_t *) 0x0
>>
>> It would appear to be a NULL pointer dereference.  It seems that this call a
>> few lines above the snippet shown above:
>>  sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
>>
>> will return NULL when the hardcoded value of 100 subscriptions is hit.
> 
> Not really hardcoded -- it is settable with the 'MaxSubscriptions'
> directive.  I had just reproduced the bug with CUPS 1.3.9 on FreeBSD.
> MaxSubscriptions was set to 3 to ease the PoC.  Just repeated
> invocations of 'lpr -m <somefile>' were crashing the cups daemon
> reproducibly.
> 
> The attached patch fixes the things for me, but perhaps it needs
> some more polishing.  Will try to take a fresh look at this tomorrow.
> 
> Mike, please, take a look at this!

You'll find a much more complete patch already in CUPS svn for both
1.3.x and 1.4.x, along with a new subscription test for the
"make check" target.  I didn't withhold the patch since the browser
attack vector was closed in 1.3.8...

I've attached my 1.3.x patch...

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com

Attachment: "cups-1.3-max-subscriptions.patch" (text/plain, 5341 bytes)
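The defect discussed in this thread is a classic unchecked-return-value bug: cupsdAddSubscription() returns NULL once the MaxSubscriptions limit is reached, and create_subscription() writes sub->interval through that NULL pointer. The following is an added, self-contained model of that pattern written for this archive page; it is not CUPS source and not either author's patch. The scheduler_t table, add_subscription(), the REQ_* return codes and the request driver are all hypothetical stand-ins. It places the unchecked handler (which, in the real daemon, would fault) beside the hardened one that rejects the request when the table is full, which is the shape of fix the thread describes.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model of a bounded subscription table (added
 * example, not CUPS code). MaxSubscriptions is modelled as a per-scheduler
 * limit; the PoC in the thread used a value of 3. */
#define DEFAULT_MAX_SUBSCRIPTIONS 3

typedef struct {
    int id;
    int interval;
    int lease;
} subscription_t;

typedef struct {
    int              max_subscriptions;  /* stands in for the MaxSubscriptions directive */
    int              num_subscriptions;
    int              next_id;
    subscription_t **subs;
} scheduler_t;

scheduler_t *scheduler_new(int max_subscriptions) {
    scheduler_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->subs = calloc((size_t)max_subscriptions, sizeof *s->subs);
    if (!s->subs) { free(s); return NULL; }
    s->max_subscriptions = max_subscriptions;
    s->next_id = 1;
    return s;
}

void scheduler_free(scheduler_t *s) {
    if (!s) return;
    for (int i = 0; i < s->num_subscriptions; i++) free(s->subs[i]);
    free(s->subs);
    free(s);
}

/* Stand-in for cupsdAddSubscription(): returns NULL when the table is full
 * (or on allocation failure), exactly the case the caller must handle. */
subscription_t *add_subscription(scheduler_t *s) {
    if (s->num_subscriptions >= s->max_subscriptions)
        return NULL;
    subscription_t *sub = calloc(1, sizeof *sub);
    if (!sub) return NULL;
    sub->id = s->next_id++;
    s->subs[s->num_subscriptions++] = sub;
    return sub;
}

/* Outcome codes for the two request handlers below (hypothetical). */
enum { REQ_OK = 0, REQ_TOO_MANY = 1, REQ_CRASHED = 2 };

/* Vulnerable shape from the thread: the result of the add routine is used
 * as if it were always valid. The real handler writes sub->interval and
 * faults on NULL; this demo substitutes a REQ_CRASHED sentinel at the point
 * where the dereference would happen so the program can keep running. */
int create_subscription_unchecked(scheduler_t *s, int interval, int lease) {
    subscription_t *sub = add_subscription(s);
    if (sub == NULL)
        return REQ_CRASHED;   /* marks "sub->interval = interval" on a NULL sub */
    sub->interval = interval;
    sub->lease    = lease;
    return REQ_OK;
}

/* Hardened shape: test the return value and fail the request cleanly,
 * leaving the daemon (and every existing subscription) intact. */
int create_subscription_checked(scheduler_t *s, int interval, int lease) {
    subscription_t *sub = add_subscription(s);
    if (sub == NULL) {
        fprintf(stderr, "Too many subscriptions (MaxSubscriptions=%d), rejecting request\n",
                s->max_subscriptions);
        return REQ_TOO_MANY;
    }
    sub->interval = interval;
    sub->lease    = lease;
    return REQ_OK;
}

/* Send max+1 requests through a handler and report the outcome of the last
 * one: the request that first exceeds the limit. */
int run_requests(int max_subscriptions, int (*handler)(scheduler_t *, int, int)) {
    scheduler_t *s = scheduler_new(max_subscriptions);
    if (!s) return -1;
    int rc = REQ_OK;
    for (int i = 0; i <= max_subscriptions; i++)
        rc = handler(s, 60, 300);
    scheduler_free(s);
    return rc;
}

int main(void) {
    int n = DEFAULT_MAX_SUBSCRIPTIONS;
    printf("unchecked handler, request %d: rc=%d (2 = would have dereferenced NULL)\n",
           n + 1, run_requests(n, create_subscription_unchecked));
    printf("checked handler,   request %d: rc=%d (1 = rejected, daemon keeps running)\n",
           n + 1, run_requests(n, create_subscription_checked));
    return 0;
}
```

The point for a reviewer is that the limit itself is a legitimate resource control; the bug is only that the limit's failure path (a NULL return) was never consumed by the caller. Any routine that can return NULL under administrator-configurable pressure needs its callers audited the same way.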
