Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Thu, 20 Nov 2008 11:41:28 +0300
From: Eygene Ryabinkin <rea-sec@...elabs.ru>
To: Michael Sweet <mike@...ysw.com>
Cc: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...re.org>
Subject: Re: CVE request: CUPS DoS via RSS subscriptions

Michael, good day.

Wed, Nov 19, 2008 at 05:54:49PM -0800, Michael Sweet wrote:
> Eygene Ryabinkin wrote:
> > The attached patch fixes the things for me, but perhaps it needs
> > some more polishing.  Will try to take a fresh look at this tomorrow.
> > 
> > Mike, please, take a look at this!
> 
> You'll find a much more complete patch already in CUPS svn for both
> 1.3.x and 1.4.x, along with a new subscription test for the
> "make check" target.  I didn't withhold the patch since the browser
> attack vector was closed in 1.3.8...
> 
> I've attached my 1.3.x patch...

Thanks!  Just a quick question: the check in add_job_subscriptions() is
catching non-NULL result of cupsdAddSubscription, but for the failed
subscription is does not inform user about this.  The code in
create_subscription() returns error.  Is it intentional?  Client gets
nothing (at least 'lpr -m file.txt' outputs no error), but subscription
is silently dropped.
-- 
Eygene

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux