Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Fri, 21 Nov 2008 08:20:00 +0300
From: Eygene Ryabinkin <rea-sec@...elabs.ru>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...re.org>, mike@...ysw.com
Subject: Re: CVE request: CUPS DoS via RSS subscriptions

Steve, good day.

Thu, Nov 20, 2008 at 07:41:06PM -0500, Steven M. Christey wrote:
> I treated this as two CVEs, one for the CSRF-simplifying attack, and a
> separate one for the CUPS server crash (assuming that cupsd should not be
> crashable by non-root authenticated users).

Please note that as it was discuissed in thread started with
  http://www.openwall.com/lists/oss-security/2008/11/19/4
even 1.3.9 is crashable by non-root authenticated users by adding
a big number of subscriptions (don't know about RSS ones, though
subscription for mailing upon job completion does its job).  But
I imagine that CVE-2008-5184 can't be used for 1.3.9, so remote
attack is not feasible.

I expect that the fix will go into 1.3.10:
  http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt

Adding Michael Sweet to the CC, since he can shed a bit more light on
this matter.  Perhaps CVE-2008-5183 should be extended or another CVE
can be created.
-- 
Eygene

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux