Date: Fri, 25 Apr 2014 15:24:15 -0500 From: Jamie Strandboge <jamie@...onical.com> To: oss-security@...ts.openwall.com Subject: Re: Re: cups-browsed remote exploit On 04/02/2014 03:18 PM, cve-assign@...re.org wrote: >> For this it creates a filter-script > >> snprintf > >> "%s/filter/pdftoippprinter \"$1\" \"$2\" \"$3\" \"$4\" \"$5 $extra_options\"\n", >> p->name, pdl, make_model, cups_serverbin); > >> its easy to inject code to the script e.g. via model name or pdl key >> which is taken from the LAN packets. > > Use CVE-2014-2707. > This issue was reported as fixed in 1.0.51: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7188 but it was found that the fix was incomplete with the full fix in 1.0.53: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194 Should this get a second CVE or should we continue to use CVE-2014-2707? Furthermore, another security issue was also fixed in 1.0.53: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7195 " - cups-browsed: SECURITY FIX: Fix on usage of the "BrowseAllow" directive in cups-browsed.conf. Before, if the argument of a "BrowseAllow" directive is not understood it is treated as the directive not having been there, allowing any host if this was the only "BrowseAllow" directive. Now we treat this as a directive which no host can fulfill, not allowing any host if it was the only one. No "BrowseAllow" directive means access for all, as before (Bug #1204). " I believe this should receive a CVE. Thanks References: https://bugzilla.novell.com/show_bug.cgi?id=871327 https://bugs.linuxfoundation.org/show_bug.cgi?id=1204 -- Jamie Strandboge http://www.ubuntu.com/ Download attachment "signature.asc" of type "application/pgp-signature" (885 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ