Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 25 Apr 2014 15:24:15 -0500
From: Jamie Strandboge <>
Subject: Re: Re: cups-browsed remote exploit

On 04/02/2014 03:18 PM, wrote:
>> For this it creates a filter-script
>> snprintf
>> "%s/filter/pdftoippprinter \"$1\" \"$2\" \"$3\" \"$4\" \"$5 $extra_options\"\n",
>> p->name, pdl, make_model, cups_serverbin);
>> its easy to inject code to the script e.g. via model name or pdl key
>> which is taken from the LAN packets.
> Use CVE-2014-2707.

This issue was reported as fixed in 1.0.51:

but it was found that the fix was incomplete with the full fix in 1.0.53:

Should this get a second CVE or should we continue to use CVE-2014-2707?

Furthermore, another security issue was also fixed in 1.0.53:

- cups-browsed: SECURITY FIX: Fix on usage of the
  "BrowseAllow" directive in cups-browsed.conf. Before, if the
  argument of a "BrowseAllow" directive is not understood it
  is treated as the directive not having been there, allowing
  any host if this was the only "BrowseAllow" directive. Now
  we treat this as a directive which no host can fulfill, not
  allowing any host if it was the only one. No "BrowseAllow"
  directive means access for all, as before (Bug #1204).

I believe this should receive a CVE.



Jamie Strandboge       

Download attachment "signature.asc" of type "application/pgp-signature" (885 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ