Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 10 Aug 2015 19:55:32 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Cc: security@...ntu.com
Subject: CVE Request: ippusbxd

Hello MITRE, all,

Please assign a CVE for ippusbxd. I discovered a flaw that accidentally
allows access to a connected USB printer via all configured network
addresses, rather than only TCP loopback addresses, by misusing the
in6addr_any bind address.

The original bug report is at
https://bugs.launchpad.net/ubuntu/+source/ippusbxd/+bug/1455644
(though most of the contents aren't related).

The flaw can be found at
https://github.com/tillkamppeter/ippusbxd/blob/ea6005943e2669cbf492fa441d9dce02a4bc2471/src/tcp.c#L51

Comments in the source code and documentation indicate that access was
intended only for localhost:
https://github.com/tillkamppeter/ippusbxd/blob/ea6005943e2669cbf492fa441d9dce02a4bc2471/doc/ippusbxd.1#L17

Till Kamppeter has provided the following patches to address the issue:
https://github.com/tillkamppeter/ippusbxd/commit/46844402bca7a38fc224483ba6f0a93c4613203f
https://github.com/tillkamppeter/ippusbxd/commit/a632841f8e65d402e13e81921515f5a1e2736c82

The first patch switches to using two sockets and binds them explicitly
to the IPv6 and the IPv4 loopback addresses; the second patch simplifies
the use of select(). Both patches are recommended. A new upstream release
will be made soon to incorporate this fix.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ