Date: Thu, 1 Jun 2023 12:35:16 +0200 From: Zdenek Dohnal <zdohnal@...hat.com> To: oss-security@...ts.openwall.com Subject: [vs] CVE-2023-32324 heap buffer overflow in cupsd Hi all, there is currently embargoed CVE-2023-32324 in cups project: Summary A heap buffer overflow vulnerability would allow a remote attacker to lauch a dos attack. Details A buffer overflow vulnerability in the function |format_log_line| could allow remote attackers to cause a denial-of-service(DoS) on the affected system (not verified for possible arbitrary code execution). The vulnerability affects the commit #c0c4037 and the latest commit #4310a07 on the GitHub master branch as well as the latest release version v2.4.2. I have only tested these versions so far. Exploitation of the vulnerability can be triggered when the configuration file |cupsd.conf| sets the value of |loglevel |to |DEBUG| if the log location is set to a file. Reproduce $ git clonehttps://github.com/OpenPrinting/cups.git $ cd cups $ CFLAGS="-g -fsanitize=address -fPIE" CXXFLAGS="-g -fsanitize=address -fPIE" LDFLAGS="-fsanitize=address" ./configure -with-tls=no --disable-shared # Now compile cups $ make -j # Adjust conf/cupsd.conf to reproduce the crash - enable debug logging to a file and set cupsd to listen on port 8631 $ sed -i 's,LogLevel warn,LogLevel debug,' conf/cupsd.conf $ sed -i 's,Listen localhost:631,Listen localhost:8631,' conf/cupsd.conf Run cups and replay the crash.raw |$ sudo ./scheduler/cupsd -c conf/cupsd.conf -f $ nc 127.0.0.1 8631 < ./crash.raw ||| cupsd crashes after the last command and generates the attached ASAN report. || || PoC crash.raw attached Impact Heap buffer overflow. *Patch* Committed as https://github.com/OpenPrinting/cups/commit/fd8bc2d32589d1fd91fe1c0521be2a7c0462109e For OpenPriniting CUPS community, Zdenek Dohnal (CUPS 2.4.x release manager) -- Zdenek Dohnal Senior Software Engineer Red Hat, BRQ-TPBC Content of type "text/html" skipped View attachment "0001-Consensus-fix.patch" of type "text/x-patch" (804 bytes) View attachment "asan_report.txt" of type "text/plain" (3254 bytes) Download attachment "crash.raw" of type "application/octet-stream" (37881 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.