Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 14 Jun 2023 18:53:40 +0200
From: Till Kamppeter <>
Subject: CVE-2023-34095: cpdb-libs: Buffer overflows via scanf

Following bug got reported to OpenPrinting's GitHub, repo cpdb-libs, as 
a private (security) issue report, which is now published:


There's multiple instances of buffer overflows in this package via 
improper use of scanf(3).



Line 362 in 85555fb

   else if (strcmp(buf, "print-file") == 0)

              char printer_id[BUFSIZE], backend_name[BUFSIZE], 
              scanf("%s%s%s", file_path, printer_id, backend_name);


Line 453 in 85555fb

   else if (strcmp(buf, "get-all-translations") == 0)

              char printer_id[BUFSIZE];
              char backend_name[BUFSIZE];
              scanf("%s%s", printer_id, backend_name);


Line 372 in 85555fb

   PrintBackend *cpdbCreateBackendFromFile(GDBusConnection *connection,

      char obj_path[CPDB_BSIZE];
      /* ... */
      if ((file = fopen(path, "r")) == NULL)
      /* ... */
      if (fscanf(file, "%s", obj_path) == 0)

%s does not place bounds on the allowed input sizes.

All scanf() or fscanf() calls in the cpdb-libs package which take 
strings via %s format conversion directive read these strings into 
buffers of 1024 characters of length (BUFSIZE). So one can easily 
replace all occurences of %s by %1023s (accept a maximum of 1023 
characters to leave space for terminating zero byte) in all lines 
containing scanf or fscanf, easily automated by running four times the 

perl -p -i -e 's/(scanf\(.*?".*?)%s/\1%1023s/' cpdb/cpdb-frontend.c 

and checking with

grep scanf */*.c

Quick test/reproducer:



and enter a command line (no valid command required, only arbitrary 
characters) of more than 1024 characters. without the fix you will get a 
segfault, with the fix no segfault and the overlength of the input gets 

To test the fix in the libraries (not in cpdb-text-backend) you would 
need to create a file named /tmp/org.openprinting.Backend.CUPS with its 
first line having more than 1024 characters. Then run

CPDB_BACKEND_INFO_DIR=/tmp cpdb-text-frontend

With the original you will get a segmentation 
fault, with the fix you will reach the command prompt of the text 
frontend (but without printer list).

The report got assigned CVE-2023-34095

The fix is committed to the GIT repository of cpdb-libs:

Package maintainers/security teams of the operating system 
distributions, please apply the fix by then.

The fix will be included in the upcoming releases.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.