Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 14 Jun 2023 18:53:40 +0200
From: Till Kamppeter <till.kamppeter@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-34095: cpdb-libs: Buffer overflows via scanf

Following bug got reported to OpenPrinting's GitHub, repo cpdb-libs, as 
a private (security) issue report, which is now published:

https://github.com/OpenPrinting/cpdb-libs/security/advisories/GHSA-25j7-9gfc-f46x


Summary

There's multiple instances of buffer overflows in this package via 
improper use of scanf(3).


Details

cpdb-libs/tools/cpdb-text-frontend.c


Line 362 in 85555fb

   else if (strcmp(buf, "print-file") == 0)

              char printer_id[BUFSIZE], backend_name[BUFSIZE], 
file_path[BUFSIZE];
              scanf("%s%s%s", file_path, printer_id, backend_name);

cpdb-libs/tools/cpdb-text-frontend.c


Line 453 in 85555fb

   else if (strcmp(buf, "get-all-translations") == 0)

              char printer_id[BUFSIZE];
              char backend_name[BUFSIZE];
              scanf("%s%s", printer_id, backend_name);

cpdb-libs/cpdb/cpdb-frontend.c


Line 372 in 85555fb

   PrintBackend *cpdbCreateBackendFromFile(GDBusConnection *connection,

      char obj_path[CPDB_BSIZE];
      /* ... */
      if ((file = fopen(path, "r")) == NULL)
      /* ... */
      if (fscanf(file, "%s", obj_path) == 0)


%s does not place bounds on the allowed input sizes.


All scanf() or fscanf() calls in the cpdb-libs package which take 
strings via %s format conversion directive read these strings into 
buffers of 1024 characters of length (BUFSIZE). So one can easily 
replace all occurences of %s by %1023s (accept a maximum of 1023 
characters to leave space for terminating zero byte) in all lines 
containing scanf or fscanf, easily automated by running four times the 
command

perl -p -i -e 's/(scanf\(.*?".*?)%s/\1%1023s/' cpdb/cpdb-frontend.c 
tools/cpdb-text-frontend.c

and checking with

grep scanf */*.c


Quick test/reproducer:

Run

cpdb-text-frontend

and enter a command line (no valid command required, only arbitrary 
characters) of more than 1024 characters. without the fix you will get a 
segfault, with the fix no segfault and the overlength of the input gets 
truncated.

To test the fix in the libraries (not in cpdb-text-backend) you would 
need to create a file named /tmp/org.openprinting.Backend.CUPS with its 
first line having more than 1024 characters. Then run

CPDB_DEBUG_LOGFILE=log.txt CPDB_DEBUG_LEVEL=debug 
CPDB_BACKEND_INFO_DIR=/tmp cpdb-text-frontend

With the original libcpdb-frontend.so.2.0.0 you will get a segmentation 
fault, with the fix you will reach the command prompt of the text 
frontend (but without printer list).


The report got assigned CVE-2023-34095


The fix is committed to the GIT repository of cpdb-libs:

https://github.com/OpenPrinting/cpdb-libs/commit/f181bd1f1


Package maintainers/security teams of the operating system 
distributions, please apply the fix by then.

The fix will be included in the upcoming releases.

    Till

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.