[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Re: cups-browsed remote exploit
From: Jamie Strandboge <jamie () canonical ! com>
Date: 2014-04-25 20:24:15
Message-ID: 535AC46F.3060502 () canonical ! com
[Download RAW message or body]
On 04/02/2014 03:18 PM, cve-assign@mitre.org wrote:
>> For this it creates a filter-script
>
>> snprintf
>
>> "%s/filter/pdftoippprinter \"$1\" \"$2\" \"$3\" \"$4\" \"$5 $extra_options\"\n",
>> p->name, pdl, make_model, cups_serverbin);
>
>> its easy to inject code to the script e.g. via model name or pdl key
>> which is taken from the LAN packets.
>
> Use CVE-2014-2707.
>
This issue was reported as fixed in 1.0.51:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7188
but it was found that the fix was incomplete with the full fix in 1.0.53:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194
Should this get a second CVE or should we continue to use CVE-2014-2707?
Furthermore, another security issue was also fixed in 1.0.53:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7195
"
- cups-browsed: SECURITY FIX: Fix on usage of the
"BrowseAllow" directive in cups-browsed.conf. Before, if the
argument of a "BrowseAllow" directive is not understood it
is treated as the directive not having been there, allowing
any host if this was the only "BrowseAllow" directive. Now
we treat this as a directive which no host can fulfill, not
allowing any host if it was the only one. No "BrowseAllow"
directive means access for all, as before (Bug #1204).
"
I believe this should receive a CVE.
Thanks
References:
https://bugzilla.novell.com/show_bug.cgi?id=871327
https://bugs.linuxfoundation.org/show_bug.cgi?id=1204
--
Jamie Strandboge http://www.ubuntu.com/
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic