List: oss-security
Subject: [oss-security] CVE-2023-34095: cpdb-libs: Buffer overflows via scanf
From: Till Kamppeter <till.kamppeter () gmail ! com>
Date: 2023-06-14 16:53:40
Message-ID: b20ad75f-a368-b528-f471-aa3065483581 () gmail ! com
The following bug was reported to OpenPrinting's GitHub repository
cpdb-libs as a private (security) issue report, which is now published:
https://github.com/OpenPrinting/cpdb-libs/security/advisories/GHSA-25j7-9gfc-f46x
Summary
There are multiple instances of buffer overflows in this package via
improper use of scanf(3).
Details
cpdb-libs/tools/cpdb-text-frontend.c, line 362 in 85555fb:

    else if (strcmp(buf, "print-file") == 0)
    char printer_id[BUFSIZE], backend_name[BUFSIZE],
    file_path[BUFSIZE];
    scanf("%s%s%s", file_path, printer_id, backend_name);

cpdb-libs/tools/cpdb-text-frontend.c, line 453 in 85555fb:

    else if (strcmp(buf, "get-all-translations") == 0)
    char printer_id[BUFSIZE];
    char backend_name[BUFSIZE];
    scanf("%s%s", printer_id, backend_name);

cpdb-libs/cpdb/cpdb-frontend.c, line 372 in 85555fb:

    PrintBackend *cpdbCreateBackendFromFile(GDBusConnection *connection,
    char obj_path[CPDB_BSIZE];
    /* ... */
    if ((file = fopen(path, "r")) == NULL)
    /* ... */
    if (fscanf(file, "%s", obj_path) == 0)
%s does not place bounds on the allowed input sizes.
All scanf() or fscanf() calls in the cpdb-libs package which take
strings via the %s format conversion directive read these strings into
buffers of 1024 characters in length (BUFSIZE). So one can simply
replace all occurrences of %s by %1023s (accept a maximum of 1023
characters to leave space for the terminating zero byte) in all lines
containing scanf or fscanf. This is easily automated by running the
following command four times:

    perl -p -i -e 's/(scanf\(.*?".*?)%s/\1%1023s/' cpdb/cpdb-frontend.c tools/cpdb-text-frontend.c

and checking the result with

    grep scanf */*.c
Quick test/reproducer:

Run

    cpdb-text-frontend

and enter a command line (no valid command required, only arbitrary
characters) of more than 1024 characters. Without the fix you will get a
segfault; with the fix there is no segfault and the over-length input
gets truncated.
To test the fix in the libraries (not in cpdb-text-backend) you would
need to create a file named /tmp/org.openprinting.Backend.CUPS whose
first line has more than 1024 characters. Then run

    CPDB_DEBUG_LOGFILE=log.txt CPDB_DEBUG_LEVEL=debug CPDB_BACKEND_INFO_DIR=/tmp cpdb-text-frontend

With the original libcpdb-frontend.so.2.0.0 you will get a segmentation
fault; with the fix you will reach the command prompt of the text
frontend (but without a printer list).
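As an added illustration (not code from cpdb-libs or from the fix commit), the following C program applies the same bounded "%1023s" read the fix uses for the fscanf() in cpdbCreateBackendFromFile(), and adds a peek at the next byte so an over-length first line is reported as truncated rather than silently accepted. The read_status enum, the try_line() harness and the constructed 5000-character input are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 1024   /* buffer size used by the cpdb-libs code */
/* Outcome of one bounded read (constructed for this example). */
enum read_status { READ_EMPTY = 0, READ_OK = 1, READ_TRUNCATED = 2 };

/* Read one whitespace-delimited token into a BUFSIZE buffer the way the
 * fix does: "%1023s" stops after 1023 characters, so the terminating NUL
 * always fits. The added peek at the next byte reports an over-length
 * token instead of silently accepting its truncated prefix as valid. */
enum read_status read_token_bounded(FILE *file, char obj_path[BUFSIZE])
{
    if (fscanf(file, "%1023s", obj_path) != 1)
        return READ_EMPTY;
    int c = fgetc(file);
    if (c == EOF)
        return READ_OK;
    ungetc(c, file);
    return isspace(c) ? READ_OK : READ_TRUNCATED;
}

/* Harness: write a constructed first line of `len` 'A' characters plus a
 * newline to a temporary stream, then run the bounded read over it. */
enum read_status try_line(size_t len, size_t *stored_len)
{
    char obj_path[BUFSIZE];
    enum read_status st = READ_EMPTY;
    FILE *file = tmpfile();
    if (file != NULL) {
        for (size_t i = 0; i < len; i++)
            fputc('A', file);
        fputc('\n', file);
        rewind(file);
        st = read_token_bounded(file, obj_path);
        fclose(file);
    }
    *stored_len = (st == READ_EMPTY) ? 0 : strlen(obj_path);
    return st;
}

int main(void)
{
    size_t n;
    /* 5000-character first line, as in the advisory's reproducer file. */
    enum read_status st = try_line(5000, &n);
    printf("stored=%zu status=%d\n", n, st);   /* stored=1023 status=2 */
    return 0;
}
```

A caller that treats READ_TRUNCATED as an error gets the same protection as the fix plus a log-worthy signal that a backend info file carried an over-length first line.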
The report has been assigned CVE-2023-34095.

The fix is committed to the Git repository of cpdb-libs:
https://github.com/OpenPrinting/cpdb-libs/commit/f181bd1f1

Package maintainers/security teams of the operating system
distributions, please apply the fix in the meantime.

The fix will be included in the upcoming releases.
Till