oss-sec mailing list archives
Re: CVE request: CUPS DoS via RSS subscriptions
From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Thu, 20 Nov 2008 11:41:28 +0300
Michael, good day.

Wed, Nov 19, 2008 at 05:54:49PM -0800, Michael Sweet wrote:
> Eygene Ryabinkin wrote:
> > The attached patch fixes the things for me, but perhaps it needs some more polishing. Will try to take a fresh look at this tomorrow. Mike, please, take a look at this!
>
> You'll find a much more complete patch already in CUPS svn for both 1.3.x and 1.4.x, along with a new subscription test for the "make check" target. I didn't withhold the patch since the browser attack vector was closed in 1.3.8... I've attached my 1.3.x patch...

Thanks! Just a quick question: the check in add_job_subscriptions() is catching non-NULL result of cupsdAddSubscription, but for the failed subscription it does not inform user about this. The code in create_subscription() returns error. Is it intentional? Client gets nothing (at least 'lpr -m file.txt' outputs no error), but subscription is silently dropped.

--
Eygene