oss-sec mailing list archives

Re: cups-browsed remote exploit


From: cve-assign () mitre org
Date: Thu, 19 Jun 2014 13:08:52 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The vulnerability that remains in cups-filters 1.0.51 (in the
generate_local_queue function, the input sanitization also needs to be
used for the host variable, but wasn't used for that) is assigned
CVE-2014-4336. This is fixed in cups-filters 1.0.53. This is the
vulnerability that exists because of an incomplete fix for
CVE-2014-2707.

The second vulnerability addressed in cups-filters 1.0.53 (OOB
accesses in the process_browse_data function when reading the packet
variable, leading to a crash after a remote attack) is assigned
CVE-2014-4337.

For the third vulnerability addressed in cups-filters 1.0.53:

- cups-browsed: SECURITY FIX: Fix on usage of the
  "BrowseAllow" directive in cups-browsed.conf. Before, if the
  argument of a "BrowseAllow" directive is not understood it
  is treated as the directive not having been there, allowing
  any host if this was the only "BrowseAllow" directive. Now
  we treat this as a directive which no host can fulfill, not
  allowing any host if it was the only one.

the vendor is announcing it as a security fix, so it is assigned
CVE-2014-4338. It also seems likely that the previous behavior was
actually an implementation error. (Apparently, this only allows
attacks against systems for which the administrator created a
malformed configuration file. A vendor could instead choose to have an
explicit security policy that the product's behavior is undefined in
the case of a malformed configuration file.)

Two additional notes:

This issue was reported as fixed in 1.0.51:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7188

The code fix itself seems to be

  http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7189

instead. Also, https://bugzilla.novell.com/show_bug.cgi?id=871327
mentions CVE-2014-2707, but the attachment in 871327 is apparently
only the CVE-2014-4336 and CVE-2014-4337 patch, not the CVE-2014-2707
patch. However, 871327 isn't directly trying to define what
CVE-2014-2707 means, so this can be considered a minor anomaly.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJToxitAAoJEKllVAevmvmsR4IH/0XLDQd6TouMqkwHjj86tv8D
mn3CVcZovqZRQIWBRYj4OlH5sgPyzTGrHR1KVw7FLfe81T3Qwj6eMptZD7qXXbRP
ABkTEf+N2HP/7BAh46kCZhpgSvS7QSa9UX41thh1WmBSBSd2cdL2wvdcmkaeapVZ
Ip2nT21w/ou1B3yS8NYlVwiAXWj84GclNTbLY31bKVSTd3KSKDKsHa4kCkfEGAlG
4VKGioh4Y1aiBOxnYjerAxBg+nL3Vhq+mH21hTTfPifpg6vKBmtqVMuXuOVQ60Kb
uE7MT8HA+SPGSE+84s7fjUVvx95M0j+MQHUEr/Y+QLM2j6qj96/xy1BED6ZxkwA=
=1ezq
-----END PGP SIGNATURE-----
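The CVE-2014-4338 note above describes a fail-open configuration parser: a "BrowseAllow" argument the parser did not understand was silently dropped, so a single typo in cups-browsed.conf left the queue open to any host. The following model is an added example written for this archive page, not cups-browsed's own code; it assumes, for illustration only, that a BrowseAllow argument is a bare IP address or a CIDR network (the real directive's grammar is not stated on this page), and it uses constructed config fragments. It places the pre-1.0.53 behaviour beside the corrected one and adds a small audit helper a defender can use to flag directives that did not parse.

```python
"""Model of BrowseAllow fail-open vs fail-closed handling (added example)."""
import ipaddress

# Constructed config fragments, not taken from any real deployment.
GOOD_CONF = """
# constructed cups-browsed.conf fragment: one well-formed directive
BrowseAllow 192.0.2.0/24
"""

BAD_CONF = """
# constructed cups-browsed.conf fragment: the only directive is malformed
BrowseAllow 192.0.2.0/24/extra
"""


def parse_browse_allow_arg(arg):
    """Return an ip_network for a BrowseAllow argument, or None if it is
    not understood.  Assumption for this example: arguments are a single
    IPv4/IPv6 address or a CIDR network; other syntaxes are 'not understood'."""
    try:
        return ipaddress.ip_network(arg, strict=False)
    except ValueError:
        return None


def parse_config(text):
    """Collect BrowseAllow directives as (raw_argument, parsed_network) pairs.
    Unparseable arguments are kept with parsed_network == None so the
    two policy functions below can decide what they mean."""
    directives = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "browseallow" and len(parts) == 2:
            arg = parts[1].strip()
            directives.append((arg, parse_browse_allow_arg(arg)))
    return directives


def host_allowed_before(directives, host):
    """Pre-fix semantics as described in the advisory text: a directive that
    is not understood is treated as if it were absent.  If nothing usable
    remains, every host is allowed (fail-open)."""
    nets = [net for _, net in directives if net is not None]
    if not nets:
        return True
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in nets)


def host_allowed_after(directives, host):
    """Post-fix semantics: a directive that is not understood is one that
    no host can satisfy.  With no BrowseAllow directive at all the queue
    stays unrestricted (assumed unchanged); with only a malformed one,
    no host is allowed (fail-closed)."""
    if not directives:
        return True
    addr = ipaddress.ip_address(host)
    return any(net is not None and addr in net for _, net in directives)


def unrecognised_directives(directives):
    """Audit helper: the raw arguments that did not parse.  A non-empty
    result means the configuration file is malformed and should be fixed
    rather than relied on, whichever policy the daemon applies."""
    return [raw for raw, net in directives if net is None]


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        d = parse_config(conf)
        print(name, "unrecognised:", unrecognised_directives(d))
        for host in ("192.0.2.10", "198.51.100.7"):
            print(f"  {host}: before={host_allowed_before(d, host)} "
                  f"after={host_allowed_after(d, host)}")
```

Running the module prints that under the malformed fragment the old policy admits 198.51.100.7 (an address outside the intended network) while the corrected policy admits nobody; the audit helper reports the offending argument either way, which is the check to run after editing cups-browsed.conf.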

