oss-sec mailing list archives
Re: cups-browsed remote exploit
From: cve-assign () mitre org
Date: Thu, 19 Jun 2014 13:08:52 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The vulnerability that remains in cups-filters 1.0.51 (in the generate_local_queue function, the input sanitization also needs to be used for the host variable, but wasn't used for that) is assigned CVE-2014-4336. This is fixed in cups-filters 1.0.53. This is the vulnerability that exists because of an incomplete fix for CVE-2014-2707.

The second vulnerability addressed in cups-filters 1.0.53 (OOB accesses in the process_browse_data function when reading the packet variable, leading to a crash after a remote attack) is assigned CVE-2014-4337.

For the third vulnerability addressed in cups-filters 1.0.53:

- cups-browsed: SECURITY FIX: Fix on usage of the "BrowseAllow" directive in cups-browsed.conf. Before, if the argument of a "BrowseAllow" directive is not understood it is treated as the directive not having been there, allowing any host if this was the only "BrowseAllow" directive. Now we treat this as a directive which no host can fulfill, not allowing any host if it was the only one.

the vendor is announcing it as a security fix, so it is assigned CVE-2014-4338. It also seems likely that the previous behavior was actually an implementation error. (Apparently, this only allows attacks against systems for which the administrator created a malformed configuration file. A vendor could instead choose to have an explicit security policy that the product's behavior is undefined in the case of a malformed configuration file.)

Two additional notes:

This issue was reported as fixed in 1.0.51: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7188

The code fix itself seems to be http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7189 instead.

Also, https://bugzilla.novell.com/show_bug.cgi?id=871327 mentions CVE-2014-2707, but the attachment in 871327 is apparently only the CVE-2014-4336 and CVE-2014-4337 patch, not the CVE-2014-2707 patch. However, 871327 isn't directly trying to define what CVE-2014-2707 means, so this can be considered a minor anomaly.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJToxitAAoJEKllVAevmvmsR4IH/0XLDQd6TouMqkwHjj86tv8D
mn3CVcZovqZRQIWBRYj4OlH5sgPyzTGrHR1KVw7FLfe81T3Qwj6eMptZD7qXXbRP
ABkTEf+N2HP/7BAh46kCZhpgSvS7QSa9UX41thh1WmBSBSd2cdL2wvdcmkaeapVZ
Ip2nT21w/ou1B3yS8NYlVwiAXWj84GclNTbLY31bKVSTd3KSKDKsHa4kCkfEGAlG
4VKGioh4Y1aiBOxnYjerAxBg+nL3Vhq+mH21hTTfPifpg6vKBmtqVMuXuOVQ60Kb
uE7MT8HA+SPGSE+84s7fjUVvx95M0j+MQHUEr/Y+QLM2j6qj96/xy1BED6ZxkwA=
=1ezq
-----END PGP SIGNATURE-----
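The CVE-2014-4338 behaviour described in the message above (a "BrowseAllow" directive whose argument is not understood being dropped as if absent, which fails open when it was the only directive, versus the fixed behaviour of keeping it as a directive no host can fulfill) is easier to reason about with a small model. The following is an added example, not cups-filters or cups-browsed code and not the vendor's patch; it models the allow-list decision only. Assumptions: only dotted-quad IPv4 arguments count as "understood" (the real directive accepts more forms), an allow-list with no surviving directives means "allow any host" as the message states, and the configuration lines are constructed for the example.

```c
/* Added example (not cups-filters code): a simplified model of the
 * "BrowseAllow" handling change described in the message above.
 * Assumptions: only dotted-quad IPv4 arguments are "understood"; an empty
 * allow-list means "allow any host", as the message describes. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ALLOW 16

/* An entry is either a parsed address or a deliberately unsatisfiable
 * placeholder recorded for a directive whose argument was not understood. */
typedef struct {
    bool satisfiable;
    uint32_t addr;
} allow_entry;

typedef struct {
    allow_entry entries[MAX_ALLOW];
    int count;
    bool fail_closed;   /* false: pre-1.0.53 behaviour, true: fixed behaviour */
} allow_list;

/* Strict dotted-quad parser: exactly four decimal octets 0..255, nothing else. */
bool parse_ipv4(const char *s, uint32_t *out)
{
    uint32_t value = 0;
    for (int octet = 0; octet < 4; octet++) {
        unsigned n = 0;
        int digits = 0;
        if (*s < '0' || *s > '9')
            return false;
        while (*s >= '0' && *s <= '9') {
            n = n * 10 + (unsigned)(*s++ - '0');
            if (n > 255 || ++digits > 3)
                return false;
        }
        value = (value << 8) | n;
        if (octet < 3 && *s++ != '.')
            return false;
    }
    if (*s != '\0')
        return false;
    *out = value;
    return true;
}

/* Feed one configuration line into the list. Lines other than
 * "BrowseAllow <arg>" are ignored. */
void handle_directive(allow_list *list, const char *line)
{
    char key[32], arg[128];
    int fields = sscanf(line, "%31s %127s", key, arg);

    if (fields < 1 || strcmp(key, "BrowseAllow") != 0 || list->count >= MAX_ALLOW)
        return;
    if (fields < 2)
        arg[0] = '\0';                    /* missing argument: not understood */

    allow_entry *e = &list->entries[list->count];
    if (parse_ipv4(arg, &e->addr)) {
        e->satisfiable = true;
        list->count++;
    } else if (list->fail_closed) {
        /* Fixed behaviour: keep a directive that no host can fulfil. */
        e->satisfiable = false;
        list->count++;
    }
    /* Old behaviour falls through here: the directive is dropped as if it
     * had never been present, which is the fail-open bug. */
}

/* A peer is allowed when no BrowseAllow directive survived parsing, or when
 * a satisfiable entry matches its address. */
bool host_allowed(const allow_list *list, const char *peer)
{
    uint32_t addr;
    if (!parse_ipv4(peer, &addr))
        return false;
    if (list->count == 0)
        return true;
    for (int i = 0; i < list->count; i++)
        if (list->entries[i].satisfiable && list->entries[i].addr == addr)
            return true;
    return false;
}

/* Parse a constructed configuration under the chosen rule and evaluate one peer. */
bool evaluate(bool fail_closed, const char *const lines[], int nlines, const char *peer)
{
    allow_list list = { .count = 0, .fail_closed = fail_closed };
    for (int i = 0; i < nlines; i++)
        handle_directive(&list, lines[i]);
    return host_allowed(&list, peer);
}

int main(void)
{
    /* Constructed config: the only BrowseAllow has an argument that is not
     * understood (300 is not a valid octet). */
    const char *const conf[] = { "# constructed cups-browsed.conf", "BrowseAllow 10.0.0.300" };
    const char *peer = "192.168.1.50";

    printf("old rule (fail open):     %s -> %s\n", peer,
           evaluate(false, conf, 2, peer) ? "allowed" : "denied");
    printf("fixed rule (fail closed): %s -> %s\n", peer,
           evaluate(true, conf, 2, peer) ? "allowed" : "denied");
    return 0;
}
```

Under the old rule the malformed directive leaves the list empty, so the "no directives" branch allows every peer; under the fixed rule the same line leaves one unsatisfiable entry, so the list is non-empty and nothing matches. Where a valid directive is also present, both rules give the same answer, which matches the message's remark that only systems with a malformed configuration file are exposed.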
Current thread:
- cups-browsed remote exploit Sebastian Krahmer (Apr 01)
- Re: cups-browsed remote exploit cve-assign (Apr 02)
- Re: Re: cups-browsed remote exploit Jamie Strandboge (Apr 25)
- Re: Re: cups-browsed remote exploit Tomas Hoger (Jun 19)
- Re: cups-browsed remote exploit cve-assign (Jun 19)
- Re: Re: cups-browsed remote exploit Jamie Strandboge (Apr 25)
- Re: cups-browsed remote exploit cve-assign (Apr 02)