[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[linux-security] local and remote compromises in cups
- To: linux-security
- Subject: [linux-security] local and remote compromises in cups
- From: Martin Siegert <siegert@sfu.ca>
- Date: Mon, 20 Jan 2003 17:14:23 -0800
- User-Agent: Mutt/1.4i
Topic
=====
several vulnerabilities in cups can lead to local or even remote root
compromise
Problem Description
===================
The Common UNIX Printing System (CUPS) provides a portable printing
layer. A number of vulnerabilities have been discovered in CUPS.
An integer overflow in the HTTP interface can be used to gain remote
access with CUPS privilege. A local file race condition can be used
to gain root privilege, although the previous bug must be exploited
first. An attacker can remotely add printers to the vulnerable
system. A remote DoS can be accomplished due to negative length
in the memcpy() call. An integer overflow in image handling code
can be used to gain higher privilege. An attacker can gain local
root privilege due to a buffer overflow of the 'options' buffer.
A design problem can be exploited to gain local root access,
however this needs an added printer (which can also be done, as
per a previously noted bug). Wrong handling of zero-width images
can be abused to gain higher privilege. Finally, a file descriptor
leak and DoS due to missing checks of return values of file/socket
operations.
Affected Versions
================
cups versions prior to 1.1.18
Solution
========
upgrade to version 1.1.18 (or patched version for your distribution)
RedHat 7.3
----------
rpm -Fvh cups-1.1.14-15.2.i386.rpm \
cups-devel-1.1.14-15.2.i386.rpm \
cups-libs-1.1.14-15.2.i386.rpm
RedHat 8.0
----------
rpm -Fvh cups-1.1.17-0.2.i386.rpm \
cups-devel-1.1.17-0.2.i386.rpm \
cups-libs-1.1.17-0.2.i386.rpm
Mandrake 7.2, 8.0, 8.1
----------------------
rpm -Fvh cups-1.1.18-1.4mdk.i586.rpm \
cups-devel-1.1.18-1.4mdk.i586.rpm \
cups-serial-1.1.18-1.4mdk.i586.rpm \
printer-testpages-1.1.18-1.4mdk.i586.rpm
Mandrake 8.2, 9.0
-----------------
rpm -Fvh cups-1.1.18-1.1mdk.i586.rpm \
cups-common-1.1.18-1.1mdk.i586.rpm \
cups-serial-1.1.18-1.1mdk.i586.rpm \
libcups1-1.1.18-1.1mdk.i586.rpm \
libcups1-devel-1.1.18-1.1mdk.i586.rpm
SuSE-7.1
--------
rpm -Fvh cups-1.1.6-121.i386.rpm
SuSE-7.2
--------
rpm -Fvh cups-1.1.6-122.i386.rpm
SuSE-7.3
--------
rpm -Fvh cups-1.1.10-94.i386.rpm \
cups-libs-1.1.10-94.i386.rpm \
cups-client-1.1.10-94.i386.rpm
SuSE-8.0
--------
rpm -Fvh cups-1.1.12-90.i386.rpm \
cups-libs-1.1.12-90.i386.rpm \
cups-client-1.1.12-90.i386.rpm
SuSE-8.1
--------
rpm -Fvh cups-1.1.15-69.i386.rpm \
cups-libs-1.1.15-69.i386.rpm \
cups-client-1.1.15-69.i386.rpm
Debian 2.2 (potato)
-------------------
upgrade to cupsys_1.0.4-12.1_i386.deb,
cupsys-bsd_1.0.4-12.1_i386.deb,
libcupsys1_1.0.4-12.1_i386.deb,
libcupsys1-dev_1.0.4-12.1_i386.deb
Debian 3.0 (woody)
------------------
upgrade to cupsys_1.1.14-4.3_i386.deb,
cupsys-bsd_1.1.14-4.3_i386.deb,
cupsys-client_1.1.14-4.3_i386.deb,
cupsys-pstoraster_1.1.14-4.3_i386.deb,
libcupsys2_1.1.14-4.3_i386.deb,
libcupsys2-dev_1.1.14-4.3_i386.deb