-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : cups SUMMARY : Several vulnerabilities DATE : 2003-07-22 16:08:00 ID : CLA-2003:702 RELEVANT RELEASES : 7.0, 8, 9 - ------------------------------------------------------------------------- DESCRIPTION Cups[1] (Common UNIX Printing System) is an open-source, freely available and cross-platform printing solution for UNIX environments. iDefense published[2][3] some time ago several vulnerabilities in Cups researched by zen-parse which are being addressed now. Additionally, a new denial of service vulnerability[12] was discovered by Phil D'Amore of Red Hat and is also being fixed. The vulnerabilities outlined below affect only Conectiva Linux 7.0 and 8 (CL9 is not affected): 1. pdftops integer overflow (CAN-2002-1384)[3][4] The pdftops filter used in Cups contains an integer overflow which can be exploited to run arbitrary commands with the privileges of the target user. 2. Multiple integer overflows (CAN-2002-1383)[5] There are several integer overflows in Cups which can be exploited via the http interface and via carefully created images which get handled by Cups. These vulnerabilities can be exploited to run arbitrary code. 3. Race condition (CAN-2002-1366)[6] A race condition exists in the creation of /etc/cups/certs/<pid>. This allows a local attacker to create or overwrite any file as root as long as he/she already has 'lp' privileges (which could be obtained via one of the previous vulnerabilities, for example). 4. Arbitrary printer creation and Root Certificate Design Flaw (CAN-2002-1367)[7] Remote users can add arbitrary printers to Cups by sending a specially crafted UDP packet. Attackers can use this to add printers with tainted names that, when clicked on in the web administration page, could be used to exploit other vulnerabilities. 5. Negative Length Memcpy() Calls (CAN-2002-1368)[8] Negative length memcpy() calls in the code which handles chunked transfer encodings and content length in the http interface could be used by remote attackers to cause a denial of service condition and possibly execute arbitrary code. 6. Unsafe Strncat Function Call in jobs.c (CAN-2002-1369)[9] There is a buffer overflow vulnerability in the code used to handle job options which, in conjuntion with other vulnerabilities, could be used to obtain root privileges. 7. Zero Width Images in filters/image-gif.c (CAN-2002-1371)[10] Cups does not properly check for zero-length GIF images, which allows remote attackers to execute arbitrary code. 8. File Descriptor Resource Leaks (CAN-2002-1372)[11] Cups does not properly check the return values of various file and socket operations, which could allow a remote attacker to cause a denial of service condition by causing file descriptors to be assigned and not released. The vulnerability below affects Conectiva Linux 7.0, 8 and 9: 9. Denial of service vulnerability (CAN-2003-0195)[12] Phil D'Amore discovered that by sending a partial printing request to the IPP port, remote attackers can cause a denial of service condition, since the request does not time out. Simple commands such as "lpq" stop working as long as the attacker holds the connection with the partial printing request open. Additionally, two other fixes which are not security related have been included in Conectiva Linux 7.0 and 8: 1. Reconnect problem with some HP jetdirect printers; 2. Octetstream has been enabled by default, which allows some printing jobs to be submitted such as those by Windows XP via samba. SOLUTION It is recommended that all cups users upgrade their packages. IMPORTANT: after the upgrade, it is necessary to restart the cups service if it was already running. To do so, execute the following command as root: /sbin/service cups restart UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/cups-1.1.14-1U70_4cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cups-1.1.14-1U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cups-devel-1.1.14-1U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cups-devel-static-1.1.14-1U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cups-doc-1.1.14-1U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cups-libs-1.1.14-1U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/cups-1.1.14-2U80_4cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/cups-1.1.14-2U80_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/cups-devel-1.1.14-2U80_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/cups-devel-static-1.1.14-2U80_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/cups-doc-1.1.14-2U80_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/cups-libs-1.1.14-2U80_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/SRPMS/cups-1.1.18-29091U90_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/cups-1.1.18-29091U90_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/cups-devel-1.1.18-29091U90_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/cups-devel-static-1.1.18-29091U90_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/cups-doc-1.1.18-29091U90_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/cups-libs-1.1.18-29091U90_1cl.i386.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- Copyright (c) 2003 Conectiva Inc. http://www.conectiva.com - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribeat_private unsubscribe: conectiva-updates-unsubscribeat_private -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE/HYwc42jd0JmAcZARAtiUAKDplssuctl81JeOczaInYu9G8OVqwCgz2Um 50JG8ogfPb/GNqRa5Je7OJo= =ar/E -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 13:33:03 PDT