Date:      Thu, 20 Nov 2008 03:36:00 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference
Message-ID:  <20081120003600.6DB2F1AF41B@void.codelabs.ru>
Resent-Message-ID: <200811200040.mAK0e1RC030132@freefall.freebsd.org>


>Number:         129001
>Category:       ports
>Synopsis:       [vuxml] [patch] print/cups-base: fix NULL-pointer dereference
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 20 00:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE i386

>Description:

It was discovered [1] that CUPS up to 1.3.9 has a code path that will
dereference a NULL pointer, and it is trivially reproducible when a user hits
the subscription limit, for example via repeated 'lpr -m <somefile>'
commands.

[1] http://www.openwall.com/lists/oss-security/2008/11/19/4/ and
    the rest of the thread.

>How-To-Repeat:

Set 'MaxSubscriptions' in the cupsd.conf to some small value and invoke
'lpr -m <somefile>' multiple times.  You'll see that after some attempt the
server will be unreachable due to its crash.  The default value of 100 for
MaxSubscriptions does not prevent the DoS, because many big files could
be fed to the CUPS daemon.

>Fix:

There is no official fix yet -- I have just informed the CUPS developer and
posted a simple patch to the oss-security mailing list.  Here is the
patch that introduces checks for the values returned by
cupsdAddSubscription() and bumps the port version:

--- 1.3.9-to-1.3.9_1-fix-null-deference.patch begins here ---
diff -urN ./Makefile ../cups-base/Makefile
--- ./Makefile	2008-11-20 02:48:10.000000000 +0300
+++ ../cups-base/Makefile	2008-11-20 03:07:03.000000000 +0300
@@ -7,6 +7,7 @@
 
 PORTNAME=	cups
 PORTVERSION=	1.3.9
+PORTREVISION=	1
 DISTVERSIONSUFFIX=	-source
 CATEGORIES=	print
 MASTER_SITES=	EASYSW/${PORTNAME}/${DISTVERSION}
diff -urN ./files/patch-fix-subscriptions-null-dereference ../cups-base/files/patch-fix-subscriptions-null-dereference
--- ./files/patch-fix-subscriptions-null-dereference	1970-01-01 03:00:00.000000000 +0300
+++ ../cups-base/files/patch-fix-subscriptions-null-dereference	2008-11-20 03:11:26.000000000 +0300
@@ -0,0 +1,48 @@
+--- scheduler/subscriptions.c.orig	2008-11-20 02:57:17.000000000 +0300
++++ scheduler/subscriptions.c	2008-11-20 03:02:06.000000000 +0300
+@@ -728,6 +728,13 @@
+       {
+         sub = cupsdAddSubscription(CUPSD_EVENT_NONE, NULL, NULL, NULL,
+ 	                           atoi(value));
++	if (!sub)
++	{
++          cupsdLogMessage(CUPSD_LOG_ERROR,
++	                  "Unable to add new subscription.  Was parsing line %d of subscriptions.conf.",
++	                  linenum);
++          break;
++	}
+       }
+       else
+       {
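Review bot: the `break` taken when `cupsdAddSubscription()` returns NULL abandons the rest of subscriptions.conf, so if this sits in the per-line parsing loop every subscription listed after the failing one is silently dropped on the next load (the only trace is the single "Unable to add new subscription" log line). Either `continue` to the next line, or extend the log message to say the remainder of the file is being skipped, so an admin can tell why subscriptions vanished. The new block also mixes tab and space indentation (`++\tif (!sub)` versus the space-indented `cupsdLogMessage` lines); match the surrounding file's style.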
+--- scheduler/ipp.c.orig	2008-11-20 02:55:59.000000000 +0300
++++ scheduler/ipp.c	2008-11-20 02:56:03.000000000 +0300
+@@ -2121,6 +2121,14 @@
+ 
+     sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, recipient,
+                                0);
++    if (!sub)
++    {
++      cupsdLogMessage(CUPSD_LOG_ERROR,
++		      "Failed to create subscription for job %d", job->id);
++      send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
++                      _("Unable to add new subscription"));
++      return;
++    }
+ 
+     sub->interval = interval;
+ 
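Review bot: the failure path answers the client with `IPP_TOO_MANY_SUBSCRIPTIONS` unconditionally, which assumes the only way `cupsdAddSubscription()` returns NULL is the MaxSubscriptions limit; if it can also fail for other reasons (an allocation failure, for instance), the client receives a misleading status, so either confirm that the limit is the sole NULL case or fall back to a generic error status. Minor: the `"Failed to create subscription for job %d", job->id);` line is tab-indented where the neighbouring lines use spaces.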
+@@ -5591,6 +5599,14 @@
+       job = NULL;
+ 
+     sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
++    if (!sub)
++    {
++      cupsdLogMessage(CUPSD_LOG_ERROR,
++		      "Failed to create subscription for job %d", job->id);
++      send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
++                      _("Unable to add new subscription"));
++      return;
++    }
+ 
+     if (job)
+       cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",
--- 1.3.9-to-1.3.9_1-fix-null-deference.patch ends here ---

The preliminary VuXML entry follows:
--- vuln.xml begins here ---
  <vuln vid="unknown">
    <topic>cups -- Denial of Service by authenticated client</topic>
    <affects>
      <package>
	<name>cups-base</name>
	<range><lt>1.3.9_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Josh Bressers discovered that CUPS daemon can be crashed
	via trivial NULL-pointer dereference:</p>
	<blockquote cite="http://www.openwall.com/lists/oss-security/2008/11/19/4/">
	<p>The upstream fix could still obviously let a local
	authenticated user crash the server.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <mlist>http://www.openwall.com/lists/oss-security/2008/11/19/4/</mlist>
    </references>
    <dates>
      <discovery>2008-11-19</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---

Please note that this vulnerability was already disclosed on the
oss-security mailing list, so there is not much sense in hiding this
discussion.
>Release-Note:
>Audit-Trail:
>Unformatted:
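The failure mode this PR describes, a limit-bounded "add" routine that returns NULL once MaxSubscriptions is reached while its callers keep using the result, is shown below as an added, constructed model. It is not CUPS code and not part of this PR; add_subscription(), create_subscription(), MAX_SUBSCRIPTIONS and the job/subscription structs are hypothetical stand-ins for cupsdAddSubscription(), the cupsd.conf MaxSubscriptions directive and the scheduler's own types. The hardened caller checks the return value and, unlike the third hunk of the patch, keeps its error message safe when the job pointer itself is NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not CUPS code): a bounded subscription table whose
 * "add" routine returns NULL once the limit is reached, plus a caller that
 * handles that NULL correctly. All names are hypothetical stand-ins. */

#define MAX_SUBSCRIPTIONS 3          /* stands in for cupsd.conf MaxSubscriptions */

typedef struct { int id; } job_t;

typedef struct {
  int    id;
  int    interval;
  job_t *job;                        /* NULL for printer-level subscriptions */
} subscription_t;

static subscription_t *table[MAX_SUBSCRIPTIONS];
static int num_subscriptions = 0;

/* Stand-in for cupsdAddSubscription(): NULL means "could not add". */
static subscription_t *add_subscription(job_t *job)
{
  if (num_subscriptions >= MAX_SUBSCRIPTIONS)
    return NULL;                     /* limit reached: every caller must check */

  subscription_t *sub = calloc(1, sizeof(*sub));
  if (!sub)
    return NULL;                     /* allocation failure looks identical to callers */

  sub->id  = num_subscriptions + 1;
  sub->job = job;
  table[num_subscriptions++] = sub;
  return sub;
}

/* Free everything so the scenario can be driven more than once. */
static void reset_subscriptions(void)
{
  for (int i = 0; i < num_subscriptions; i++)
    free(table[i]);
  num_subscriptions = 0;
}

/* Outcome codes standing in for IPP status values. */
enum { STATUS_OK = 0, STATUS_TOO_MANY_SUBSCRIPTIONS = 1 };

/* Hardened caller: checks the result before touching it, and the error
 * message does not dereference 'job', which may legitimately be NULL. */
static int create_subscription(job_t *job, int interval, char *errbuf, size_t errlen)
{
  subscription_t *sub = add_subscription(job);

  if (!sub)
  {
    snprintf(errbuf, errlen, "Failed to create subscription for job %d",
             job ? job->id : 0);     /* safe even when job == NULL */
    return STATUS_TOO_MANY_SUBSCRIPTIONS;
  }

  sub->interval = interval;          /* the line the unpatched code reached with sub == NULL */
  errbuf[0] = '\0';
  return STATUS_OK;
}

/* Drives the PR's scenario: keep requesting subscriptions past the limit,
 * alternating job-level and printer-level (job == NULL) requests, and
 * report how many were rejected instead of crashing the daemon. */
static int rejected_past_limit(int requests)
{
  enum { MAX_REQUESTS = 32 };
  static job_t jobs[MAX_REQUESTS];
  char err[128];
  int  rejected = 0;

  if (requests > MAX_REQUESTS)
    requests = MAX_REQUESTS;

  reset_subscriptions();
  for (int i = 0; i < requests; i++)
  {
    jobs[i].id = 100 + i;
    job_t *job = (i % 2 == 0) ? &jobs[i] : NULL;
    if (create_subscription(job, 30, err, sizeof(err)) != STATUS_OK)
      rejected++;
  }
  return rejected;
}

int main(void)
{
  printf("%d of 5 requests rejected once the limit was reached\n",
         rejected_past_limit(5));
  return 0;
}
```

With a limit of 3, the fourth request (a printer-level one, so job is NULL) is the first to be rejected; with the unguarded `job->id` from the patch's third hunk that error path would itself fault.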
