From owner-freebsd-ports-bugs@FreeBSD.ORG  Thu Nov 20 00:40:02 2008
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2F3E61065673;
	Thu, 20 Nov 2008 00:40:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 0D5FA8FC17;
	Thu, 20 Nov 2008 00:40:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAK0e1W9030133;
	Thu, 20 Nov 2008 00:40:01 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAK0e1RC030132;
	Thu, 20 Nov 2008 00:40:01 GMT (envelope-from gnats)
Resent-Date: Thu, 20 Nov 2008 00:40:01 GMT
Resent-Message-Id: <200811200040.mAK0e1RC030132@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: freebsd-security@freebsd.org, dinoex@freebsd.org
Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org,
	Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CC3B31065672
	for <FreeBSD-gnats-submit@freebsd.org>;
	Thu, 20 Nov 2008 00:36:01 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id 82C1D8FC13
	for <FreeBSD-gnats-submit@freebsd.org>;
	Thu, 20 Nov 2008 00:36:01 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25])
	by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256)
	id 1L2xWa-00023g-Jb for FreeBSD-gnats-submit@freebsd.org;
	Thu, 20 Nov 2008 03:36:00 +0300
Message-Id: <20081120003600.6DB2F1AF41B@void.codelabs.ru>
Date: Thu, 20 Nov 2008 03:36:00 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: freebsd-security@freebsd.org, dinoex@freebsd.org
Cc: 
Subject: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer
	dereference
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Nov 2008 00:40:02 -0000


>Number:         129001
>Category:       ports
>Synopsis:       [vuxml] [patch] print/cups-base: fix NULL-pointer dereference
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 20 00:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE i386

>Description:

It was discovered [1] that CUPS up to 1.3.9 has code path that will
dereference NULL pointer and it is trivially reproducible when user hits
the subscription limit, for example via repeated commands 'lpr -m
<somefile>'.

[1] http://www.openwall.com/lists/oss-security/2008/11/19/4/ and
    the rest of the thread.

>How-To-Repeat:

Set 'MaxSubscriptions' in the cupsd.conf to some small value and invoke
'lpr -m <somefile>' multiple times.  You'll see that after some attempt
server will be unreachable due to its crash.  Default value of 100 for
MaxSubscription does not prevent the DoS, because many big files could
be feeded to CUPS daemon.

>Fix:

There is no official fix yet -- I had just informed CUPS developer and
posted the simple patch to the oss-security mailing list.  Here is the
patch that will introduce checks for the values returned by
cupsdAddSubscription() and bump port version:

--- 1.3.9-to-1.3.9_1-fix-null-deference.patch begins here ---
diff -urN ./Makefile ../cups-base/Makefile
--- ./Makefile	2008-11-20 02:48:10.000000000 +0300
+++ ../cups-base/Makefile	2008-11-20 03:07:03.000000000 +0300
@@ -7,6 +7,7 @@
 
 PORTNAME=	cups
 PORTVERSION=	1.3.9
+PORTREVISION=	1
 DISTVERSIONSUFFIX=	-source
 CATEGORIES=	print
 MASTER_SITES=	EASYSW/${PORTNAME}/${DISTVERSION}
diff -urN ./files/patch-fix-subscriptions-null-dereference ../cups-base/files/patch-fix-subscriptions-null-dereference
--- ./files/patch-fix-subscriptions-null-dereference	1970-01-01 03:00:00.000000000 +0300
+++ ../cups-base/files/patch-fix-subscriptions-null-dereference	2008-11-20 03:11:26.000000000 +0300
@@ -0,0 +1,48 @@
+--- scheduler/subscriptions.c.orig	2008-11-20 02:57:17.000000000 +0300
++++ scheduler/subscriptions.c	2008-11-20 03:02:06.000000000 +0300
+@@ -728,6 +728,13 @@
+       {
+         sub = cupsdAddSubscription(CUPSD_EVENT_NONE, NULL, NULL, NULL,
+ 	                           atoi(value));
++	if (!sub)
++	{
++          cupsdLogMessage(CUPSD_LOG_ERROR,
++	                  "Unable to add new subscription.  Was parsing line %d of subscriptions.conf.",
++	                  linenum);
++          break;
++	}
+       }
+       else
+       {
+--- scheduler/ipp.c.orig	2008-11-20 02:55:59.000000000 +0300
++++ scheduler/ipp.c	2008-11-20 02:56:03.000000000 +0300
+@@ -2121,6 +2121,14 @@
+ 
+     sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, recipient,
+                                0);
++    if (!sub)
++    {
++      cupsdLogMessage(CUPSD_LOG_ERROR,
++		      "Failed to create subscription for job %d", job->id);
++      send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
++                      _("Unable to add new subscription"));
++      return;
++    }
+ 
+     sub->interval = interval;
+ 
+@@ -5591,6 +5599,14 @@
+       job = NULL;
+ 
+     sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
++    if (!sub)
++    {
++      cupsdLogMessage(CUPSD_LOG_ERROR,
++		      "Failed to create subscription for job %d", job->id);
++      send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
++                      _("Unable to add new subscription"));
++      return;
++    }
+ 
+     if (job)
+       cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",
--- 1.3.9-to-1.3.9_1-fix-null-deference.patch ends here ---

The preliminary VuXML entry follows:
--- vuln.xml begins here ---
  <vuln vid="unknown">
    <topic>cups -- Denial of Service by authenticated client</topic>
    <affects>
      <package>
	<name>cups-base</name>
	<range><lt>1.3.9_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Josh Bressers discovered that CUPS daemon can be crashed
	via trivial NULL-pointer dereference:</p>
	<blockquote cite="http://www.openwall.com/lists/oss-security/2008/11/19/4/">
	<p>The upstream fix could still obviously let a local
	authenticated user crash the server.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <mlist>http://www.openwall.com/lists/oss-security/2008/11/19/4/</mlist>
    </references>
    <dates>
      <discovery>2008-11-19</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---

Please, note that this vulnerability was already disclosed in the
oss-security mailing list, so there is no much sense in hiding this
discussion.
>Release-Note:
>Audit-Trail:
>Unformatted: