Date: Thu, 20 Nov 2008 11:58:25 +0300 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: FreeBSD-gnats-submit@freebsd.org Cc: dinoex@freebsd.org, freebsd-security@freebsd.org Subject: Re: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference Message-ID: <XSQkSIG2M/T2rfwmgGIHs0VxRhc@8JJ32SOFyZN%2BjilTN00X028LjFM> In-Reply-To: <20081120003600.6DB2F1AF41B@void.codelabs.ru> References: <20081120003600.6DB2F1AF41B@void.codelabs.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
--J2SCkAp4GZ/dPZZf Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Me again. Thu, Nov 20, 2008 at 03:36:00AM +0300, Eygene Ryabinkin wrote: > It was discovered [1] that CUPS up to 1.3.9 has code path that will > dereference NULL pointer and it is trivially reproducible when user hits > the subscription limit, for example via repeated commands 'lpr -m > <somefile>'. >=20 > [1] http://www.openwall.com/lists/oss-security/2008/11/19/4/ and > the rest of the thread. Michael Sweet provided more complete patch [2] that is already in the 1.3.x Subversion repository. [2] http://www.openwall.com/lists/oss-security/2008/11/20/2 Had tested the patch -- it works too. Attaching modified port patch and reworked VuXML entry. --- 1.3.9-to-1.3.9_1-fix-null-deference-upstream.patch begins here --- diff -urN ./Makefile ../cups-base/Makefile --- ./Makefile 2008-11-20 02:48:10.000000000 +0300 +++ ../cups-base/Makefile 2008-11-20 03:07:03.000000000 +0300 @@ -7,6 +7,7 @@ =20 PORTNAME=3D cups PORTVERSION=3D 1.3.9 +PORTREVISION=3D 1 DISTVERSIONSUFFIX=3D -source CATEGORIES=3D print MASTER_SITES=3D EASYSW/${PORTNAME}/${DISTVERSION} diff -urN ./files/patch-fix-subscriptions-null-dereference ../cups-base/fil= es/patch-fix-subscriptions-null-dereference --- ./files/patch-fix-subscriptions-null-dereference 1970-01-01 03:00:00.00= 0000000 +0300 +++ ../cups-base/files/patch-fix-subscriptions-null-dereference 2008-11-20 = 11:33:59.000000000 +0300 @@ -0,0 +1,179 @@ +Obtained from: Michael Sweet, via oss-security list, + http://www.openwall.com/lists/oss-security/2008/11/20/2 + +Index: test/run-stp-tests.sh +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- test/run-stp-tests.sh (revision 8145) ++++ test/run-stp-tests.sh (revision 8146) +@@ -307,6 +307,7 @@ + DocumentRoot $root/doc + RequestRoot /tmp/cups-$user/spool + TempDir /tmp/cups-$user/spool/temp ++MaxSubscriptions 3 + MaxLogSize 0 + AccessLog /tmp/cups-$user/log/access_log + ErrorLog /tmp/cups-$user/log/error_log +Index: test/4.4-subscription-ops.test +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- test/4.4-subscription-ops.test (revision 8145) ++++ test/4.4-subscription-ops.test (revision 8146) +@@ -116,7 +116,33 @@ + EXPECT notify-events + DISPLAY notify-events + } ++{ ++ # The name of the test... ++ NAME "Check MaxSubscriptions limits" +=20 ++ # The operation to use ++ OPERATION Create-Printer-Subscription ++ RESOURCE / ++ ++ # The attributes to send ++ GROUP operation ++ ATTR charset attributes-charset utf-8 ++ ATTR language attributes-natural-language en ++ ATTR uri printer-uri $method://$hostname:$port/printers/Test1 ++ ++ GROUP subscription ++ ATTR uri notify-recipient-uri testnotify:// ++ ATTR keyword notify-events printer-state-changed ++ ATTR integer notify-lease-duration 5 ++ ++ # What statuses are OK? ++ STATUS client-error-too-many-subscriptions ++ ++ # What attributes do we expect? ++ EXPECT attributes-charset ++ EXPECT attributes-natural-language ++} ++ + # + # End of "$Id$" + # +Index: scheduler/subscriptions.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- scheduler/subscriptions.c (revision 8145) ++++ scheduler/subscriptions.c (revision 8146) +@@ -341,9 +341,55 @@ + * Limit the number of subscriptions... + */ +=20 +- if (cupsArrayCount(Subscriptions) >=3D MaxSubscriptions) ++ if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >=3D MaxSubsc= riptions) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptions %d", ++ MaxSubscriptions); + return (NULL); ++ } +=20 ++ if (MaxSubscriptionsPerJob > 0 && job) ++ { ++ int count; /* Number of job subscriptions */ ++ ++ for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count =3D 0; ++ temp; ++ temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->job =3D=3D job) ++ count ++; ++ ++ if (count >=3D MaxSubscriptionsPerJob) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d " ++ "for job #%d", MaxSubscriptionsPerJob, job->id); ++ return (NULL); ++ } ++ } ++ ++ if (MaxSubscriptionsPerPrinter > 0 && dest) ++ { ++ int count; /* Number of printer subscriptions */ ++ ++ for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count =3D 0; ++ temp; ++ temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->dest =3D=3D dest) ++ count ++; ++ ++ if (count >=3D MaxSubscriptionsPerPrinter) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached " ++ "MaxSubscriptionsPerPrinter %d for %s", ++ MaxSubscriptionsPerPrinter, dest->name); ++ return (NULL); ++ } ++ } ++ + /* + * Allocate memory for this subscription... + */ +@@ -758,7 +804,6 @@ + cupsdLogMessage(CUPSD_LOG_ERROR, + "Syntax error on line %d of subscriptions.conf.", + linenum); +- break; + } + else if (!strcasecmp(line, "Events")) + { +Index: scheduler/ipp.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- scheduler/ipp.c (revision 8145) ++++ scheduler/ipp.c (revision 8146) +@@ -2119,24 +2119,25 @@ + if (mask =3D=3D CUPSD_EVENT_NONE) + mask =3D CUPSD_EVENT_JOB_COMPLETED; +=20 +- sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, rec= ipient, +- 0); ++ if ((sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, ++ recipient, 0)) !=3D NULL) ++ { ++ sub->interval =3D interval; +=20 +- sub->interval =3D interval; ++ cupsdSetString(&sub->owner, job->username); +=20 +- cupsdSetString(&sub->owner, job->username); ++ if (user_data) ++ { ++ sub->user_data_len =3D user_data->values[0].unknown.length; ++ memcpy(sub->user_data, user_data->values[0].unknown.data, ++ sub->user_data_len); ++ } +=20 +- if (user_data) +- { +- sub->user_data_len =3D user_data->values[0].unknown.length; +- memcpy(sub->user_data, user_data->values[0].unknown.data, +- sub->user_data_len); ++ ippAddSeparator(con->response); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, ++ "notify-subscription-id", sub->id); + } +=20 +- ippAddSeparator(con->response); +- ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, +- "notify-subscription-id", sub->id); +- + if (attr) + attr =3D attr->next; + } +@@ -5590,7 +5591,12 @@ + else + job =3D NULL; +=20 +- sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0); ++ if ((sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0)) = =3D=3D NULL) ++ { ++ send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS, ++ _("There are too many subscriptions.")); ++ return; ++ } +=20 + if (job) + cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d", --- 1.3.9-to-1.3.9_1-fix-null-deference-upstream.patch ends here --- --- vuln.xml begins here --- <vuln vid=3D"unknown"> <topic>cups scheduler -- Denial of Service by authorized client</topic> <affects> <package> <name>cups-base</name> <range><lt>1.3.9_1</lt></range> </package> </affects> <description> <body xmlns=3D"http://www.w3.org/1999/xhtml">; <p>ChangeLog for CUPS 1.3.10 says:</p> <blockquote cite=3D"http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.tx= t"> <p>The scheduler would crash if you exceeded the MaxSubscriptions limit.</p> </blockquote> </body> </description> <references> <url>http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt</url>; <mlist>http://www.openwall.com/lists/oss-security/2008/11/19/4/</mlis= t> </references> <dates> <discovery>2008-11-19</discovery> </dates> </vuln> --- vuln.xml ends here --- --=20 Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual =20 )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook=20 {_.-``-' {_/ # --J2SCkAp4GZ/dPZZf Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkklJrEACgkQthUKNsbL7YivfwCfW8aGtLdJgzEbABU9n6tg72+o wj4AoIIBOJczQhYJajVsdsCpuHSTcd+u =sN47 -----END PGP SIGNATURE----- --J2SCkAp4GZ/dPZZf--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XSQkSIG2M/T2rfwmgGIHs0VxRhc>