From owner-freebsd-security@FreeBSD.ORG Thu Nov 20 08:58:29 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 073471065673; Thu, 20 Nov 2008 08:58:29 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 5DF568FC22; Thu, 20 Nov 2008 08:58:28 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=eqaeNoil7nouZVGMuJl/fTufDt6SU/3MK4M85SNOgfl2DO3l8QjtoodTchk8SeRmU+xI4tna/IjK8fSVItzPS5kTvSskU/uGeE/5+pthNtWZIQ2WQWJFBKwNwNzfj++63bVlwBAUH8tnHDUcchmpKcWO132CNdJ34uI6qnlUzk8=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1L35Mo-000EoC-Uq; Thu, 20 Nov 2008 11:58:27 +0300 Date: Thu, 20 Nov 2008 11:58:25 +0300 From: Eygene Ryabinkin To: FreeBSD-gnats-submit@freebsd.org Message-ID: References: <20081120003600.6DB2F1AF41B@void.codelabs.ru> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="J2SCkAp4GZ/dPZZf" Content-Disposition: inline In-Reply-To: <20081120003600.6DB2F1AF41B@void.codelabs.ru> Sender: rea-fbsd@codelabs.ru Cc: dinoex@freebsd.org, freebsd-security@freebsd.org Subject: Re: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Nov 2008 08:58:29 -0000 --J2SCkAp4GZ/dPZZf Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Me again. Thu, Nov 20, 2008 at 03:36:00AM +0300, Eygene Ryabinkin wrote: > It was discovered [1] that CUPS up to 1.3.9 has code path that will > dereference NULL pointer and it is trivially reproducible when user hits > the subscription limit, for example via repeated commands 'lpr -m > '. >=20 > [1] http://www.openwall.com/lists/oss-security/2008/11/19/4/ and > the rest of the thread. Michael Sweet provided more complete patch [2] that is already in the 1.3.x Subversion repository. [2] http://www.openwall.com/lists/oss-security/2008/11/20/2 Had tested the patch -- it works too. Attaching modified port patch and reworked VuXML entry. --- 1.3.9-to-1.3.9_1-fix-null-deference-upstream.patch begins here --- diff -urN ./Makefile ../cups-base/Makefile --- ./Makefile 2008-11-20 02:48:10.000000000 +0300 +++ ../cups-base/Makefile 2008-11-20 03:07:03.000000000 +0300 @@ -7,6 +7,7 @@ =20 PORTNAME=3D cups PORTVERSION=3D 1.3.9 +PORTREVISION=3D 1 DISTVERSIONSUFFIX=3D -source CATEGORIES=3D print MASTER_SITES=3D EASYSW/${PORTNAME}/${DISTVERSION} diff -urN ./files/patch-fix-subscriptions-null-dereference ../cups-base/fil= es/patch-fix-subscriptions-null-dereference --- ./files/patch-fix-subscriptions-null-dereference 1970-01-01 03:00:00.00= 0000000 +0300 +++ ../cups-base/files/patch-fix-subscriptions-null-dereference 2008-11-20 = 11:33:59.000000000 +0300 @@ -0,0 +1,179 @@ +Obtained from: Michael Sweet, via oss-security list, + http://www.openwall.com/lists/oss-security/2008/11/20/2 + +Index: test/run-stp-tests.sh +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- test/run-stp-tests.sh (revision 8145) ++++ test/run-stp-tests.sh (revision 8146) +@@ -307,6 +307,7 @@ + DocumentRoot $root/doc + RequestRoot /tmp/cups-$user/spool + TempDir /tmp/cups-$user/spool/temp ++MaxSubscriptions 3 + MaxLogSize 0 + AccessLog /tmp/cups-$user/log/access_log + ErrorLog /tmp/cups-$user/log/error_log +Index: test/4.4-subscription-ops.test +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- test/4.4-subscription-ops.test (revision 8145) ++++ test/4.4-subscription-ops.test (revision 8146) +@@ -116,7 +116,33 @@ + EXPECT notify-events + DISPLAY notify-events + } ++{ ++ # The name of the test... ++ NAME "Check MaxSubscriptions limits" +=20 ++ # The operation to use ++ OPERATION Create-Printer-Subscription ++ RESOURCE / ++ ++ # The attributes to send ++ GROUP operation ++ ATTR charset attributes-charset utf-8 ++ ATTR language attributes-natural-language en ++ ATTR uri printer-uri $method://$hostname:$port/printers/Test1 ++ ++ GROUP subscription ++ ATTR uri notify-recipient-uri testnotify:// ++ ATTR keyword notify-events printer-state-changed ++ ATTR integer notify-lease-duration 5 ++ ++ # What statuses are OK? ++ STATUS client-error-too-many-subscriptions ++ ++ # What attributes do we expect? ++ EXPECT attributes-charset ++ EXPECT attributes-natural-language ++} ++ + # + # End of "$Id$" + # +Index: scheduler/subscriptions.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- scheduler/subscriptions.c (revision 8145) ++++ scheduler/subscriptions.c (revision 8146) +@@ -341,9 +341,55 @@ + * Limit the number of subscriptions... + */ +=20 +- if (cupsArrayCount(Subscriptions) >=3D MaxSubscriptions) ++ if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >=3D MaxSubsc= riptions) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptions %d", ++ MaxSubscriptions); + return (NULL); ++ } +=20 ++ if (MaxSubscriptionsPerJob > 0 && job) ++ { ++ int count; /* Number of job subscriptions */ ++ ++ for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count =3D 0; ++ temp; ++ temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->job =3D=3D job) ++ count ++; ++ ++ if (count >=3D MaxSubscriptionsPerJob) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d " ++ "for job #%d", MaxSubscriptionsPerJob, job->id); ++ return (NULL); ++ } ++ } ++ ++ if (MaxSubscriptionsPerPrinter > 0 && dest) ++ { ++ int count; /* Number of printer subscriptions */ ++ ++ for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count =3D 0; ++ temp; ++ temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->dest =3D=3D dest) ++ count ++; ++ ++ if (count >=3D MaxSubscriptionsPerPrinter) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached " ++ "MaxSubscriptionsPerPrinter %d for %s", ++ MaxSubscriptionsPerPrinter, dest->name); ++ return (NULL); ++ } ++ } ++ + /* + * Allocate memory for this subscription... + */ +@@ -758,7 +804,6 @@ + cupsdLogMessage(CUPSD_LOG_ERROR, + "Syntax error on line %d of subscriptions.conf.", + linenum); +- break; + } + else if (!strcasecmp(line, "Events")) + { +Index: scheduler/ipp.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- scheduler/ipp.c (revision 8145) ++++ scheduler/ipp.c (revision 8146) +@@ -2119,24 +2119,25 @@ + if (mask =3D=3D CUPSD_EVENT_NONE) + mask =3D CUPSD_EVENT_JOB_COMPLETED; +=20 +- sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, rec= ipient, +- 0); ++ if ((sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, ++ recipient, 0)) !=3D NULL) ++ { ++ sub->interval =3D interval; +=20 +- sub->interval =3D interval; ++ cupsdSetString(&sub->owner, job->username); +=20 +- cupsdSetString(&sub->owner, job->username); ++ if (user_data) ++ { ++ sub->user_data_len =3D user_data->values[0].unknown.length; ++ memcpy(sub->user_data, user_data->values[0].unknown.data, ++ sub->user_data_len); ++ } +=20 +- if (user_data) +- { +- sub->user_data_len =3D user_data->values[0].unknown.length; +- memcpy(sub->user_data, user_data->values[0].unknown.data, +- sub->user_data_len); ++ ippAddSeparator(con->response); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, ++ "notify-subscription-id", sub->id); + } +=20 +- ippAddSeparator(con->response); +- ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, +- "notify-subscription-id", sub->id); +- + if (attr) + attr =3D attr->next; + } +@@ -5590,7 +5591,12 @@ + else + job =3D NULL; +=20 +- sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0); ++ if ((sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0)) = =3D=3D NULL) ++ { ++ send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS, ++ _("There are too many subscriptions.")); ++ return; ++ } +=20 + if (job) + cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d", --- 1.3.9-to-1.3.9_1-fix-null-deference-upstream.patch ends here --- --- vuln.xml begins here --- cups scheduler -- Denial of Service by authorized client cups-base 1.3.9_1

ChangeLog for CUPS 1.3.10 says:

The scheduler would crash if you exceeded the MaxSubscriptions limit.

http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt http://www.openwall.com/lists/oss-security/2008/11/19/4/ 2008-11-19 --- vuln.xml ends here --- --=20 Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual =20 )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook=20 {_.-``-' {_/ # --J2SCkAp4GZ/dPZZf Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkklJrEACgkQthUKNsbL7YivfwCfW8aGtLdJgzEbABU9n6tg72+o wj4AoIIBOJczQhYJajVsdsCpuHSTcd+u =sN47 -----END PGP SIGNATURE----- --J2SCkAp4GZ/dPZZf--