Gentoo Archives: gentoo-announce

From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200712-14 ] CUPS: Multiple vulnerabilities
Date: Tue, 18 Dec 2007 22:43:24
Message-Id: 200712182326.42368.rbu@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200712-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: CUPS: Multiple vulnerabilities
      Date: December 18, 2007
      Bugs: #199195, #201042, #201570
        ID: 200712-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in CUPS, allowing for the
remote execution of arbitrary code and a Denial of Service.

Background
==========

CUPS provides a portable printing layer for UNIX-based operating
systems. The alternate pdftops filter is a CUPS filter used to convert
PDF files to the Postscript format via Poppler; the filter is installed
by default in Gentoo Linux.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /   Vulnerable   /                     Unaffected
    -------------------------------------------------------------------
  1  net-print/cups        < 1.3.5                      *>= 1.2.12-r4
                                                             >= 1.3.5

Description
===========

Wei Wang (McAfee AVERT Research) discovered an integer underflow in the
asn1_get_string() function of the SNMP backend, leading to a
stack-based buffer overflow when handling SNMP responses
(CVE-2007-5849). Elias Pipping (Gentoo) discovered that the alternate
pdftops filter creates temporary files with predictable file names when
reading from standard input (CVE-2007-6358). Furthermore, the
resolution of a Denial of Service vulnerability covered in GLSA
200703-28 introduced another Denial of Service vulnerability within SSL
handling (CVE-2007-4045).

Impact
======

A remote attacker on the local network could exploit the first
vulnerability to execute arbitrary code with elevated privileges by
sending specially crafted SNMP messages as a response to an SNMP
broadcast request. A local attacker could exploit the second
vulnerability to overwrite arbitrary files with the privileges of the
user running the CUPS spooler (usually lp) by using symlink attacks. A
remote attacker could cause a Denial of Service condition via the third
vulnerability when SSL is enabled in CUPS.

Workaround
==========

To disable SNMP support in CUPS, you have to manually delete the
file "/usr/libexec/cups/backend/snmp". Please note that the file is
reinstalled if you merge CUPS again later. To disable the pdftops
filter, delete all lines referencing "pdftops" in CUPS' "mime.convs"
configuration file. To work around the third vulnerability, disable SSL
support via the corresponding USE flag.
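
The following check is an added example, not part of the original
advisory or of Gentoo's tooling. It reports which of the three
workarounds above are still outstanding on a host. The function name
check_cups_workarounds, the location /etc/cups/mime.convs and the use of
the Portage database file /var/db/pkg/net-print/cups-<version>/USE to
read the enabled USE flags are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example: report which of the advisory's three workarounds are
# still outstanding. Returns the number of open findings.
# Usage: check_cups_workarounds [ROOT]   (ROOT is an optional path prefix)
check_cups_workarounds() {
    root=${1:-}
    snmp_backend="$root/usr/libexec/cups/backend/snmp"
    mime_convs="$root/etc/cups/mime.convs"        # assumed location
    findings=0

    # Workaround 1: the SNMP backend file must be gone.
    if [ -e "$snmp_backend" ]; then
        echo "OPEN: SNMP backend present: $snmp_backend"
        findings=$((findings + 1))
    else
        echo "OK:   SNMP backend not installed"
    fi

    # Workaround 2: no active (uncommented) line may reference pdftops.
    if [ -f "$mime_convs" ] &&
       grep -v '^[[:space:]]*#' "$mime_convs" | grep -q 'pdftops'; then
        echo "OPEN: pdftops referenced in $mime_convs"
        findings=$((findings + 1))
    else
        echo "OK:   no active pdftops line found"
    fi

    # Workaround 3: the installed package must not list the ssl USE flag.
    # cups-[0-9]* skips sibling packages such as net-print/cups-pdf.
    for use_file in "$root"/var/db/pkg/net-print/cups-[0-9]*/USE; do
        [ -f "$use_file" ] || continue
        if tr -s ' ' '\n' < "$use_file" | grep -qx 'ssl'; then
            echo "OPEN: ssl USE flag enabled in $use_file"
            findings=$((findings + 1))
        else
            echo "OK:   ssl USE flag not enabled in $use_file"
        fi
    done
    return "$findings"
}
```

Because the SNMP backend is reinstalled whenever CUPS is merged again,
rerun the check after every CUPS rebuild until the upgrade below is in
place.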

Resolution
==========

All CUPS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-print/cups-1.2.12-r4"

References
==========

  [ 1 ] CVE-2007-4045
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4045
  [ 2 ] CVE-2007-5849
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5849
  [ 3 ] CVE-2007-6358
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6358
  [ 4 ] GLSA 200703-28
        http://www.gentoo.org/security/en/glsa/glsa-200703-28.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200712-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
