Date:         Tue, 20 Jun 2000 13:20:02 -0500
From: Jeff Licquia <jeff@LUCI.ORG>
Subject:      CUPS DoS Bugs
To: BUGTRAQ@SECURITYFOCUS.COM

A Debian user (thanks, Alexander Hvostov!) reported a DoS bug in
Debian's CUPS packages (cupsys).  After working with the vendor on the
issue, they subsequently discovered a few more.  The original bug, at
least, is remotely exploitable.  The beta versions of CUPS 1.1 are not
vulnerable, at least since beta 3.

A patch is available from Easy Software Products at:

  ftp://ftp.easysw.com/pub/cups/1.0.5

Debian 2.1 ("slink") is unaffected, as it does not include the cupsys
packages.  Debian 2.2 ("potato") and Debian unstable ("woody") are
affected.  The fixed packages are version 1.0.4-7; they will be
installed as part of the next Test Cycle for potato.  They are also
available (for i386) at:

  http://www.debian.org/~licquia/cupsys_1.0.4-7_i386.deb
  http://www.debian.org/~licquia/cupsys-bsd_1.0.4-7_i386.deb
  http://www.debian.org/~licquia/libcupsys1_1.0.4-7_i386.deb
  http://www.debian.org/~licquia/libcupsys1-dev_1.0.4-7_i386.deb

For other architectures (or if you prefer building from source), here
is the patch to build the packages:

  http://www.debian.org/~licquia/cupsys_1.0.4-7.diff.gz

My thanks to the original reporter of the bug, Alexander Hvostov, for
his patience, and to Easy Software Products and Michael Sweet for
being both responsive and responsible.

Here is the blurb from the top of the vendor patch file:
-----

CUPS 1.0.5 Denial of Service Patch Set #1 - 06/16/2000
------------------------------------------------------ 

This patch file fixes potential Denial-of-Service bugs in CUPS 1.0.5.
These fixes are also part of CUPS 1.1b3 and beyond.

Specific DoS fixes:  

    - Malformed IPP requests could crash cupsd.
    - Standard CGI form POSTs could crash cupsd.
    - The cupsd program did not always delete request files when
      needed.
    - Authenticating with a non-existent user or a user with
      no shadow password could crash cupsd.

This patch set also includes:

    - cupsSystem() didn't close the cupsd.conf file.
    - The texttops filter made underlines that were too
      thick.
    - The lpstat command didn't show a device for remote
      printers, and would stop the listing prematurely.
    - The lpstat command didn't show printers after the
      first printer with an active job.
    - Remote raw IPP printing didn't pass the raw option
      properly.

Please report any problems with this patch to "cups-support@cups.org".

