From e5f3dcd98829b3d13be3f4a4c222a98c865c38c9 Mon Sep 17 00:00:00 2001 From: "Simon L. B. Nielsen" Date: Sun, 16 Jan 2005 23:15:54 +0000 Subject: [PATCH] Document two vulnerabilities in CUPS. Heads up by: Hilko Meyer --- security/vuxml/vuln.xml | 80 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 5ccf773d3a67..2158c36f68a2 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -32,6 +32,86 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --> + + cups-lpr -- lppasswd multiple vulnerabilities + + + cups-lpr + fr-cups-lpr + 1.1.23 + + + + +

D. J. Bernstein reports that Bartlomiej Sieka has + discovered several security vulnerabilities in lppasswd, + which is part of CUPS:

+
+

First, lppasswd blithely ignores write errors in + fputs(line,outfile) at lines 311 and 315 of lppasswd.c, + and in fprintf(...) at line 346. An attacker who fills up + the disk at the right moment can arrange for + /usr/local/etc/cups/passwd to be truncated.

+

Second, if lppasswd bumps into a file-size resource limit + while writing passwd.new, it leaves passwd.new in place, + disabling all subsequent invocations of lppasswd. Any + local user can thus disable lppasswd...

+

Third, line 306 of lppasswd.c prints an error message to + stderr but does not exit. This is not a problem on systems + that ensure that file descriptors 0, 1, and 2 are open for + setuid programs, but it is a problem on other systems; + lppasswd does not check that passwd.new is different from + stderr, so it ends up writing a user-controlled error + message to passwd if the user closes file descriptor + 2.

+
+ +
+ + CAN-2004-1268 + CAN-2004-1269 + CAN-2004-1270 + 12007 + 12004 + http://www.cups.org/str.php?L1023 + http://tigger.uic.edu/~jlongs2/holes/cups2.txt + + + 2004-12-11 + 2005-01-17 + +
+ + + cups-base -- HPGL buffer overflow vulnerability + + + cups-base + fr-cups-base + 1.1.23 + + + + +

Ariel Berkman has discovered a buffer overflow + vulnerability in CUPS's HPGL input driver. This + vulnerability could be exploited to execute arbitrary code + with the permission of the CUPS server by printing a + specially crated HPGL file.

+ +
+ + 11968 + CAN-2004-1267 + http://tigger.uic.edu/~jlongs2/holes/cups.txt + http://www.cups.org/str.php?L1024 + + + 2004-12-15 + 2005-01-17 + +
+ mysql-scripts -- mysqlaccess insecure temporary file creation
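Review bot: The description of the new cups-base entry has a typo: "specially crated HPGL file" should read "specially crafted HPGL file". In the same sentence, "with the permission of the CUPS server" would read better as "with the permissions of the CUPS server". The two new entries also order their references differently: the lppasswd entry lists CAN-2004-1268 through CAN-2004-1270 before 12007 and 12004, while the HPGL entry lists 11968 before CAN-2004-1267. Using one order in both would keep the file consistent.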