Bug 64369 (CVE-2004-1267)

Summary: VUL-0: CVE-2004-1267: CUPS hpgltops ParseCommand overflows
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-1267: CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: 21.hpgl.gz
21.hpgl

Description Ludwig Nussel 2004-12-17 20:17:36 UTC
We received the following report.
The issue is public.

The mentioned attachment was not included as we didn't receive the
original mail but as upstream apparently was notified they may have
it.

From djb@cr.yp.to Wed Dec 15 14:21:33 2004
Date: 15 Dec 2004 08:20:11 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, cups@easysw.com
Subject: [remote] [control] CUPS 1.1.22 hpgltops ParseCommand overflows buf

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in CUPS. I'm publishing
this notice, but all the discovery credits should be assigned to
Berkman.

A CUPS installation is at risk whenever it prints an HPGL file obtained
from email (or a web page or any other source that could be controlled
by an attacker). You are at risk if you print data through a CUPS
installation at risk. The source of the HPGL file has complete control
over the CUPS ``lp'' account; in particular, he can read and modify the
files you are printing.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/print/cups
   make install

to download and compile the CUPS package, version 1.1.22 (current).
Then, as any user, save the file 21.hpgl.gz attached to this message,
and type

   gunzip 21.hpgl
   /usr/local/libexec/cups/filter/hpgltops \
   15 $USER test-title 1 none 21.hpgl > 21.ps

with the unauthorized result that a file named x is removed from the
current directory. (I tested this with a 541-byte environment, as
reported by printenv | wc -c.)

Here's the bug: In hpgl-input.c, ParseCommand() reads any number of
bytes into a 262144-byte buf[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

    [ Part 2, Application/X-GUNZIP  692bytes. ]
    [ Unable to print this part. ]
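To make the reported defect concrete, here is an added example, not code from CUPS or from the report: a bounded reader for the two-letter-mnemonic-plus-parameters HPGL command syntax that hpgltops parses. PARAM_MAX, parse_command and the status enum are hypothetical names; the tiny cap stands in for the 262144-byte buf[] so the overlong case is easy to reach, and the read loop refuses an oversized command instead of copying past the end of the buffer.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical cap, kept small so the limit is easy to exercise; the
 * report says the real buf[] in ParseCommand() was 262144 bytes. */
#define PARAM_MAX 16

typedef enum { HPGL_OK, HPGL_EOF, HPGL_BAD_NAME, HPGL_TOO_LONG } hpgl_status;
/* Read one HPGL command (two-letter mnemonic, parameters, ';') from the
 * NUL-terminated text s starting at *pos. name receives the mnemonic and
 * params at most PARAM_MAX-1 bytes; a parameter string that would not fit
 * is rejected instead of being copied past the end of the buffer. */
hpgl_status parse_command(const char *s, size_t *pos, char name[3],
                          char params[PARAM_MAX])
{
    size_t i = *pos, n = 0;
    while (s[i] != '\0' && strchr(" \t\r\n,;", s[i]) != NULL)
        i++;                                   /* skip separators */
    if (s[i] == '\0')
        return HPGL_EOF;
    if (!isalpha((unsigned char)s[i]) || !isalpha((unsigned char)s[i + 1])) {
        *pos = i + 1;                          /* resync past the bad byte */
        return HPGL_BAD_NAME;
    }
    name[0] = (char)toupper((unsigned char)s[i]);
    name[1] = (char)toupper((unsigned char)s[i + 1]);
    name[2] = '\0';
    i += 2;
    while (s[i] != '\0' && s[i] != ';') {
        if (n >= PARAM_MAX - 1) {
            /* The unsafe pattern is params[n++] = s[i] with no check on n.
             * Here the oversized command is dropped and the cursor moved
             * to its terminator so the rest of the file can still be read. */
            while (s[i] != '\0' && s[i] != ';')
                i++;
            if (s[i] == ';')
                i++;
            *pos = i;
            params[0] = '\0';
            return HPGL_TOO_LONG;
        }
        params[n++] = s[i++];
    }
    params[n] = '\0';
    if (s[i] == ';')
        i++;
    *pos = i;
    return HPGL_OK;
}
```

The constructed inputs in the test below are a short well-formed plot prefix and a PA command whose parameter list exceeds the cap; real HPGL also has forms (such as LB labels) that this simplified grammar does not model.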
Comment 1 Marcus Meissner 2004-12-20 16:49:58 UTC
Created attachment 27213 [details]
21.hpgl.gz
Comment 2 Marcus Meissner 2004-12-20 16:51:12 UTC
reduce sev to normal. 
 
can be delayed to after xmas vacation to be handled by Klaus. 
Comment 3 Marcus Meissner 2004-12-21 22:43:37 UTC
======================================================
Candidate: CAN-2004-1267
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1267
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/cups.txt

Buffer overflow in the ParseCommand function in hpgl-input.c in the
hpgltops program for CUPS 1.1.22 allows remote attackers to execute
arbitrary code via a crafted HPGL file.

Comment 4 Klaus Singvogel 2005-01-20 22:46:15 UTC
Fixed in: 8.1 (UL1, NLD, SLES8), 8.2, 9.0, 9.1, 9.2 
and submitted. 
 
Not much tested. 
 
security-team please handle rest of process ==> reassign 
Comment 5 Thomas Biege 2005-01-21 20:33:33 UTC
`patchinfo-box.cups' -> `/work/src/done/PATCHINFO/patchinfo-box.cups' 
`patchinfo-9.2.cups' -> `/work/src/done/PATCHINFO/patchinfo-9.2.cups' 
`patchinfo.cups' -> `/work/src/done/PATCHINFO/patchinfo.cups' 
Comment 6 Marcus Meissner 2005-01-26 20:54:16 UTC
Created attachment 27927 [details]
21.hpgl

this file crashes the filter on sles9-ppc too
Comment 7 Thomas Biege 2005-02-01 19:48:51 UTC
packages approved
Comment 8 Thomas Biege 2009-10-13 20:07:12 UTC
CVE-2004-1267: CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)