Bug 64370 (CVE-2004-1270)

Summary: VUL-0: CVE-2004-1270: lppasswd might corrupt cups passwd file
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: heiko.rommel, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1270: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: 63.c

Description Ludwig Nussel 2004-12-17 20:19:03 UTC 
We received the following report.
The issue is public.

The mentioned attachment was not included as we didn't receive the
original mail but as upstream apparently was notified they may have
it.

From djb@cr.yp.to Wed Dec 15 14:23:07 2004
Date: 15 Dec 2004 08:30:45 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, cups@easysw.com
Subject: [local] [kill] CUPS 1.1.22 lppasswd ignores write errors, etc.

Bartlomiej Sieka, a student in my Fall 2004 UNIX Security Holes course,
has discovered several security problems in how lppasswd, version 1.1.22
(current), edits /usr/local/etc/cups/passwd. I'm publishing this notice,
but all the discovery credits should be assigned to Sieka.

First, lppasswd blithely ignores write errors in fputs(line,outfile) at
lines 311 and 315 of lppasswd.c, and in fprintf(...) at line 346. An
attacker who fills up the disk at the right moment can arrange for
/usr/local/etc/cups/passwd to be truncated.

Second, if lppasswd bumps into a file-size resource limit while writing
passwd.new, it leaves passwd.new in place, disabling all subsequent
invocations of lppasswd. Any local user can thus disable lppasswd by
running the attached program 63.c.

Third, line 306 of lppasswd.c prints an error message to stderr but
does not exit. This is not a problem on systems that ensure that file
descriptors 0, 1, and 2 are open for setuid programs, but it is a
problem on other systems; lppasswd does not check that passwd.new is
different from stderr, so it ends up writing a user-controlled error
message to passwd if the user closes file descriptor 2.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

    [ Part 2, Text/PLAIN  43 lines. ]
    [ Unable to print this part. ]
Comment 1 Marcus Meissner 2004-12-20 16:53:22 UTC 
Created attachment 27214 [details]
63.c
Comment 2 Marcus Meissner 2004-12-20 16:53:34 UTC 
can be handled after xmas break.
Comment 3 Marcus Meissner 2004-12-21 22:43:45 UTC 
======================================================                           
Candidate: CAN-2004-1268                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1268                 
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/cups2.txt                   
                                                                                 
lppasswd in CUPS 1.1.22 ignores write errors when modifying the CUPS             
passwd file, which allows local users to corrupt the file by filling             
the associated file system and triggering the write errors.
Comment 4 Marcus Meissner 2004-12-21 22:43:59 UTC 
======================================================                           
Candidate: CAN-2004-1269                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1269                 
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/cups2.txt                   
                                                                                 
lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it                
encounters a file-size resource limit while writing to passwd.new,               
which causes subsequent invocations of lppasswd to fail.
Comment 5 Marcus Meissner 2004-12-21 22:44:18 UTC 
======================================================                           
Candidate: CAN-2004-1270                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1270                 
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/cups2.txt                   
                                                                                 
lppasswd in CUPS 1.1.22, when run in environments that do not ensure             
that file descriptors 0, 1, and 2 are open when lppasswd is called,              
does not verify that the passwd.new file is different from STDERR,               
which allows local users to control output to passwd.new via certain             
user input that triggers an error message.
Comment 6 Klaus Singvogel 2005-01-20 22:47:25 UTC 
Fixed in: 8.1 (UL1, NLD, SLES8), 8.2, 9.0, 9.1 
Not affected: 9.2 
and new packages submitted.  
  
Not much tested.  
  
security-team please handle rest of update process ==> reassigning it
Comment 7 Thomas Biege 2005-01-21 20:33:13 UTC 
`patchinfo-box.cups' -> `/work/src/done/PATCHINFO/patchinfo-box.cups' 
`patchinfo-9.2.cups' -> `/work/src/done/PATCHINFO/patchinfo-9.2.cups' 
`patchinfo.cups' -> `/work/src/done/PATCHINFO/patchinfo.cups'
Comment 8 Marcus Meissner 2005-01-26 18:57:18 UTC 
as root 
lppasswd -a tux 
<enter password twice> 
 
as tux: 
./63 
<enter old password> 
<enter new password twice> 
 
ls -la /etc/cups/passwd.new  exists 
 
lppasswd 
<enter old password> 
<enter new password twice> 
lppasswd: Password file busy! 
 
The last message should not appear after the update, /etc/cups/passwd.new 
should not exist.
Comment 9 Marcus Meissner 2005-01-26 23:07:45 UTC 
the fix is broken. 
 
if no /etc/cups/passwd.* is there, lppasswd -a tux 
does not work. 
# lppasswd -a tux 
Enter password: 
Enter password again: 
lppasswd: failed to backup old password file: No such file or directory 
#
Comment 10 Klaus Singvogel 2005-01-27 18:43:20 UTC 
Cannot reproduce. :( 
 
# rm /etc/cups/passwd.* 
# lppasswd -a klaus 
Enter password:  
Enter password again: 
# ll /etc/cups/passwd.* 
4 -r--------  1 lp root 43 Jan 27 11:40 /etc/cups/passwd.md5 
 
I tried patches with a SuLi 9.2-i386 (hostname: lavoisier.suse.de) 
Whats your setup?
Comment 11 Marcus Meissner 2005-01-27 18:44:05 UTC 
happens for instance on sles9 , feel free to use  
sles9-ppc host "grape".
Comment 12 Klaus Singvogel 2005-01-27 21:19:49 UTC 
fixed problem and checked problem. 
submitted new packages. 
 
security-team please handle rest of update process ==> reassigning it.
Comment 13 Marcus Meissner 2005-01-27 21:49:32 UTC 
already submitted fixed patchinfos.
Comment 14 Thomas Biege 2005-02-01 19:49:11 UTC 
packages approved
Comment 15 Thomas Biege 2009-10-13 20:07:24 UTC 
CVE-2004-1270: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)