Bug 64684 (CVE-2005-2874)

Summary: VUL-0: CVE-2005-2874: cups denial of service attack
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2005-2874: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2005-01-10 18:20:32 UTC
http://www.cups.org/str.php?L1042+P0+S-1+C0+I0+E0+Q1042 
23:12 Dec 30, 2004 
 
I noticed your fix for STR#866 caused a critical hang-up when an invalid URL came in.
For example, 'GET /..a HTTP/1.1'.
(This bug was found by the Nessus security audit software.)
 
I found the point, is_path_absolute in scheduler/client.c. 
 
  while ((path = strstr(path, "/..")) != NULL)   /* path is never advanced, so strstr() matches the same "/.." forever */
    if (!path[3] || path[3] == '/')
      return (0);
 
It should increment the path pointer, shouldn't it?
 
  while ((path = strstr(path, "/..")) != NULL) {
    if (!path[3] || path[3] == '/')
      return (0);
    path++;   /* move past the current match so the next strstr() makes progress */
  }
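As an added illustration (not code from the STR report, from CUPS or from this bug), the fixed check beside a bounded replay of the original loop, so the hang on 'GET /..a' can be observed without actually hanging. The leading-slash test in the fixed function is an assumption about the surrounding is_path_absolute() logic, not something the report quotes.

```c
#include <stdio.h>
#include <string.h>

/* Hardened check mirroring the fix proposed above: accept a path only if it
 * starts with '/' (assumed context, not quoted in the report) and contains no
 * "/.." segment, i.e. "/.." at the end of the string or followed by '/'. */
int is_path_absolute_fixed(const char *path)
{
  if (path[0] != '/')
    return 0;
  while ((path = strstr(path, "/..")) != NULL) {
    if (!path[3] || path[3] == '/')
      return 0;
    path++;   /* advance past the match so strstr() cannot return it again */
  }
  return 1;
}

/* Bounded replay of the ORIGINAL loop. Returns the number of iterations the
 * loop ran before deciding, or -1 once max_steps is exceeded, which is what
 * the real scheduler turns into an endless spin (denial of service). */
int original_loop_steps(const char *path, int max_steps)
{
  int steps = 0;
  while ((path = strstr(path, "/..")) != NULL) {
    if (++steps > max_steps)
      return -1;
    if (!path[3] || path[3] == '/')
      return steps;
    /* original code: no path++ here, so the same "/.." is found again */
  }
  return steps;
}

int main(void)
{
  /* Constructed sample request paths, including the one from the report. */
  const char *samples[] = { "/..a", "/../etc/passwd", "/foo/..bar/baz", "/safe" };
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-16s fixed=%d original_steps=%d\n", samples[i],
           is_path_absolute_fixed(samples[i]),
           original_loop_steps(samples[i], 1000));
  return 0;
}
```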
Comment 1 Marcus Meissner 2005-01-10 18:20:32 UTC
n/a
Comment 2 Marcus Meissner 2005-01-10 18:20:44 UTC
klaus, not sure if we are affected. perhaps we are. 
Comment 3 Johannes Meixner 2005-01-17 19:03:31 UTC
General information for security-team regarding our cupsd security:

If our "cups-1.1.19-preauth_security.patch" prevents arbitrary users
(in particular those from external networks) from sending invalid data
to the cupsd, then this DoS attack may be of minor importance for us.

Reason:
Any user who is allowed to print can always do DoS-like stuff,
for example by sending this job to all print queues
  %!PS
  { } loop
which will hang up any PostScript interpreter (Ghostscript or
the printer's built-in interpreter).

Regarding "cups-1.1.19-preauth_security.patch" see bug 43396 and
http://portal.suse.com/sdb/en/2003/09/jsmeix_print-einrichten-90.html
"Generalized Functionality for BrowseAllow and BrowseDeny".
Comment 4 Klaus Singvogel 2005-01-20 22:40:07 UTC
Only 9.2 is affected. 
Comment 5 Klaus Singvogel 2005-01-20 22:50:24 UTC
Fixed in: 9.2 
Not affected: 8.1 (UL1, NLD, SLES8), 8.2, 9.0, 9.1 
and new packages submitted.   
   
Not much tested (yet). 
   
security-team please handle rest of update process ==> reassigning it  
Comment 6 Thomas Biege 2005-01-21 19:53:39 UTC
/work/src/done/PATCHINFO/patchinfo-9.2.cups 
Comment 7 Thomas Biege 2005-01-21 20:32:58 UTC
`patchinfo-box.cups' -> `/work/src/done/PATCHINFO/patchinfo-box.cups' 
`patchinfo-9.2.cups' -> `/work/src/done/PATCHINFO/patchinfo-9.2.cups' 
`patchinfo.cups' -> `/work/src/done/PATCHINFO/patchinfo.cups' 
Comment 8 Thomas Biege 2005-02-01 19:47:17 UTC
packages approved
Comment 9 Klaus Singvogel 2005-09-14 10:41:13 UTC
Before questions arise: CAN number is: AN-2005-2874 
Comment 10 Ludwig Nussel 2005-09-14 10:46:11 UTC
CAN-2005-2874 
my query only finds it without typo :) 
Comment 11 Thomas Biege 2009-10-13 20:56:28 UTC
CVE-2005-2874: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)