Bugzilla – Bug 601352
VUL-1: CVE-2010-0542: cups: texttops crash
Last modified: 2018-10-19 18:03:29 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. This issue is not public yet, please keep any information about it inside SUSE. Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

Looking at the patch this doesn't seem to be more than a crash.

CVE-2010-0542 was assigned to CUPS STR#3516:
----------------------
A NULL pointer dereference issue exists in the _WriteProlog function of the texttops image filter. The return value from calloc is not checked. This may lead to a NULL pointer dereference. Since the offset from the pointer at which data is subsequently written is controlled by the user, this issue may lead to application termination or arbitrary code execution.

Credit to regenrecht working with iDefense for reporting this issue.
----------------------
This issue was introduced as part of an incomplete patch for CVE-2008-3640.
CRD 27.5. IMO no need for immediate security update.
I am not allowed to access CUPS STR3516. Was there perhaps some info somewhere about which CUPS versions are affected?
At least CUPS 1.4.3 what we currently have in openSUSE:Factory is affected...
Not really. "1.4.3 and earlier" could mean anything. You need to check the code.
CUPS 1.3.9, which we currently have both in SLE11 and SLE11-SP1, is also affected...
Thanks for the info! I am already searching the code...
CUPS 1.1.23, which we currently have in sle10-sp3, is also affected...

Here the test
---------------------------------------------------------
if (SizeColumns <= 0 || SizeColumns > 32767 ||
    SizeLines <= 0 || SizeLines > 32767)
...
exit(1);
---------------------------------------------------------
should be added too to be on the safe side.
CUPS 1.1.20, which we currently have in sles9, is also affected...

Here also the test
---------------------------------------------------------
if (SizeColumns <= 0 || SizeColumns > 32767 ||
    SizeLines <= 0 || SizeLines > 32767)
...
exit(1);
---------------------------------------------------------
should be added too to be on the safe side.
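The following is an added illustration of the bug class described in this report (unchecked calloc result plus user-controlled page geometry) and of the SizeColumns/SizeLines range test quoted in the comments above. It is not CUPS code and not part of this bug report: the cell_t/page_t types, the derived_columns()/derived_lines() geometry formula, and the page_alloc*/page_put/page_roundtrip functions are simplified stand-ins modelled on how texttops lays out its page buffer (columns = points * cpi / 72, lines = points * lpi / 72, one row pointer per line into a single block of cells). All names are assumptions.

```c
#include <stdlib.h>
#include <stdio.h>

/* Stand-in for the per-character cell of the texttops page buffer
 * (the real filter uses lchar_t; this struct is an assumption). */
typedef struct {
    char          ch;
    unsigned char attr;
} cell_t;

typedef struct {
    cell_t **rows;    /* rows[i] points at the first cell of line i */
    cell_t  *cells;   /* lines * columns cells in one block */
    long     columns;
    long     lines;
} page_t;

/* Page geometry as the filter derives it: points * chars-per-inch / 72.
 * cpi and lpi come from user-supplied job options (assumed here to arrive
 * unclamped), so the result can be zero, negative or enormous. */
long derived_columns(long page_width_pt, long cpi) { return page_width_pt * cpi / 72; }
long derived_lines(long page_height_pt, long lpi)  { return page_height_pt * lpi / 72; }

/* The range test quoted in the thread. Capping both at 32767 also keeps
 * columns * lines below 2^31, so the cell count cannot wrap a 32-bit int. */
int sizes_valid(long columns, long lines) {
    return !(columns <= 0 || columns > 32767 || lines <= 0 || lines > 32767);
}

void page_free(page_t *p) {
    if (!p) return;
    free(p->rows);
    free(p->cells);
    free(p);
}

/* Vulnerable pattern (never call this with untrusted sizes): no range test,
 * and the calloc results are used unchecked. An oversized or negative request
 * makes calloc return NULL and the row setup then writes through NULL at a
 * user-influenced offset. */
page_t *page_alloc_unchecked(long columns, long lines) {
    page_t *p = calloc(1, sizeof *p);
    p->rows  = calloc((size_t)lines, sizeof *p->rows);
    p->cells = calloc((size_t)(lines * columns), sizeof *p->cells);
    for (long i = 0; i < lines; i++)
        p->rows[i] = p->cells + i * columns;   /* NULL + offset if calloc failed */
    p->columns = columns;
    p->lines   = lines;
    return p;
}

/* Hardened form: reject out-of-range geometry before allocating, then check
 * every allocation and unwind on failure. Returns NULL instead of crashing. */
page_t *page_alloc(long columns, long lines) {
    if (!sizes_valid(columns, lines)) return NULL;
    page_t *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->rows  = calloc((size_t)lines, sizeof *p->rows);
    p->cells = calloc((size_t)lines * (size_t)columns, sizeof *p->cells);
    if (!p->rows || !p->cells) { page_free(p); return NULL; }
    for (long i = 0; i < lines; i++)
        p->rows[i] = p->cells + i * columns;
    p->columns = columns;
    p->lines   = lines;
    return p;
}

/* Bounds-checked write: 1 on success, 0 if (line, col) is outside the page. */
int page_put(page_t *p, long line, long col, char ch) {
    if (!p || line < 0 || line >= p->lines || col < 0 || col >= p->columns) return 0;
    p->rows[line][col].ch = ch;
    return 1;
}

/* Allocate, write one cell, read it back, free.
 * 1 = ok, 0 = geometry rejected, -1 = write refused (cell outside the page). */
int page_roundtrip(long columns, long lines, long line, long col) {
    page_t *p = page_alloc(columns, lines);
    if (!p) return 0;
    int ok = page_put(p, line, col, 'x') && p->rows[line][col].ch == 'x';
    page_free(p);
    return ok ? 1 : -1;
}

int main(void) {
    /* Letter paper (612x792 pt) at 10 cpi / 6 lpi: 85 columns x 66 lines, accepted. */
    printf("85x66: %d\n", page_roundtrip(derived_columns(612, 10), derived_lines(792, 6), 65, 84));
    /* Absurd cpi from a job option: 850000 columns, rejected before any calloc. */
    printf("850000x66: %d\n", page_roundtrip(derived_columns(612, 100000), 66, 0, 0));
    return 0;
}
```

The point of the range test is that it runs before the first calloc: once the geometry is bounded, the allocation sizes are bounded too, and the remaining NULL checks only have to cover genuine memory exhaustion.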
In short: CUPS in all our maintained distributions is affected.

For my own information: Because the bug's status whiteboard is "maint:planned:update" there is no need to fix it immediately (see comment #2) but it must be fixed
- for openSUSE:Factory after the issue was published (current CRD is 27.5. - see comment #2) either by a patch for CUPS 1.4.3 or perhaps via version upgrade to 1.4.4
- for the released and maintained distributions only if another CUPS maintenance update is done.

Therefore I keep it assigned but I set the priority for now to "P4 low".
Will be fixed together with bug #601830 (both have same CRD: 27.05)
CUPS 1.4.4 is released now. I will submit it to openSUSE:Factory.
Submitted CUPS 1.4.4 to openSUSE:Factory via submitrequest 41699.

I did some basic tests and CUPS 1.4.4 works well for me on my openSUSE 11.3 RC 1 (x86_64) system.
FYI: So that you can better decide whether or not to accept submitrequest 41699 Printing/cups -> openSUSE:Factory, see attachment #370092 in https://bugzilla.novell.com/show_bug.cgi?id=601830#c13
Fixed via CUPS 1.4.4 for openSUSE:Factory / openSUSE 11.3

"maint:planned:update" => nothing else to do for now => lowering priority again
(In reply to comment #8)
> CUPS 1.1.23 what we currently have in sle10-sp3
> is also affected...
>
> Here the test
> ---------------------------------------------------------
> if (SizeColumns <= 0 || SizeColumns > 32767 ||
>     SizeLines <= 0 || SizeLines > 32767)
> ...
> exit(1);
> ---------------------------------------------------------
> should be added too to be on the safe side.

AFAICS this hunk is already in sle10 and sles9 due to the CVE-2008-3640 patch. Fortunately. Otherwise, we'd have a bigger problem ...
In comment #7 I wrote "I am already searching the code..." and I guess that at that time I searched only our original CUPS sources (cups-VERSION-source.tar.bz2) but not our CUPS sources after all our current patches have been applied, so that I got confused by the test which I noticed in the above attachment #358181 (str3516.patch)
--------------------------------------------------------------
if (SizeColumns <= 0 || SizeColumns > 32767 ||
    SizeLines <= 0 || SizeLines > 32767)
...
exit(1);
--------------------------------------------------------------
because this is missing in our original CUPS sources.

But this test is already added via our patch cups-1.2.12-texttops_CVE_2008_3640.patch, see attachment #336603 and https://bugzilla.novell.com/show_bug.cgi?id=570659#c3 starting at "Our bug report where CVE-2008-3640 was fixed is bug #430543."
Bug #644521 triggered that I submitted a fix for this one for SLE-10-SP3 via submitrequest 8645 on https://api.suse.de
------------------------------------------------------------------------------
Request #8645: submit: home:jsmeix:branches:SUSE:SLE-10-SP3:Update:Test/cups(r2)(cleanup) -> SUSE:SLE-10-SP3:Update:Test/cups
Message: bnc#644521 with SWAMPID:36311 and bnc#604271 (maint:planned:update) and bnc#601352 (maint:planned:update) but at least for now without a fix for bnc#601830 (maint:planned:update) because its patch is huge and causes regressions so that at least a really thorough QA test of the whole CUPS web interface would be required which could very much delay that the customers get the other fixes so that it is perhaps better to fix bnc#601830 separately
State: new 2010-10-14T17:06:59 jsmeix
Comment: None
------------------------------------------------------------------------------
Bug #644521 triggered that I submitted a fix for this one for SLE-9-SP4 via submitrequest 8677 on https://api.suse.de
------------------------------------------------------------------------------
Request #8677: submit: home:jsmeix:branches:SUSE:SLE-9-SP4:Update:Test/cups(r2)(cleanup) -> SUSE:SLE-9-SP4:Update:Test/cups
Message: bnc#644521 with SWAMPID:36311 and bnc#604271 (maint:planned:update) and bnc#601352 (maint:planned:update) but at least for now without a fix for bnc#601830 (maint:planned:update) because its patch is huge and causes regressions so that at least a really thorough QA test of the whole CUPS web interface would be required which could very much delay that the customers get the other fixes so that it is perhaps better to fix bnc#601830 separately
State: new 2010-10-19T14:27:26 jsmeix
Comment: None
------------------------------------------------------------------------------
Bug #649256 triggered that I submitted a fix for this one for SLE11 via submitrequest 8968 on https://api.suse.de
----------------------------------------------------------------------------
Request #8968: submit: home:jsmeix:branches:SUSE:SLE-11:Update:Test/cups(r4)(cleanup) -> SUSE:SLE-11:Update:Test/cups
Message: Security bugfix bnc#649256 SWAMPID 36831
plus fixed patches to apply with fuzz=0 bnc#632867
plus fixed cups web frontend to show jobs for particular printers bnc#631121
plus fixed CUPS firewall config bnc#635012
plus security fix for CUPS web interface bnc#604271
plus security fix for texttops crash bnc#601352
but at least for now without a fix for bnc#601830 (maint:planned:update) because its patch is huge and causes regressions
----------------------------------------------------------------------------
Bug #649256 triggered that I submitted a fix for this one for openSUSE:11.1 via the internal build service via submitrequest 9007:
----------------------------------------------------------------------------
Request #9007: submit: home:jsmeix:branches:SUSE:openSUSE:11.1:Update:Test/cups(r3)(cleanup) -> SUSE:openSUSE:11.1:Update:Test/cups
Message: Security bugfix bnc#649256 SWAMPID 36831
plus fixed patches to apply with fuzz=0 bnc#632867
plus fixed cups web frontend to show jobs for particular printers bnc#631121
plus fixed CUPS firewall config bnc#635012
plus security fix for CUPS web interface bnc#604271
plus security fix for texttops crash bnc#601352
but at least for now without a fix for bnc#601830 (maint:planned:update) because its patch is huge and causes regressions
plus cupsd crash prevention via AVAHI_COMPAT_NOWARN=1 bnc#576507
plus added directory /usr/lib/cups/driver bnc#465794
----------------------------------------------------------------------------
CVE-2010-0542: CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264)
Bug #649256 triggered that I submitted a fix for this one for openSUSE:11.2 via the external build service via submitrequest 53777:
----------------------------------------------------------------------------
Request #53777: submit: home:jsmeix:branches:openSUSE:11.2:Update:Test/cups(r2)(cleanup) -> openSUSE:11.2:Update:Test/cups
Message: Security bugfix bnc#649256 SWAMPID 36831
plus fixed patches to apply with fuzz=0 bnc#632867
plus fixed cups web frontend to show jobs for particular printers bnc#631121
plus fixed CUPS firewall config bnc#635012
plus security fix for CUPS web interface bnc#604271
plus security fix for texttops crash bnc#601352
but at least for now without a fix for bnc#601830 (maint:planned:update) because its patch is huge and causes regressions
plus cupsd crash prevention via AVAHI_COMPAT_NOWARN=1 bnc#576507
----------------------------------------------------------------------------
Fixed for all distributions where cups is maintained by me. Reassigning for further processing by the security team.
Released everything but moblin packages.
Removed dependency.
This is an autogenerated message for OBS integration:
This bug (601352) was mentioned in
https://build.opensuse.org/request/show/41699 Factory / cups
https://build.opensuse.org/request/show/53777 11.2:Test / cups