Bugzilla – Bug 64369
VUL-0: CVE-2004-1267: CUPS hpgltops ParseCommand overflows
Last modified: 2021-10-27 15:21:02 UTC
We received the following report. The issue is public. The mentioned attachment was not included as we didn't receive the original mail but as upstream apparently was notified they may have it.

From djb@cr.yp.to Wed Dec 15 14:21:33 2004
Date: 15 Dec 2004 08:20:11 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, cups@easysw.com
Subject: [remote] [control] CUPS 1.1.22 hpgltops ParseCommand overflows buf

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in CUPS. I'm publishing this notice, but all the discovery credits should be assigned to Berkman.

A CUPS installation is at risk whenever it prints an HPGL file obtained from email (or a web page or any other source that could be controlled by an attacker). You are at risk if you print data through a CUPS installation at risk. The source of the HPGL file has complete control over the CUPS ``lp'' account; in particular, he can read and modify the files you are printing.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/print/cups
   make install

to download and compile the CUPS package, version 1.1.22 (current). Then, as any user, save the file 21.hpgl.gz attached to this message, and type

   gunzip 21.hpgl
   /usr/local/libexec/cups/filter/hpgltops \
   15 $USER test-title 1 none 21.hpgl > 21.ps

with the unauthorized result that a file named x is removed from the current directory. (I tested this with a 541-byte environment, as reported by printenv | wc -c.)

Here's the bug: In hpgl-input.c, ParseCommand() reads any number of bytes into a 262144-byte buf[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago

[ Part 2, Application/X-GUNZIP 692bytes. ]
[ Unable to print this part. ]
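The unbounded read the report describes, with an added example that is not CUPS code and not Berkman's proof of concept: a bounded HPGL command reader that refuses a command longer than its buffer instead of writing past it, plus a pre-scan that counts such commands in a job so it can be rejected before it reaches a filter that trusts its input. BUF_CAP, hpgl_read_command and hpgl_count_oversized are hypothetical names, and treating a command as text terminated by ';' is an assumption of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical stand-in for the filter's fixed-size buf[]; kept tiny so
   the too-long case is easy to exercise in the checks below. */
#define BUF_CAP 16

/* Copies the next HPGL command (text up to, not including, the next ';')
   from in[*pos..len) into buf and advances *pos past the ';'. Returns the
   number of bytes stored, or -1 if the command would not fit in cap
   bytes; the rest of that command is still consumed so parsing resumes
   at the next one, and nothing is ever written past buf[cap-1]. */
int hpgl_read_command(const char *in, size_t len, size_t *pos,
                      char *buf, size_t cap)
{
    size_t n = 0;
    int ok = 1;
    if (cap == 0)
        return -1;
    while (*pos < len && isspace((unsigned char)in[*pos]))
        (*pos)++;                      /* skip separators between commands */
    while (*pos < len && in[*pos] != ';') {
        if (ok && n + 1 < cap)
            buf[n++] = in[*pos];       /* room left (one byte kept for NUL) */
        else
            ok = 0;                    /* too long: consume, store nothing */
        (*pos)++;
    }
    if (*pos < len)
        (*pos)++;                      /* consume the ';' */
    buf[ok ? n : 0] = '\0';
    return ok ? (int)n : -1;
}

/* Pre-scan for a print job: counts commands that would not fit in a
   buffer of cap bytes (clamped to BUF_CAP), so an oversized job can be
   rejected up front rather than handed to the filter. */
int hpgl_count_oversized(const char *in, size_t len, size_t cap)
{
    char buf[BUF_CAP];
    size_t pos = 0;
    int oversized = 0;
    if (cap == 0 || cap > sizeof buf)
        cap = sizeof buf;
    while (pos < len)
        if (hpgl_read_command(in, len, &pos, buf, cap) < 0)
            oversized++;
    return oversized;
}
```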
Created attachment 27213 [details] 21.hpgl.gz
reduce sev to normal. can be delayed to after xmas vacation to be handled by Klaus.
======================================================
Candidate: CAN-2004-1267
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1267
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/cups.txt

Buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program for CUPS 1.1.22 allows remote attackers to execute arbitrary code via a crafted HPGL file.
Fixed in: 8.1 (UL1, NLD, SLES8), 8.2, 9.0, 9.1, 9.2 and submitted. Not much tested. security-team please handle rest of process ==> reassign
`patchinfo-box.cups' -> `/work/src/done/PATCHINFO/patchinfo-box.cups'
`patchinfo-9.2.cups' -> `/work/src/done/PATCHINFO/patchinfo-9.2.cups'
`patchinfo.cups' -> `/work/src/done/PATCHINFO/patchinfo.cups'
Created attachment 27927 [details] 21.hpgl

This file crashes the filter on sles9-ppc too.
packages approved
CVE-2004-1267: CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)