Bug 1087018 - (CVE-2017-18248) VUL-0: CVE-2017-18248: cups: The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs with an invalid username, related to a D-Bus notification.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Assigned To: Johannes Meixner
Security Team bot
https://smash.suse.de/issue/202702/
CVSSv3:SUSE:CVE-2017-18248:6.5:(AV:N/...
Reported: 2018-03-27 07:33 UTC by Karol Babioch
Modified: 2019-07-01 15:58 UTC (History)

Found By: Security Response Team
Description Karol Babioch 2018-03-27 07:33:08 UTC
CVE-2017-18248

The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support
is enabled, can be crashed by remote attackers by sending print jobs with an
invalid username, related to a D-Bus notification.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18248
https://security.cucumberlinux.com/security/details.php?id=346
https://github.com/apple/cups/releases/tag/v2.2.6
https://github.com/apple/cups/issues/5143
https://github.com/apple/cups/commit/49fa4983f25b64ec29d548ffa3b9782426007df3
Comment 1 Karol Babioch 2018-03-27 07:34:38 UTC
This is split off from bug 1061066.

Johannes, am I correct with my assessment that "SUSE:SLE-11:Update" and "SUSE:SLE-12:Update" are affected, and "SUSE:SLE-10-SP3:Update" is not? Will you submit to SUSE:SLE-11:Update also, since this has security implications?
Comment 2 Karol Babioch 2018-03-27 07:52:29 UTC
Also, could you please re-submit for SLE12 with this bug number and CVE as reference? This will make our tracking bots happy ;). Thank you very much!
Comment 3 Johannes Meixner 2018-03-27 09:37:14 UTC
Karol Babioch,
I wonder why it seems this issue is regarded as a CUPS-only issue
regardless that I wrote everywhere that the actual root cause
is our misbehaving libdbus and that this misbehaving libdbus is
likely only at SUSE and openSUSE, in particular see
https://bugzilla.suse.com/show_bug.cgi?id=1061066#c6
https://bugzilla.suse.com/show_bug.cgi?id=1061066#c40
https://bugzilla.suse.com/show_bug.cgi?id=1061066#c44
https://github.com/apple/cups/issues/5143#issuecomment-339364524

Simply put:
I wonder why the actual root cause is not fixed?

Regarding SLE11:
In bsc#1061066 we never tested anything for SLE11.
Testing it and if SLE11 is affected backporting the fixes
will take very much time (if possible at all for me
with my very limited knowledge about CUPS internals)
which means I cannot do any further work for SLE15
while I am working on this issue.

Stefan Fent, Stefan Behlert,
decide about my priorities - I cannot.
Comment 4 Johannes Meixner 2018-03-27 12:26:24 UTC
CUPS in SLE11 is not affected in practice because
in SLE11 our dbus-1 is compiled without those assertions enabled
that let libdbus abort() its caller process
-------------------------------------------------------------------------
$ isc rbl SUSE:SLE-11-SP1:GA dbus-1 standard x86_64 | grep assert
        Building assertions:      no
-------------------------------------------------------------------------
so that a non-UTF8 value (e.g. a non-UTF8 user account name)
in an IPP print job is passed by the SLE11 cupsd "as is"
to libdbus but libdbus in SLE11 does not abort() the cupsd process.

When I do the test as in
https://github.com/apple/cups/issues/5143#issuecomment-338599888
with a SLE11 CUPS server I see the non-UTF8 user account name
in /var/log/cups/error_log but the submitted print job gets
normally processed regardless of that non-UTF8 value.

In SLE11 we have dbus-1.2.10.tar.bz2 where its configure script shows
-------------------------------------------------------------------------
$ ./configure --help | grep assert
  --enable-asserts        include assertion checks
-------------------------------------------------------------------------
and I assume that the default configure behaviour is
to not enable-asserts.

In contrast in SLE12 we have dbus-1.10.20.tar.gz where it seems
those assertions are enabled that let libdbus abort() its caller process.
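The failure mode comment#4 describes, as an added example that is not code from CUPS or libdbus: a job attribute such as the user name is checked for well-formed UTF-8 before it is used as a D-Bus string argument, so a libdbus built with assertion checks never gets a chance to abort() the scheduler. The function names, the "unknown" placeholder and the sample user name are constructed for this example.

```c
/* Added example, not CUPS or libdbus code: reject or replace a job attribute
 * that is not valid UTF-8 before it reaches a D-Bus string argument. libdbus
 * built with assertion checks aborts its caller on an invalid string, which
 * is the cupsd crash discussed in this bug. */
#include <stdbool.h>
#include <string.h>

/* Return true if s is valid UTF-8: rejects stray continuation bytes, overlong
 * encodings, UTF-16 surrogates, code points above U+10FFFF and truncation. */
bool job_string_is_utf8(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    while (*p) {
        unsigned cp, need, min;
        if (*p < 0x80) { p++; continue; }                  /* plain ASCII */
        if ((*p & 0xE0) == 0xC0)      { cp = *p & 0x1F; need = 1; min = 0x80;    }
        else if ((*p & 0xF0) == 0xE0) { cp = *p & 0x0F; need = 2; min = 0x800;   }
        else if ((*p & 0xF8) == 0xF0) { cp = *p & 0x07; need = 3; min = 0x10000; }
        else return false;            /* 0x80..0xBF or 0xF8..0xFF as lead byte */
        p++;
        for (unsigned i = 0; i < need; i++, p++) {
            if ((*p & 0xC0) != 0x80) return false; /* bad byte, or NUL: truncated */
            cp = (cp << 6) | (*p & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return false;              /* overlong, out of range, or surrogate */
    }
    return true;
}

/* Value a scheduler can safely hand to its D-Bus notification: the name itself
 * when valid, otherwise a fixed placeholder so libdbus never sees the raw
 * bytes. The caller may additionally log the event or reject the job. */
const char *dbus_safe_username(const char *name)
{
    static const char placeholder[] = "unknown";  /* constructed fallback value */
    return (name && job_string_is_utf8(name)) ? name : placeholder;
}

/* Constructed sample of the kind of value this bug is about: a user name
 * containing a byte (0xFF) that cannot occur in UTF-8. */
static const char sample_bad_user[] = "jsme\xFFix";

int main(void)
{
    /* Exit status 0 means the invalid name was correctly rejected. */
    return job_string_is_utf8(sample_bad_user) ? 1 : 0;
}
```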
Comment 5 Johannes Meixner 2018-03-27 12:39:06 UTC
Perhaps my above sketchy analysis is wrong and the actual reason
why on SLE11 our libdbus does not abort() its caller cupsd
in case of a non-UTF8 user account name is not how
our dbus-1 is compiled but that on SLE11 dbus-1.2.10
has much less of the '_dbus_abort ()' calls
(that do the actual 'abort ()' call in dbus/dbus-sysdeps.c)
compared to dbus-1.10.20 on SLE12.
Comment 6 Johannes Meixner 2018-03-27 12:45:05 UTC
CUPS in SLE10 cannot be affected because
in SLE10 /usr/sbin/cupsd is not linked with libdbus.
Comment 7 Johannes Meixner 2018-03-27 14:55:41 UTC
Regarding comment#2 I did:
--------------------------------------------------------------------------
$ isc mr -m 'Updated and enhanced RPM changelog entry with additional \
 references to bsc#1087018 CVE-2017-18248 and bsc#1087072' \
 home:jsmeix:branches:SUSE:SLE-12:Update cups.SUSE_SLE-12_Update \
 SUSE:SLE-12:Update
Using target project 'SUSE:Maintenance'
160328
--------------------------------------------------------------------------
Comment 8 Johannes Meixner 2018-03-27 15:00:05 UTC
Karol Babioch,
regarding your comment#1 and my
comment#4 "CUPS in SLE11 is not affected in practice" and
comment#6 "CUPS in SLE10 cannot be affected":

Is a fix only for SLE12 sufficient?
Comment 9 Karol Babioch 2018-03-27 15:02:48 UTC
Yes, SLE-12 is sufficient then. Please re-submit with the CVE and bug number, though ;). Thanks!
Comment 10 Karol Babioch 2018-03-27 15:04:08 UTC
Ah, you already changed the references. That's great, thank you very much. Everything should be okay then.
Comment 11 Johannes Meixner 2018-03-27 15:06:01 UTC
Many thanks for your prompt reply!
Do you close this bug as "fixed" or should I do that?
Comment 17 Swamp Workflow Management 2018-08-01 16:11:30 UTC
SUSE-SU-2018:2162-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1050082,1061066,1087018,1096405,1096406,1096407,1096408
CVE References: CVE-2017-18248,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    cups-1.7.5-20.14.1
SUSE Linux Enterprise Server 12-SP3 (src):    cups-1.7.5-20.14.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    cups-1.7.5-20.14.1
Comment 18 Swamp Workflow Management 2018-08-07 19:09:13 UTC
openSUSE-SU-2018:2239-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1050082,1061066,1087018,1096405,1096406,1096407,1096408
CVE References: CVE-2017-18248,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Sources used:
openSUSE Leap 42.3 (src):    cups-1.7.5-12.6.1
Comment 19 Johannes Meixner 2019-07-01 15:58:53 UTC
.