Bug 1091565 (CVE-2014-4336)

Summary: CVE-2014-4336 cups-filters: incomplete fix for CVE-2014-2707
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: carnil, falonso, jkurik, jpopelka, twaugh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: cups-filters 1.0.53
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-20 07:24:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1091569, 1108197, 1108198
Bug Blocks: 1095493

Description Vincent Danen 2014-04-25 22:39:56 UTC
According to Sebastian Krahmer, the initial fix for CVE-2014-2707 (bug #1083326) is incomplete:

"
This issue was reported as fixed in 1.0.51:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7188
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7189

but it was found that the fix was incomplete with the full fix in 1.0.53:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194
"

The CVE-2014-2707 flaw is regarding the cups-browsed daemon being manipulated to execute arbitrary commands via malicious broadcast packets.

Comment 1 Vincent Danen 2014-04-25 23:12:40 UTC
Created cups-filters tracking bugs for this issue:

Affects: fedora-all [bug 1091569]

Comment 2 Fedora Update System 2014-05-06 03:37:46 UTC
cups-filters-1.0.53-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-06-10 02:53:18 UTC
cups-filters-1.0.53-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Tomas Hoger 2014-06-20 07:24:23 UTC
CVE-2014-4336 was assigned for this issue, which is an incomplete fix for CVE-2014-2707 that failed to properly escape the host name in generate_local_queue().

This issue did not affect the cups-filters version in Red Hat Enterprise Linux 7.  As noted in bug 1083326 comment 5, this flaw is in the code for handling automatic setup of print queues.  Support for that functionality was introduced upstream in version 1.0.41, while the version used in Red Hat Enterprise Linux 7 is older (1.0.35).

Statement:

Not vulnerable. This issue did not affect the versions of cups-filters as shipped with Red Hat Enterprise Linux 7.
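
An added illustration in C for the flaw class described in this comment; it is not cups-filters source and not the generate_local_queue() fix. A host name taken from a broadcast is untrusted input, and the robust alternative to escaping it before it reaches a queue name or command is to accept only the RFC 1123 character set up front. The function name and length limits are assumptions.

```c
/* Added illustration for this bug entry: not cups-filters source and not the
 * generate_local_queue() fix. Broadcast host names are attacker-controlled, so
 * validate against RFC 1123 instead of escaping metacharacters afterwards. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME_LEN 253   /* RFC 1123 total length */
#define MAX_LABEL_LEN    63    /* RFC 1123 per-label length */

/* True only if each dot-separated label is 1..63 chars of [A-Za-z0-9-] that
 * neither starts nor ends with '-', and the whole name is 1..253 chars.
 * Empty labels, a trailing dot and non-ASCII bytes are rejected. */
bool hostname_is_safe(const char *host)
{
    if (host == NULL)
        return false;
    size_t len = strlen(host);
    if (len == 0 || len > MAX_HOSTNAME_LEN)
        return false;
    size_t label_len = 0;
    for (size_t i = 0; i <= len; i++) {
        char c = host[i];
        if (c == '.' || c == '\0') {      /* label boundary */
            if (label_len == 0 || host[i - 1] == '-')
                return false;             /* empty label or trailing '-' */
            label_len = 0;
            continue;
        }
        /* rejects ';', '`', '$', '(', ' ', '|' and every byte above 0x7f */
        if (!isalnum((unsigned char)c) && c != '-')
            return false;
        if (c == '-' && label_len == 0)
            return false;                 /* label may not start with '-' */
        if (++label_len > MAX_LABEL_LEN)
            return false;
    }
    return true;
}

int main(void)
{
    /* constructed sample names, as a broadcast listener might receive them */
    const char *samples[] = { "printer1.example.com", "host;x", "-bad", "a..b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i], hostname_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```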

Comment 13 Tomas Hoger 2014-06-20 08:17:14 UTC
(In reply to Vincent Danen from comment #0)
> but it was found that the fix was incomplete with the full fix in 1.0.53:
> http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194

Note that this commit also addresses another issue that can be used to remotely crash cups-browsed - see CVE-2014-4337 / bug 1111510.