Bug 1199130 (CVE-2015-2265)

Summary: CVE-2015-2265 cups-filters: remote command execution in remove_bad_chars() (incomplete fix for CVE-2014-2707)
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jpopelka, jrusnack, twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-28 10:20:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1199132    
Bug Blocks:    

Description Vasyl Kaigorodov 2015-03-05 13:53:01 UTC 
It was reported [1] that cups-browsed fails to properly sanitise data from the network when creating IPP printer scripts.
As a result, an attacker can remotely create a script containing arbitrary commands, which will be executed as the "lp" user when the associated printer is used.

This is the same vulnerability reported as CVE-2014-2707 but the existing fixes rely on a string sanitisation function remove_bad_chars() which is not effective.

Details:

The remove_bad_chars() function in utils/cups-browsed.c uses the "j" variable as the index of the character to replace in the string to be sanitised.
Consecutive bad characters cause "j" to be decremented, so can result in the bad character remaining unaffected.

The variables sanitised by remove_bad_chars() include the "pdl" field from an avahi broadcast packet. This is used to create a shell script:
"""
    snprintf(buffer, sizeof(buffer),
             "#!/bin/sh\n"
             "# System V interface script for printer %s generated by cups-browsed\n"
             "\n"
             "if [ $# -lt 5 -o $# -gt 6 ]; then\n"
             "  echo \"ERROR: $0 job-id user title copies options [file]\" >&2\n"
             "  exit 1\n"
             "fi\n"
             "\n"
             "# Read from given file\n"
             "if [ -n \"$6\" ]; then\n"
             "  exec \"$0\" \"$1\" \"$2\" \"$3\" \"$4\" \"$5\" < \"$6\"\n"
             "fi\n"
             "\n"
             "extra_options=\"output-format=%s make-and-model=%s\"\n"
             "\n"
             "%s/filter/pdftoippprinter \"$1\" \"$2\" \"$3\" \"$4\" \"$5 $extra_options\"\n",
             p->name, pdl, make_model, cups_serverbin);
"""

The above shell script is then passed to the CUPS server.

To be vulnerable, a remote host must have the "CreateIPPPrinterQueues Yes" directive in /etc/cups/cups-browsed.conf. That setting is not enabled in RHEL7 by default.
Upstream commit:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7333

[1]: https://bugs.linuxfoundation.org/show_bug.cgi?id=1265
Comment 1 Vasyl Kaigorodov 2015-03-05 13:53:34 UTC 
Created cups-filters tracking bugs for this issue:

Affects: fedora-all [bug 1199132]
Comment 2 Vasyl Kaigorodov 2015-03-05 13:54:45 UTC 
According to https://bugzilla.redhat.com/show_bug.cgi?id=1083326#c4, RHEL-7 is not vulnerable to this issue.

Statement:

Not vulnerable. This issue did not affect the versions of cups-filters as shipped with Red Hat Enterprise Linux 7.
Comment 3 Fedora Update System 2015-03-13 17:12:07 UTC 
cups-filters-1.0.66-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-03-13 17:13:06 UTC 
cups-filters-1.0.66-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2015-03-13 17:16:03 UTC 
cups-filters-1.0.53-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.