Bug 143086

Summary: Bernstein cups issues
Product: [Fedora] Fedora Reporter: Josh Bressers <bressers>
Component: cupsAssignee: Tim Waugh <twaugh>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: medium    
Version: 3Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20041215
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-12-22 13:51:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2004-12-16 14:20:34 UTC 
Part of djb series
        In hpgl-input.c, ParseCommand() reads any number of bytes into
        a 262144-byte buf[] array.
        http://tigger.uic.edu/~jlongs2/holes/cups.txt

        First, lppasswd blithely ignores write errors in
        fputs(line,outfile) at lines 311 and 315 of lppasswd.c, and in
        fprintf(...) at line 346. An attacker who fills up the disk at
        the right moment can arrange for /usr/local/etc/cups/passwd to
        be truncated.

        Second, if lppasswd bumps into a file-size resource limit
        while writing passwd.new, it leaves passwd.new in place,
        disabling all subsequent invocations of lppasswd. Any local
        user can thus disable lppasswd by running the attached program
        63.c.

        Third, line 306 of lppasswd.c prints an error message to
        stderr but does not exit. This is not a problem on systems
        that ensure that file descriptors 0, 1, and 2 are open for
        setuid programs, but it is a problem on other systems;
        lppasswd does not check that passwd.new is different from
        stderr, so it ends up writing a user-controlled error message
        to passwd if the user closes file descriptor 2.

        http://tigger.uic.edu/~jlongs2/holes/cups2.txt
Comment 1 Josh Bressers 2004-12-16 14:21:18 UTC 
This issue also affects FC2
Comment 2 Tim Waugh 2004-12-16 14:22:28 UTC 
CUPS STRs:

http://www.cups.org/str.php?L1023 [I've attached a patch for that]
http://www.cups.org/str.php?L1024 [no patch yet]
Comment 12 Tim Waugh 2004-12-22 13:51:23 UTC 
https://www.redhat.com/archives/fedora-announce-list/2004-December/msg00079.html
https://www.redhat.com/archives/fedora-announce-list/2004-December/msg00080.html