Bug 1561296 (CVE-2017-18248)

Summary: CVE-2017-18248 cups: Invalid usernames handled in scheduler/ipp.c:add_job() allow remote attackers to cause a denial of service
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: jpopelka, twaugh, zdohnal
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: cups 2.2.6
Last Closed: 2021-10-21 19:59:31 UTC
Bug Depends On: 1561297, 1561298, 1567005    
Bug Blocks: 1561300    

Description Sam Fowler 2018-03-28 04:29:06 UTC
CUPS before version 2.2.6 has a vulnerability in the handling of usernames in the scheduler/ipp.c:add_job() function. A remote attacker could exploit this by submitting a print job with an invalid UTF-8 username to cause a crash and subsequent denial of service.


External References:

https://security.cucumberlinux.com/security/details.php?id=346


Upstream Issue:

https://github.com/apple/cups/issues/5143


Upstream Patch:

https://github.com/apple/cups/commit/49fa4983f25b64ec29d548ffa3b9782426007df3

Comment 1 Sam Fowler 2018-03-28 04:29:32 UTC
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1561298]

Comment 3 Stefan Cornelius 2018-04-05 07:58:56 UTC
I've tried to reproduce this, but so far I don't get the crash. I presume that this is because we don't have asserts enabled in our dbus. The only problem is that even when using a custom dbus with asserts enabled, I still don't see a crash.

Comment 4 Stefan Cornelius 2018-04-05 11:38:40 UTC
In reply to comment 3:
> I've tried to reproduce this, but so far I don't get the crash. I presume
> that this is because we don't have asserts enabled in our dbus. The only
> problem is that even when using a custom dbus with asserts enabled, I still
> don't see a crash.

I do get a crash now; my testing was flawed. Unfortunately, the upstream patch requires the 1.7 API in order to have the attribute validation functions, which we don't have in RHEL7.

It's also worth noting that the original issues caused quite a few additional upstream changes, for example https://github.com/apple/cups/issues/5186 and https://github.com/apple/cups/issues/5229. Maybe we can use a method similar to the cups-dbus-utf8.patch for bug 863387, but more generalized.
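
The crash in this bug comes from a username that is not valid UTF-8 reaching code that expects well-formed text. The block below is an added example of a strict UTF-8 check applied to a job's username before it is passed on. It is not the upstream CUPS patch, not the cups-dbus-utf8.patch mentioned in comment 4, and not code from anyone in this thread. `utf8_is_valid` and `job_username_ok` are hypothetical names, and the sample inputs are constructed.

```c
#include <stdio.h>

/* Hypothetical helper (not a CUPS or D-Bus API): returns 1 if s is
 * well-formed UTF-8 per RFC 3629, 0 otherwise. */
int utf8_is_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;

    while (*p) {
        unsigned long cp;
        int need, len;

        if (*p < 0x80) { p++; continue; }                    /* ASCII */
        else if ((*p & 0xE0) == 0xC0) { cp = *p & 0x1F; len = 1; }
        else if ((*p & 0xF0) == 0xE0) { cp = *p & 0x0F; len = 2; }
        else if ((*p & 0xF8) == 0xF0) { cp = *p & 0x07; len = 3; }
        else return 0;          /* stray continuation byte or 0xF8..0xFF */

        for (p++, need = len; need > 0; need--, p++) {
            /* A NUL here fails the test too, so we never read past the end. */
            if ((*p & 0xC0) != 0x80) return 0;               /* truncated */
            cp = (cp << 6) | (*p & 0x3F);
        }
        if ((len == 1 && cp < 0x80) || (len == 2 && cp < 0x800) ||
            (len == 3 && cp < 0x10000)) return 0;            /* overlong */
        if ((cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF)
            return 0;                     /* surrogate or out of range */
    }
    return 1;
}

/* Hypothetical gate: accept a username only if it is present and valid
 * UTF-8, so the raw bytes are rejected before any later consumer sees them. */
int job_username_ok(const char *name)
{
    return name != NULL && utf8_is_valid(name);
}

int main(void)
{
    /* Constructed samples: two valid names, then a bad byte, an overlong
     * encoding and a truncated three-byte sequence. */
    const char *samples[] = { "alice", "J\xC3\xBCrgen", "bob\xFF",
                              "\xC0\xAF", "\xE2\x82" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sample %zu: %s\n", i,
               job_username_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```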