Bug 168106

Summary: CAN-2005-2874 Malformed HTTP Request URL denial of service
Product: [Fedora] Fedora Reporter: Josh Bressers <bressers>
Component: cupsAssignee: Tim Waugh <twaugh>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3CC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
URL: http://securitytracker.com/id?1012811
Whiteboard: impact=moderate,reported=20050912,public=20050107,source=bugzilla
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-10-25 11:48:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2005-09-12 14:47:51 UTC 
+++ This bug was initially created as a clone of Bug #168072 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050909
Red Hat/1.0.6-1.4.2 Firefox/1.0.6

Description of problem:
Connecting to the CUPS daemon on port 631, and sending a http request "GET
/..\.." will cause the daemon to enter a tight loop, and eat up all available CPU.

Version-Release number of selected component (if applicable):
cups-1.1.22-0.rc1.9.7

How reproducible:
Always

Steps to Reproduce:
1. telnet example.com 631
2. type "GET /..\.." followed by enter twice
3. denial of service
  

Actual Results:  denial of service, cups daemon eating up 100% CPU

Expected Results:  graceful handling of malformed http request

Additional info:

Security Tracker advisory: http://securitytracker.com/id?1012811
Exploit: http://www.securiteam.com/exploits/5WP021PGUW.html
CUPS Release Notes from fixed version: http://www.cups.org/relnotes.php#010123
CUPS bug: http://www.cups.org/str.php?L1042+P0+S-1+C0+I0+E0+Q1042
Comment 1 Fedora Update System 2005-09-22 16:25:02 UTC 
From User-Agent: XML-RPC

cups-1.1.22-0.rc1.8.7 has been pushed for FC3, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 2 Mark J. Cox 2005-10-25 11:48:15 UTC 
        CAN-2005-2874 Affects: FC3 [#168106:ASSIGNED] -> FEDORA-2005-908