Bug 2214914 (CVE-2023-34241)

Summary: CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: chazlett, zdohnal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in CUPS. This issue occurs due to logging data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data immediately before the connection closed, resulting in a use-after-free in cupsdAcceptClient() in scheduler/client.c
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2214915, 2214917, 2216717, 2216718    
Bug Blocks: 2214604    

Description Sandipan Roy 2023-06-14 04:51:21 UTC 
The exact cause of this issue is the function httpClose(con->http) being called in scheduler/client.c before |httpClose(con->http); cupsdLogClient(con, CUPSDLOGWARN, "IP lookup failed - connection from %s closed!", httpGetHostname(con->http, NULL, 0));|

The problem is that httpClose always, provided its argument is not null,frees the pointer at the end of the call, only for cupsdLogClient to 
pass the pointer to httpGetHostname.
Comment 3 Sandipan Roy 2023-06-22 11:06:45 UTC 
Created cups tracking bugs for this issue:

Affects: fedora-37 [bug 2216717]
Affects: fedora-38 [bug 2216718]