Bug 415131 (CVE-2007-5849)

Summary: CVE-2007-5849 CUPS SNMP backend buffer overflow
Product: [Other] Security Response
Component: vulnerability
Reporter: Josh Bressers <bressers>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: security-response-team, twaugh
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-01-09 12:57:46 UTC
Attachments: Correct supplied patch (flags: none)

Description Josh Bressers 2007-12-07 01:15:28 UTC
Wei Wang of McAfee AVERT Research discovered a buffer overflow flaw in the SNMP
backend of CUPS.  It may be possible for a remote attacker to send a specially
crafted SNMP packet that would allow for the execution of arbitrary code as the
cupsd user.

Comment 4 Josh Bressers 2007-12-07 01:22:36 UTC
Tim,

In theory this should only affect FC and RHEL5.  Can you verify this does indeed
not affect RHEL[34]?  I know the advisory claims it's 1.2.0+, but it's always
wise to check ourselves.

Comment 5 Mark J. Cox 2007-12-07 06:31:34 UTC
Created attachment 280721 [details]
Correct supplied patch

280361 was the wrong patch

Comment 6 Mark J. Cox 2007-12-07 06:33:37 UTC
According to opengrok the vulnerable code is only in cups in rhel5.
It's probably caught by fortify_source too; needs investigation.

Comment 8 Josh Bressers 2007-12-07 19:42:42 UTC
I don't believe this is a security issue.  If it is, it's likely a low severity
flaw.  This is partly due to CUPS being built with stack-protector support.

It's only possible to trigger this flaw when an administrator triggers an event
to launch the SNMP backend program.  This is a helper program which will not
affect cupsd if it misbehaves.

The flaw in question can be triggered by a malformed SNMP packet that will
trigger a stack overflow in the SNMP helper.  stack-protector will prevent this
exploit from causing anything but a crash in the SNMP helper, so the only
possible potential for exploitation here is preventing the administrator from
using the SNMP auto discovery feature of CUPS.
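
Comment 8 describes the flaw as a malformed SNMP packet overrunning a stack buffer in the helper. The block below is an added illustration of that bug class, not the CUPS backend's code and not the patch attached to this report: a bounds-checked decoder for one BER OCTET STRING (the encoding SNMP uses for its string fields) showing the two length checks a safe copy into a fixed buffer needs. The function names and the constructed sample packets are the example's own.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical illustration of the bug class, not the CUPS backend's code:
 * decode one BER OCTET STRING (tag 0x04, short-form length) from an SNMP
 * packet into a fixed-size buffer, refusing anything that would not fit. */
#define BER_OCTET_STRING 0x04
/* Returns the number of bytes copied into out, or -1 for malformed input.
 * On success out is NUL-terminated (out_cap counts the NUL). */
int ber_read_octet_string(const uint8_t *pkt, size_t pkt_len,
                          char *out, size_t out_cap)
{
    size_t len;
    if (pkt == NULL || out == NULL || out_cap == 0 || pkt_len < 2)
        return -1;
    if (pkt[0] != BER_OCTET_STRING || (pkt[1] & 0x80)) /* long form: unsupported */
        return -1;
    len = pkt[1];
    /* Two independent checks: the length must be backed by real packet
     * bytes (no over-read) and must fit the caller's buffer (no overflow).
     * A copy guarded by only the first check is the shape of flaw this
     * report describes; stack-protector turns it into a crash. */
    if (len > pkt_len - 2 || len >= out_cap)
        return -1;
    memcpy(out, pkt + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Decode into a local buffer of the given capacity and, when expect is
 * given, compare the text; returns the decoder's result, or -2 on a
 * content mismatch, so behaviour can be checked without exposing buf. */
int decode_with_cap(const uint8_t *pkt, size_t pkt_len, size_t cap,
                    const char *expect)
{
    char buf[64];
    int n;
    if (cap > sizeof buf)
        return -1;
    n = ber_read_octet_string(pkt, pkt_len, buf, cap);
    if (n >= 0 && expect != NULL && strcmp(buf, expect) != 0)
        return -2;
    return n;
}

/* Constructed samples: a valid "hello", and a packet claiming 0x7f bytes
 * while carrying only two (the over-read case). */
static const uint8_t sample_ok[]    = { 0x04, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t sample_short[] = { 0x04, 0x7f, 'h', 'i' };
```

With a 16-byte or 6-byte buffer the valid sample decodes to "hello" (5 bytes); with a 5-byte buffer it is rejected because the terminating NUL would not fit, and the truncated packet is rejected before any copy.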

Comment 9 Tim Waugh 2007-12-10 15:48:36 UTC
I agree with Josh's analysis.

To confirm: the snmp backend is not present in RHEL releases earlier than 5, so
only 5 is vulnerable to this.  Since we build cups with stack-protector support
this is at worst a denial of service for the "discover remote SNMP printers"
functionality, which is an administrator-triggered event.

Comment 10 Mark J. Cox 2007-12-31 23:01:22 UTC
now public, opening bug

Comment 11 Tomas Hoger 2008-01-09 12:57:46 UTC
Issue was addressed in upstream version 1.3.5.
  http://www.cups.org/articles.php?L519

Fixed upstream version is already in Fedora rawhide and Fedora 8 testing repository.