Bug 415131 (CVE-2007-5849)
Summary: | CVE-2007-5849 CUPS SNMP backend buffer overflow
---|---
Product: | [Other] Security Response
Component: | vulnerability
Reporter: | Josh Bressers <bressers>
Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED NOTABUG
Severity: | low
Priority: | low
Version: | unspecified
CC: | security-response-team, twaugh
Keywords: | Security
Hardware: | All
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2008-01-09 12:57:46 UTC

Description
Josh Bressers
2007-12-07 01:15:28 UTC
Tim, In theory this should only affect FC and RHEL5. Can you verify this does indeed not affect RHEL[34]. I know the advisory claims it's 1.2.0+, but it's always wise to check ourselves.

Created attachment 280721
Correct supplied patch
280361 was the wrong patch

according to opengrok the vulnerable code is only in cups in rhel5
it's probably caught by fortify_source too, needs investigation

I don't believe this is a security issue. If it is, it's likely a low severity flaw. This is partly due to CUPS being built with stack-protector support. It's only possible to trigger this flaw when an administrator triggers an event to launch the SNMP backend program. This is a helper program which will not affect cupsd if it misbehaves. The flaw in question can be triggered by a malformed SNMP packet that will trigger a stack overflow in the SNMP helper. stack-protector will prevent this exploit from causing anything but a crash in the SNMP helper, so the only possible potential for exploitation here is preventing the administrator from using the SNMP auto discovery feature of CUPS.

I agree with Josh's analysis. To confirm: the snmp backend is not present in RHEL releases earlier than 5, so only 5 is vulnerable to this. Since we build cups with stack-protector support this is at worst a denial of service for the "discover remote SNMP printers" functionality, which is an administrator-triggered event.

now public, opening bug

Issue was addressed in upstream version 1.3.5. http://www.cups.org/articles.php?L519

Fixed upstream version is already in Fedora rawhide and Fedora 8 testing repository.
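
The kind of length check that keeps a malformed SNMP packet from overrunning a fixed stack buffer, as an added example that is not part of the original bug report and is neither the CUPS code nor the attached patch. SNMP fields are BER-encoded; the function names, the 8-byte buffer and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: decode a BER length at buf[*pos].
 * Returns 0 on success, -1 if truncated, indefinite or too wide. */
static int ber_read_length(const unsigned char *buf, size_t buflen,
                           size_t *pos, size_t *out)
{
    if (*pos >= buflen) return -1;
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }        /* short form */
    size_t n = b & 0x7f;                         /* long form: n length octets */
    if (n == 0 || n > sizeof(size_t) || n > buflen - *pos) return -1;
    size_t len = 0;
    while (n--) len = (len << 8) | buf[(*pos)++];
    *out = len;
    return 0;
}

/* Copy one OCTET STRING (tag 0x04) into dst, NUL-terminated.
 * Returns the string length, or -1 if malformed or too large for dst. */
int ber_get_string(const unsigned char *buf, size_t buflen, size_t *pos,
                   char *dst, size_t dstsize)
{
    size_t len;
    if (dstsize == 0 || *pos >= buflen || buf[(*pos)++] != 0x04) return -1;
    if (ber_read_length(buf, buflen, pos, &len) != 0) return -1;
    if (len > buflen - *pos) return -1;  /* claims more bytes than received */
    if (len >= dstsize) return -1;       /* would overrun the caller's buffer */
    memcpy(dst, buf + *pos, len);
    dst[len] = '\0';
    *pos += len;
    return (int)len;
}

/* Parse a packet fragment into a small stack buffer (size is an assumption). */
int parse_sample(const unsigned char *pkt, size_t pktlen)
{
    char community[8];
    size_t pos = 0;
    return ber_get_string(pkt, pktlen, &pos, community, sizeof(community));
}

/* Constructed sample inputs, not captured traffic. */
const unsigned char SAMPLE_OK[] = { 0x04, 0x06, 'p','u','b','l','i','c' };
const unsigned char SAMPLE_TOO_LONG[] = { 0x04, 0x81, 0x10, 'A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A' };  /* 16 bytes into 8 */
const unsigned char SAMPLE_TRUNCATED[] = { 0x04, 0x82, 0x01, 0x00, 'A', 'A' };
const unsigned char SAMPLE_INDEFINITE[] = { 0x04, 0x80, 'A' };
```

Each rejected sample returns -1 before any copy takes place, so the parser does not depend on stack-protector to contain the malformed input.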