Bug 490597 (CVE-2009-0164)
Summary: CVE-2009-0164 cups: insufficient checking of the HTTP Host: header

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX | QA Contact | |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | unspecified | CC | bressers, kreilly, twaugh |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2011-11-10 16:25:43 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
Jan Lieskovsky
2009-03-17 08:15:09 UTC
Created attachment 335489 [details]
Upstream Host: header checking patch
Created attachment 337477 [details]
Upstream documentation patch describing adding of new ServerAlias configuration directive
Created attachment 337478 [details]
The ServerAlias docs patch ported to RHEL-3 (1.1.17) cups -- a similar change will still be needed for the doc/sam.shtml file

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

The check introduced by this patch may break existing installations where the CUPS printing server is accessed by clients using a DNS CNAME that is not configured as a hostname or hostname alias on the server. After applying this patch, the CUPS server would refuse any connection attempts from such clients.

Created attachment 337735 [details]
Updated upstream patch

This patch adds support for localhost.localdomain as an alternate localhost name. It also adds support for the '*' wildcard for use with the ServerAlias directive. This can be used to allow any name to be used in the Host: header for non-localhost connections (localhost connections are treated separately and are not influenced by ServerAlias settings), to emulate the behavior of older CUPS versions.

Fixed upstream in 1.3.10, lifting embargo: http://www.cups.org/articles.php?L582

cups-1.3.10-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/cups-1.3.10-1.fc9

cups-1.3.10-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/cups-1.3.10-1.fc10

cups-1.3.10-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

cups-1.3.10-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

CVE-2009-0164: The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks.

Adding pointer to upstream STR #3164, "httpSetField needs to bracket IPv6 addresses for HTTP_FIELD_HOST". This fix is required, otherwise local connections may be denied.

Adding pointer to upstream STR #3167, "ServerName not treated as allowed Host: value". This fix is required, otherwise connections made using the ServerName hostname will be denied unless there is also a ServerAlias for that name.

I have seen some odd behaviour on Fedora 10 but have not been able to reproduce it, and it may be related to this change, which is included in 1.3.10. The problem seemed to be that cupsd was taking a very long time to look up the hostname associated with each network interface (some of which have no associated hostname), and doing this each time it sent browse information. While it was doing this it could not process any IPP requests.

Statement: The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the security risk. We therefore have no plans to fix this flaw in Red Hat Enterprise Linux 4 and 5.

Created attachment 532352 [details]
cups-CVE-2009-0164.patch

Here's a patch that bundles all the fixes together.

The two extra spec file changes required are:
%install
...
# Disable Host: checking by default for compatibility. The
# ServerAlias directive was added in 1.3.10.
for suffix in conf conf.default; do
cat <<"EOF" >> $RPM_BUILD_ROOT%{_sysconfdir}/cups/cupsd."$suffix"
# You should list each hostname alias used for this server so that it
# can verify the correct name is used for it. Using "ServerAlias *"
# disables checking.
ServerAlias *
EOF
done
...
%triggerpostun -- %{name} < 1:1.3.7-30
if [ "$1" -gt 0 ]; then
CONF=%{_sysconfdir}/cups/cupsd.conf
if ! grep -qiw ServerAlias "$CONF"; then
cp -a "$CONF" "$CONF".rpmorig
cat <<"EOF" >> "$CONF"
# You should list each hostname alias used for this server so that it
# can verify the correct name is used for it. Using "ServerAlias *"
# disables checking.
ServerAlias *
EOF
/sbin/service cups condrestart > /dev/null 2>&1 || :
fi
fi
Created attachment 532590 [details]
cups.spec.patch
Proposed spec changes.
Given the risks of the fix, low impact of the issue, and the fact we'd need to effectively disable the fix by default, we're not planning to add this fix to Red Hat Enterprise Linux 4 and 5. The fix is already available in Red Hat Enterprise Linux 6 since the initial release.
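The Host: check and the ServerAlias semantics discussed in this bug, modelled as an added example. This is not CUPS code and not an attachment from the page; the rule set (localhost connections judged only against localhost names, loopback literals and ServerName; other connections against ServerName, ServerAlias entries or the "*" wildcard; unbracketed IPv6 literals rejected, as in the STR #3164 failure mode), the helper names, and the sample hostnames print.example.org and evil.example.net are assumptions made for illustration.

```python
# Added example (not CUPS source and not from this bug): a model of the
# Host: header check that CUPS 1.3.10 introduced for CVE-2009-0164, with the
# ServerAlias / "ServerAlias *" semantics described above and the two
# follow-up STRs (bracketed IPv6 literals, ServerName accepted). The rule
# set, helper names and sample hostnames are assumptions for illustration.
import ipaddress

LOCALHOST_NAMES = {"localhost", "localhost.", "localhost.localdomain"}


def parse_host_field(value):
    """Split an HTTP Host: field into (hostname, port or None).

    Accepts "name", "name:port", "[v6]" and "[v6]:port". Returns None for
    malformed input, including an unbracketed IPv6 literal such as
    "::1:631", which is ambiguous (host "::1" on port 631, or host "::1:631"?)
    and is the shape STR #3164 fixed on the client side by bracketing.
    """
    v = value.strip().lower()
    if v.startswith("["):
        end = v.find("]")
        if end < 0:
            return None
        host, rest = v[1:end], v[end + 1:]
    else:
        host, sep, rest = v.partition(":")
        if ":" in rest:            # a second colon means a bare IPv6 literal
            return None
        if sep:
            rest = ":" + rest
    if not host:
        return None
    if not rest:
        return host, None
    if not (rest.startswith(":") and rest[1:].isdigit()):
        return None
    return host, int(rest[1:])


def is_loopback_literal(host):
    """True for 127.0.0.0/8 or ::1 written as an address literal."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def host_allowed(host_field, *, server_name, local_connection, server_aliases=()):
    """Decide whether a request carrying this Host: value may be served.

    Modelled rules (assumptions for this example, not scheduler/client.c):
    - a malformed Host: value is always rejected;
    - ServerName is always an acceptable name (the STR #3167 point);
    - a connection arriving over loopback is otherwise accepted only for
      localhost names or loopback literals; ServerAlias is not consulted,
      matching the note that localhost connections are handled separately;
    - any other connection must present a ServerAlias entry, unless
      ServerAlias contains "*", which disables the check (the pre-1.3.10
      behaviour the RHEL spec snippet restores by default).
    """
    parsed = parse_host_field(host_field)
    if parsed is None:
        return False
    host, _port = parsed
    if host == server_name.lower():
        return True
    if local_connection:
        return host in LOCALHOST_NAMES or is_loopback_literal(host)
    aliases = {a.lower() for a in server_aliases}
    return "*" in aliases or host in aliases


def rebinding_request_blocked(attacker_name, server_name, server_aliases=()):
    """A DNS-rebinding request: the victim's browser runs on the print
    server's own host, so the connection is local, but the Host: header still
    names the attacker's domain. With Host: checking on, it is refused even
    when "ServerAlias *" is configured, because aliases are not consulted
    for loopback connections in this model."""
    return not host_allowed(f"{attacker_name}:631",
                            server_name=server_name,
                            local_connection=True,
                            server_aliases=server_aliases)


if __name__ == "__main__":
    print(host_allowed("[::1]:631", server_name="print.example.org", local_connection=True))   # True
    print(host_allowed("::1:631", server_name="print.example.org", local_connection=True))     # False
    print(host_allowed("print-alias:631", server_name="print.example.org",
                       local_connection=False, server_aliases=("*",)))                        # True
    print(rebinding_request_blocked("evil.example.net", "print.example.org", ("*",)))         # True
```

The second call shows why STR #3164 mattered: a client that writes the loopback address into Host: without brackets is indistinguishable from a bad value and gets refused, so local connections break until the client library brackets IPv6 literals. The last call shows the property the fix buys: "ServerAlias *" restores the old lenient behaviour for remote clients, but a rebound browser on the same machine still cannot reach cupsd under the attacker's name.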