Bug 557775 (CVE-2010-0302)

Summary: CVE-2010-0302 cups Incomplete fix for CVE-2009-3553
Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: Tim Waugh <twaugh>
Assignee: Red Hat Product Security <security-response-team>
CC: security-response-team, vdanen, ykopkova
Keywords: Security
Whiteboard: impact=moderate,source=redhat,public=20100303,reported=20100122,cvss2=3.3/AV:A/AC:L/Au:N/C:N/I:N/A:P
Doc Type: Bug Fix
: 557789
Bug Depends On: 557789, 563326, 563327
Attachments: cups-CVE-2009-3553-incomplete-fix.patch

Description Tim Waugh 2010-01-22 15:00:09 UTC
Description of problem:
CVE-2009-3553 (bug #530111) has not been completely fixed.

Version-Release number of selected component (if applicable):
Versions known to be affected:

cups-1.3.7-11.el5_4.5 (RHEL-5.4.z)
cups-1.3.7-16.el5     (RHEL-5)

Additional info:
The cause is that the cupsdDoSelect() function uses one of several implementations depending on the underlying select/poll capabilities of the operating system.  For kqueue and epoll implementations, cupsdRemoveSelect() does not immediately decrease the reference count for the file descriptor and instead adds it to the cupsd_inactive_fds array.  File descriptors in that array are finally dereferenced in cupsdStopSelect() (i.e. program termination).

In Red Hat Enterprise Linux, the epoll implementation is used.

The previous fix for CVE-2009-3553 was to check that another reference was held for the file descriptor before calling the write_cb function; however, that will always be the case for both the epoll and kqueue implementations.

The correct fix is to check whether the file descriptor is in the cupsd_inactive_fds array before calling the write_cb function.
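The description above can be illustrated with a simplified model of the cupsd select layer (added example, hypothetical code, not CUPS source): a descriptor removed from inside a read callback stays reference-counted and is parked in an inactive array until the end of the pass, so a check on the reference count (`use > 1`) passes even though the descriptor is gone, while a check against the inactive array does not.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of cupsd_fd_t; field names mirror the report, not CUPS code. */
typedef struct {
    int  fd;
    int  use;          /* reference count, as the report's "reference" */
    bool closed;       /* set when the read callback removes the descriptor */
    int  stale_writes; /* write_cb invocations on an already-removed descriptor */
} model_fd_t;

static model_fd_t *inactive_fds[8];   /* stands in for cupsd_inactive_fds */
static int         inactive_count;

/* epoll/kqueue path: the refcount is not touched yet; the fd is parked instead. */
static void model_remove_select(model_fd_t *f) { inactive_fds[inactive_count++] = f; }

static bool model_is_inactive(const model_fd_t *f) {
    for (int i = 0; i < inactive_count; i++)
        if (inactive_fds[i] == f) return true;
    return false;
}

/* Read callback that closes the client, as a dropped connection would. */
static void model_read_cb(model_fd_t *f) { f->closed = true; model_remove_select(f); }
static void model_write_cb(model_fd_t *f) { if (f->closed) f->stale_writes++; }

/* One ready fd with read and write events pending in the same pass.
   check_inactive=false: original CVE-2009-3553 check; true: corrected check. */
static void model_dispatch(model_fd_t *f, bool check_inactive) {
    f->use++;                                   /* hold a reference across callbacks */
    model_read_cb(f);                           /* may remove the descriptor */
    bool safe = check_inactive ? !model_is_inactive(f) : (f->use > 1);
    if (safe) model_write_cb(f);
    f->use--;
    for (int i = 0; i < inactive_count; i++)    /* end of pass: release parked fds */
        inactive_fds[i]->use--;
    inactive_count = 0;
}

/* Returns how many times write_cb ran on a descriptor removed earlier in the pass. */
int model_stale_write_count(bool check_inactive) {
    model_fd_t f = { .fd = 7, .use = 1, .closed = false, .stale_writes = 0 };
    inactive_count = 0;
    model_dispatch(&f, check_inactive);
    return f.stale_writes;
}

int main(void) {
    printf("refcount check: %d stale write(s)\n", model_stale_write_count(false));
    printf("inactive-array check: %d stale write(s)\n", model_stale_write_count(true));
    return 0;
}
```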

Comment 1 Tim Waugh 2010-01-22 15:02:50 UTC
Created attachment 386167 [details]
cups-CVE-2009-3553-incomplete-fix.patch

Attached is a patch for RHEL-5.4.z.

Comment 2 Tim Waugh 2010-01-22 15:33:07 UTC
Small correction: file descriptors in the cupsd_inactive_fds array are finally dereferenced just before cupsdDoSelect() returns.

Comment 3 Vincent Danen 2010-01-27 04:40:51 UTC
Hi Tim.  Was this incorrect fix provided by upstream, or did we come up with the fix and neglect to deal with the kqueue and epoll implementations?  In other words, is this a Red Hat-only issue, or do we need to alert other vendors and is upstream aware of the incomplete fix?

We'll need to get a new CVE name for this, regardless.  Thanks for the clarification.

Comment 4 Tim Waugh 2010-01-27 09:28:46 UTC
It was my original patch (sorry), but Michael Sweet also missed the problem and committed it upstream for the not-yet-released 1.4.3 version.

We did alert other vendors about CVE-2009-3553 originally, and my patch was proposed.  Michael Sweet replied on that thread saying that was the patch that would be used to fix it, so very likely other vendors are using it as-is.

Upstream is not yet aware of the incomplete fix.

Comment 5 Josh Bressers 2010-01-28 18:45:27 UTC
I've assigned CVE-2010-0302 for this.

Comment 6 Josh Bressers 2010-02-02 20:05:40 UTC
Tim,

Has anyone been told of this yet? I'm not sure how upstream likes to handle security flaws. Some guidance would be appreciated.

Thanks.

Comment 7 Tim Waugh 2010-02-03 11:21:12 UTC
I'm not sure what the protocol is myself.  I didn't want to tell anyone without the say-so of the SRT...

If you're happy for me to report it upstream I can do that? (There is a mechanism for reporting private security bugs on cups.org.)

Comment 8 Josh Bressers 2010-02-03 14:55:08 UTC
Let's start with upstream, once we have a final patch we can tell the vendors.

Thanks.

Comment 9 Tim Waugh 2010-02-03 16:09:32 UTC
Reported upstream.

Comment 22 Vincent Danen 2010-03-03 17:31:14 UTC
The embargo has lifted.

Comment 23 errata-xmlrpc 2010-03-03 17:40:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0129 https://rhn.redhat.com/errata/RHSA-2010-0129.html

Comment 24 Fedora Update System 2010-03-05 11:08:07 UTC
cups-1.4.2-26.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cups-1.4.2-26.fc11

Comment 25 Fedora Update System 2010-03-05 11:30:14 UTC
cups-1.4.2-28.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/cups-1.4.2-28.fc12

Comment 26 Fedora Update System 2010-03-05 11:39:05 UTC
cups-1.4.2-34.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/cups-1.4.2-34.fc13

Comment 27 Fedora Update System 2010-03-11 13:24:33 UTC
cups-1.4.2-34.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2010-03-12 04:20:17 UTC
cups-1.4.2-28.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2010-03-13 02:28:53 UTC
cups-1.4.2-26.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.