Bug 706673

Summary: Cups config parsing segfault
Product: Red Hat Enterprise Linux 6
Reporter: Richard Marko <rissko>
Component: cups
Assignee: Tim Waugh <twaugh>
Status: CLOSED ERRATA
QA Contact: qe-baseos-daemons
Severity: medium
Docs Contact:
Priority: medium
Version: 6.0
CC: azelinka, jpopelka, jscotka, mmalik, pknirsch, prc, rissko
Target Milestone: rc
Keywords: Patch
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: cups-1.4.2-40.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 784240
Environment:
Last Closed: 2011-12-06 15:28:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 784240

Attachments (flags: none):
  Minimized input file
  GDB short trace
  GDB full trace
  Valgrind output
  GDB short trace #2

Description Richard Marko 2011-05-22 08:56:25 UTC
Created attachment 500243
Minimized input file

Description of problem:
Cups crashing with segfault on attached config file.

Version-Release number of selected component (if applicable):
Version    : 1.4.2
Release    : 35.el6_0.1


How reproducible:
Always


Steps to Reproduce:
1. download attachment
2. run /usr/sbin/cupsd -f -c ./min

Actual results:
Segmentation fault


Expected results:
Proper error handling


Additional info:
Fault discovered by fuzzing the configuration file.
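The two reproduction steps above, as an added triage script that is not part of the bug report or of CUPS: it runs cupsd in the foreground on every config file in a directory and labels each run, so a crash by signal (the actual result) is told apart from a clean non-zero exit on a rejected directive (the expected result). The CUPSD and TIMEOUT variables, the label names and the coreutils timeout wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or from CUPS: classify how cupsd
# exits when started in the foreground on a (possibly fuzzed) config file.
# CUPSD and TIMEOUT are assumed overrides; defaults follow the report's step 2.
CUPSD="${CUPSD:-/usr/sbin/cupsd}"
TIMEOUT="${TIMEOUT:-5}"

# Turn a shell exit status into a triage label. A status above 128 means
# the process was killed by a signal (status - 128); numbers are Linux's.
classify_exit() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "ok"                   # clean exit (cupsd -f normally never returns)
    elif [ "$status" -eq 124 ]; then
        echo "running:timeout"      # config accepted, daemon kept serving
    elif [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        case "$sig" in
            11) echo "crash:SIGSEGV" ;;      # the failure in this report
            6)  echo "crash:SIGABRT" ;;      # assert() or glibc heap check
            *)  echo "crash:signal-$sig" ;;
        esac
    else
        echo "error:$status"        # rejected config, handled without crashing
    fi
}
# Run under coreutils timeout when available, so a config the daemon
# accepts does not stall a loop over many inputs; otherwise run directly.
run_limited() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TIMEOUT" "$@"
    else
        "$@"
    fi
}
# Step 2 of the report, errexit-safe; stderr is kept beside the config so
# the daemon's own error message (if any) can be compared with the label.
check_config() {
    config="$1"; status=0
    run_limited "$CUPSD" -f -c "$config" >/dev/null 2>"$config.err" || status=$?
    classify_exit "$status"
}
# Usage: sh triage.sh DIR  -> prints "<label><TAB><file>" for each file in DIR.
if [ "$#" -gt 0 ]; then
    for f in "$1"/*; do
        printf '%s\t%s\n' "$(check_config "$f")" "$f"
    done
fi
```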

Comment 1 Richard Marko 2011-05-22 08:57:28 UTC
Created attachment 500244
GDB short trace

Comment 2 Richard Marko 2011-05-22 08:57:53 UTC
Created attachment 500245
GDB full trace

Comment 3 Richard Marko 2011-05-22 08:58:12 UTC
Created attachment 500246
Valgrind output

Comment 5 Richard Marko 2011-05-22 09:45:44 UTC
Created attachment 500250
GDB short trace #2

Similar error in parse_aaa function (parsing logic).
I will provide additional information if required.

Comment 8 Jiri Popelka 2011-06-15 09:51:29 UTC
Patch:
http://www.cups.org/strfiles/3861/str3861.patch

Comment 12 errata-xmlrpc 2011-12-06 15:28:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1635.html