Bug 1091565 - (CVE-2014-4336) CVE-2014-4336 cups-filters: incomplete fix for CVE-2014-2707
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All, OS: Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20140423,repo...
Keywords: Security
Depends On: 1091569 1108197 1108198
Blocks: 1095493
Reported: 2014-04-25 18:39 EDT by Vincent Danen
Modified: 2015-07-31 03:18 EDT
Fixed In Version: cups-filters 1.0.53
Doc Type: Bug Fix
Last Closed: 2014-06-20 03:24:23 EDT

Description Vincent Danen 2014-04-25 18:39:56 EDT
According to Sebastian Krahmer, the initial fix for CVE-2014-2707 (bug #1083326) is incomplete:

"
This issue was reported as fixed in 1.0.51:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7188
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7189

but it was found that the fix was incomplete with the full fix in 1.0.53:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194
"

The CVE-2014-2707 flaw is regarding the cups-browsed daemon being manipulated to execute arbitrary commands via malicious broadcast packets.
Comment 1 Vincent Danen 2014-04-25 19:12:40 EDT
Created cups-filters tracking bugs for this issue:

Affects: fedora-all [bug 1091569]
Comment 2 Fedora Update System 2014-05-05 23:37:46 EDT
cups-filters-1.0.53-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-06-09 22:53:18 EDT
cups-filters-1.0.53-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Tomas Hoger 2014-06-20 03:24:23 EDT
CVE-2014-4336 was assigned for this issue, which is an incomplete fix for CVE-2014-2707, which failed to escape host name in generate_local_queue() properly.

This issue did not affect cups-filters version in Red Hat Enterprise Linux 7.  As noted in bug 1083326 comment 5, this flaw is in the code for handling automatic setup of print queues.  Support for that functionality was introduced upstream in version 1.0.41, while version used in Red Hat Enterprise Linux 7 is older - 1.0.35.

Statement:

Not vulnerable. This issue did not affect the versions of cups-filters as shipped with Red Hat Enterprise Linux 7.
Comment 13 Tomas Hoger 2014-06-20 04:17:14 EDT
(In reply to Vincent Danen from comment #0)
> but it was found that the fix was incomplete with the full fix in 1.0.53:
> http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194

Note that this commit also addresses another issue that can be used to remotely crash cups-browsed - see CVE-2014-4337 / bug 1111510.
