Red Hat Bugzilla – Bug 1091565
CVE-2014-4336 cups-filters: incomplete fix for CVE-2014-2707
Last modified: 2015-07-31 03:18:59 EDT
According to Sebastian Krahmer, the initial fix for CVE-2014-2707 (bug #1083326) is incomplete:
This issue was reported as fixed in 1.0.51:
but it was found that the fix was incomplete with the full fix in 1.0.53:
The CVE-2014-2707 flaw is regarding the cups-browsed daemon being manipulated to execute arbitrary commands via malicious broadcast packets.
Created cups-filters tracking bugs for this issue:
Affects: fedora-all [bug 1091569]
cups-filters-1.0.53-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
cups-filters-1.0.53-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
CVE-2014-4336 was assigned for this issue, which is an incomplete fix for CVE-2014-2707 that failed to properly escape the host name in generate_local_queue().
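One defensive pattern for the class of bug named above is to accept a host name received from the network only if it matches strict host name syntax, rejecting everything else instead of trying to escape it. This is an added example, not code from cups-filters or from this bug report; the function name `hostname_is_safe` is hypothetical and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from cups-filters): returns 1 if `host` consists
 * only of RFC 1123 letters-digits-hyphen labels separated by dots, else 0.
 * Quotes, spaces, '$', backticks, semicolons and control bytes are rejected
 * outright, so nothing is left that would need escaping later. */
int hostname_is_safe(const char *host)
{
    size_t total, label_len = 0;
    const unsigned char *p;

    if (host == NULL)
        return 0;
    total = strlen(host);
    if (total == 0 || total > 253)        /* DNS limit on a full name */
        return 0;
    for (p = (const unsigned char *)host; *p != '\0'; p++) {
        if (*p == '.') {
            /* no empty label, no label ending in '-' */
            if (label_len == 0 || p[-1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        if (*p > 127 || !(isalnum(*p) || *p == '-'))
            return 0;
        if (label_len == 0 && *p == '-')  /* no label starting with '-' */
            return 0;
        if (++label_len > 63)             /* DNS limit on one label */
            return 0;
    }
    return p[-1] != '-';                  /* one trailing dot is allowed */
}

int main(void)
{
    /* Constructed inputs standing in for names taken from a packet. */
    const char *samples[] = { "printer1.example.com", "printer.local.",
                              "host name", "host\";x", "a..b", "-lead.example" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s %s\n", samples[i],
               hostname_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

IPv6 literals and names containing underscores are rejected by this check; a caller that needs them has to handle them separately.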
This issue did not affect the cups-filters version in Red Hat Enterprise Linux 7. As noted in bug 1083326 comment 5, this flaw is in the code for handling automatic setup of print queues. Support for that functionality was introduced upstream in version 1.0.41, while the version used in Red Hat Enterprise Linux 7 is older: 1.0.35.
Not vulnerable. This issue did not affect the versions of cups-filters as shipped with Red Hat Enterprise Linux 7.
(In reply to Vincent Danen from comment #0)
> but it was found that the fix was incomplete with the full fix in 1.0.53:
Note that this commit also addresses another issue that can be used to remotely crash cups-browsed - see CVE-2014-4337 / bug 1111510.