Bug 1091565 (CVE-2014-4336) - CVE-2014-4336 cups-filters: incomplete fix for CVE-2014-2707
Summary: CVE-2014-4336 cups-filters: incomplete fix for CVE-2014-2707
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-4336
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1091569 1108197 1108198
Blocks: 1095493
Reported: 2014-04-25 22:39 UTC by Vincent Danen
Modified: 2021-02-17 06:37 UTC

Fixed In Version: cups-filters 1.0.53
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-20 07:24:23 UTC
Embargoed:



Description Vincent Danen 2014-04-25 22:39:56 UTC
According to Sebastian Krahmer, the initial fix for CVE-2014-2707 (bug #1083326) is incomplete:

"
This issue was reported as fixed in 1.0.51:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7188
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7189

but it was found that the fix was incomplete with the full fix in 1.0.53:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194
"

The CVE-2014-2707 flaw is regarding the cups-browsed daemon being manipulated to execute arbitrary commands via malicious broadcast packets.

Comment 1 Vincent Danen 2014-04-25 23:12:40 UTC
Created cups-filters tracking bugs for this issue:

Affects: fedora-all [bug 1091569]

Comment 2 Fedora Update System 2014-05-06 03:37:46 UTC
cups-filters-1.0.53-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-06-10 02:53:18 UTC
cups-filters-1.0.53-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Tomas Hoger 2014-06-20 07:24:23 UTC
CVE-2014-4336 was assigned for this issue, which is an incomplete fix for CVE-2014-2707, which failed to escape the host name in generate_local_queue() properly.

This issue did not affect the cups-filters version in Red Hat Enterprise Linux 7.  As noted in bug 1083326 comment 5, this flaw is in the code for handling automatic setup of print queues.  Support for that functionality was introduced upstream in version 1.0.41, while the version used in Red Hat Enterprise Linux 7 is older - 1.0.35.

Statement:

Not vulnerable. This issue did not affect the versions of cups-filters as shipped with Red Hat Enterprise Linux 7.
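
The escaping failure described in comment 12 is the kind of defect an allow-list check avoids: instead of escaping selected characters, a host name received from the network is rejected unless it is a plain DNS name. The sketch below is an added example, not code from cups-filters or from the fix revisions linked above; the function name `hostname_is_safe` and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from cups-filters): accept a host name taken from
 * an untrusted network announcement only if it is a plain RFC 1123 DNS name.
 * With an allow-list, quotes, backticks, '$', ';', spaces and newlines can
 * never reach a generated command line, whatever escaping happens later.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int hostname_is_safe(const char *name)
{
    size_t len, label_len = 0, i;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len > 0 && name[len - 1] == '.')    /* allow one trailing root dot */
        len--;
    if (len == 0 || len > 253)
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        if (c == '.') {
            /* a label must be non-empty and must not end with '-' */
            if (label_len == 0 || name[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        /* explicit ASCII ranges: isalnum() would be locale dependent */
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-'))
            return 0;
        if (c == '-' && label_len == 0)     /* no leading '-' (option-like) */
            return 0;
        if (++label_len > 63)
            return 0;
    }
    /* the final label must be non-empty and must not end with '-' */
    return label_len > 0 && name[len - 1] != '-';
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "printer-01.example.local", "host`x`.local", "a..b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i], hostname_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A name that fails the check is dropped rather than repaired, so there is no escaping step left to get wrong.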

Comment 13 Tomas Hoger 2014-06-20 08:17:14 UTC
(In reply to Vincent Danen from comment #0)
> but it was found that the fix was incomplete with the full fix in 1.0.53:
> http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194

Note that this commit also addresses another issue that can be used to remotely crash cups-browsed - see CVE-2014-4337 / bug 1111510.

