Sebastian Krahmer of SUSE reported an out-of-bounds read flaw in the way cups-browsed handled browse packets. A specially crafted packet could cause cups-browsed to read beyond the end of the buffer that stores the incoming packet and possibly crash.

The issue was fixed upstream in version 1.0.53 as part of the following commit, which also fixes CVE-2014-4336 (bug 1091565):

http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194

The flaw is in process_browse_data(), which fails to properly check the packet length while parsing a browse packet.

The original report in SUSE/Novell bugzilla:

https://bugzilla.novell.com/show_bug.cgi?id=871327
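As an added illustration of the bug class described above (not code from cups-filters or from the upstream fix), this C sketch parses a received datagram strictly within its reported length instead of trusting a terminator. The packet layout, the function names `parse_browse_packet` and `hex_field`, and the sample input are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed, simplified layout (not from the page): "<hex type> <hex state> <uri> ..."
 * The datagram is NOT NUL-terminated; only pkt[0..len) may be read. */
/* Read one hex field that must be followed by a space inside the packet. */
static const unsigned char *hex_field(const unsigned char *p,
                                      const unsigned char *end, unsigned *out)
{
    unsigned v = 0;
    int digits = 0;
    while (p < end && *p == ' ') p++;
    for (; p < end && digits < 8; p++, digits++) {
        unsigned char c = *p;
        if (c >= '0' && c <= '9') v = v * 16 + (unsigned)(c - '0');
        else if (c >= 'a' && c <= 'f') v = v * 16 + (unsigned)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') v = v * 16 + (unsigned)(c - 'A' + 10);
        else break;
    }
    if (digits == 0 || p >= end || *p != ' ') return NULL;
    *out = v;
    return p;
}

/* Hypothetical helper: returns 0 on success, -1 on a short or malformed packet. */
int parse_browse_packet(const unsigned char *pkt, size_t len, unsigned *type,
                        unsigned *state, char *uri, size_t urisz)
{
    const unsigned char *p = pkt, *end;
    size_t n = 0;
    if (!pkt || !type || !state || !uri || urisz == 0) return -1;
    end = pkt + len;                      /* hard bound for every read below */
    if (!(p = hex_field(p, end, type))) return -1;
    if (!(p = hex_field(p, end, state))) return -1;
    while (p < end && *p == ' ') p++;
    while (p + n < end && p[n] != ' ' && p[n] != '\0' && p[n] != '\n') n++;
    if (n == 0 || n >= urisz) return -1;  /* empty URI, or it would not fit */
    memcpy(uri, p, n);
    uri[n] = '\0';
    return 0;
}

int main(void)
{
    const char sample[] = "6 3 ipp://host/printers/p1 \"lab\""; /* constructed input */
    unsigned type, state;
    char uri[64];
    return parse_browse_packet((const unsigned char *)sample, strlen(sample),
                               &type, &state, uri, sizeof(uri));
}
```

Pass the byte count returned by the receive call as `len`; a packet that ends mid-field is rejected rather than parsed into whatever follows it in the buffer.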
All supported Fedora versions are already updated to upstream version 1.0.53 or later and hence are no longer affected by this issue.
IssueDescription: An out-of-bounds read flaw was found in the way the process_browse_data() function of cups-browsed handled certain browse packets. A remote attacker could send a specially crafted browse packet that, when processed by cups-browsed, would crash the cups-browsed daemon.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1795 https://rhn.redhat.com/errata/RHSA-2014-1795.html