Bug 1199130 (CVE-2015-2265) - CVE-2015-2265 cups-filters: remote command execution in remove_bad_chars() (incomplete fix for CVE-2014-2707)
Summary: CVE-2015-2265 cups-filters: remote command execution in remove_bad_chars() (i...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-2265
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1199132
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-03-05 13:53 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:33 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-05-28 10:20:37 UTC
Embargoed:

Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-03-05 13:53:01 UTC 
It was reported [1] that cups-browsed fails to properly sanitise data from the network when creating IPP printer scripts.
As a result, an attacker can remotely create a script containing arbitrary commands, which will be executed as the "lp" user when the associated printer is used.

This is the same vulnerability reported as CVE-2014-2707 but the existing fixes rely on a string sanitisation function remove_bad_chars() which is not effective.

Details:

The remove_bad_chars() function in utils/cups-browsed.c uses the "j" variable as the index of the character to replace in the string to be sanitised.
Consecutive bad characters cause "j" to be decremented, so can result in the bad character remaining unaffected.

The variables sanitised by remove_bad_chars() include the "pdl" field from an avahi broadcast packet. This is used to create a shell script:
"""
    snprintf(buffer, sizeof(buffer),
             "#!/bin/sh\n"
             "# System V interface script for printer %s generated by cups-browsed\n"
             "\n"
             "if [ $# -lt 5 -o $# -gt 6 ]; then\n"
             "  echo \"ERROR: $0 job-id user title copies options [file]\" >&2\n"
             "  exit 1\n"
             "fi\n"
             "\n"
             "# Read from given file\n"
             "if [ -n \"$6\" ]; then\n"
             "  exec \"$0\" \"$1\" \"$2\" \"$3\" \"$4\" \"$5\" < \"$6\"\n"
             "fi\n"
             "\n"
             "extra_options=\"output-format=%s make-and-model=%s\"\n"
             "\n"
             "%s/filter/pdftoippprinter \"$1\" \"$2\" \"$3\" \"$4\" \"$5 $extra_options\"\n",
             p->name, pdl, make_model, cups_serverbin);
"""

The above shell script is then passed to the CUPS server.

To be vulnerable, a remote host must have the "CreateIPPPrinterQueues Yes" directive in /etc/cups/cups-browsed.conf. That setting is not enabled in RHEL7 by default.
Upstream commit:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7333

[1]: https://bugs.linuxfoundation.org/show_bug.cgi?id=1265
Comment 1 Vasyl Kaigorodov 2015-03-05 13:53:34 UTC 
Created cups-filters tracking bugs for this issue:

Affects: fedora-all [bug 1199132]
Comment 2 Vasyl Kaigorodov 2015-03-05 13:54:45 UTC 
According to https://bugzilla.redhat.com/show_bug.cgi?id=1083326#c4, RHEL-7 is not vulnerable to this issue.

Statement:

Not vulnerable. This issue did not affect the versions of cups-filters as shipped with Red Hat Enterprise Linux 7.
Comment 3 Fedora Update System 2015-03-13 17:12:07 UTC 
cups-filters-1.0.66-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-03-13 17:13:06 UTC 
cups-filters-1.0.66-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2015-03-13 17:16:03 UTC 
cups-filters-1.0.53-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.