This flaw was fixed upstream back in 2010, without much attention being given to its possible security implications. It is a remote buffer overflow with the possibility of executing arbitrary code, with only a few restrictions, such as having the cups service open to the network and a particular kind of filter in use. Analysis by Engineering shows that only RHEL-6 contains the affected code, so RHEL-5, RHEL-7 and Fedora are not affected. We are giving this flaw a Moderate rating, despite the 7.7 CVSSv2 score, as cups is not usually configured to be widely open to the network or the internet at large, and because it depends on a particular kind of filter being used.

References:
https://bugs.linuxfoundation.org/show_bug.cgi?id=515
The simplified code looks a bit like:

>static void unhtmlify(char *dest, size_t size, const char *src)
>{
>  char *pdest = dest;
>  const char *psrc = src;
>  const char *repl;
>
>  while (*psrc && pdest - dest < size) {
>    /* ... entity lookup that sets repl (elided in this simplification) ... */
>    if (repl) {
>      strncpy(pdest, repl, size - (pdest - dest));
>      pdest += strlen(repl);
>      psrc = strchr(psrc, ';') + 1;
>    }
>  }
>  *pdest = '\0';
>}

The size calculation and the loop condition seem to have an off-by-one-ish problem, but I didn't investigate that; the patch would fix it and there's a bigger problem than a potential off-by-one:

>      strncpy(pdest, repl, size - (pdest - dest));
>      pdest += strlen(repl);

We increase pdest by the length of the source string, not taking the remaining space of pdest/dest into account. This could catapult pdest beyond the "dest" boundaries, leading to an out-of-bounds write when reaching the *pdest = '\0'; part.

So, the mechanic at hand is essentially "write a 0 byte at a semi-controlled OOB location on the heap". That's fairly limited but might just be crazy enough to gain code execution.
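The mechanic described in the comment above, as an added C example. This is my illustration, not the foomatic-filters source and not the upstream patch: unhtmlify_vuln() keeps the bounded strncpy() but unbounded pdest advance, unhtmlify_fixed() is a hardened rewrite that advances only by what it copied and truncates, and demo_overrun() hands the vulnerable routine a 16-byte "logical" buffer that is really followed by 64 guard bytes we own, so the stray NUL lands somewhere we can inspect rather than in a real heap neighbour. The entity table and the fixed "&date;" expansion in lookup_entity() are constructed stand-ins (the real filter substitutes the current date); the input strings are constructed too.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the entity table (not the real one). psrc points
 * just past the '&'. "&date;" gets a deliberately long, fixed expansion here. */
static const char *lookup_entity(const char *psrc)
{
    static const struct { const char *name; const char *repl; } tab[] = {
        { "lt;",   "<" },
        { "gt;",   ">" },
        { "amp;",  "&" },
        { "date;", "1970-01-01 00:00:00 UTC" },
    };
    size_t i;
    for (i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strncmp(psrc, tab[i].name, strlen(tab[i].name)) == 0)
            return tab[i].repl;
    return NULL;
}

/* Vulnerable shape of the routine: the copy is bounded by the remaining room,
 * the advance of pdest is not, so the final NUL can land past dest + size.
 * Returns the offset (pdest - dest) at which that NUL was written. */
static long unhtmlify_vuln(char *dest, size_t size, const char *src)
{
    char *pdest = dest;
    const char *psrc = src;
    const char *repl;

    while (*psrc && (size_t)(pdest - dest) < size) {
        if (*psrc == '&' && (repl = lookup_entity(psrc + 1)) != NULL) {
            strncpy(pdest, repl, size - (size_t)(pdest - dest));
            pdest += strlen(repl);             /* unbounded advance */
            psrc = strchr(psrc, ';') + 1;
        } else {
            *pdest++ = *psrc++;
        }
    }
    *pdest = '\0';                             /* OOB once pdest > dest + size - 1 */
    return (long)(pdest - dest);
}

/* Hardened rewrite (added here, not the upstream fix): counts bytes used,
 * advances only by what was copied, always reserves a byte for the NUL and
 * truncates an expansion that does not fit. Returns bytes written before the
 * NUL, or -1 if size == 0. */
static long unhtmlify_fixed(char *dest, size_t size, const char *src)
{
    size_t used = 0;

    if (size == 0)
        return -1;
    while (*src && used < size - 1) {
        const char *repl;
        if (*src == '&' && (repl = lookup_entity(src + 1)) != NULL) {
            size_t n = strlen(repl);
            size_t room = size - 1 - used;
            if (n > room)
                n = room;                      /* truncate, never overrun */
            memcpy(dest + used, repl, n);
            used += n;                         /* advance by what was copied */
            src = strchr(src, ';') + 1;
        } else {
            dest[used++] = *src++;
        }
    }
    dest[used] = '\0';
    return (long)used;
}

#define LOGICAL 16   /* size the vulnerable routine is told it has */
#define GUARD   64   /* constructed guard region so the OOB NUL is observable */

/* Constructed demo: 14 plain bytes leave 2 bytes of room; the 23-byte "&date;"
 * expansion is copied truncated but pdest is advanced by all 23. Returns the
 * offset at which the NUL landed (>= LOGICAL means overrun), -1 on surprise. */
static long demo_overrun(void)
{
    char buf[LOGICAL + GUARD];
    long off;

    memset(buf, 'A', sizeof buf);
    off = unhtmlify_vuln(buf, LOGICAL, "xxxxxxxxxxxxxx&date;");
    if (off < 0 || off >= (long)sizeof buf || buf[off] != '\0')
        return -1;
    return off;
}

int main(void)
{
    char out[LOGICAL];
    long off = demo_overrun();

    printf("vulnerable: NUL written at dest[%ld] (buffer was %d bytes)\n", off, LOGICAL);
    unhtmlify_fixed(out, sizeof out, "xxxxxxxxxxxxxx&date;");
    printf("fixed:      \"%s\"\n", out);
    return 0;
}
```

With the constructed input the vulnerable routine writes its terminator at dest[37] of a 16-byte buffer: the attacker controls the offset through the number of ordinary bytes before the entity and which entity is used, which is the "semi-controlled OOB zero byte" the comment describes. The hardened version returns 15 and yields "xxxxxxxxxxxxxx1" in the same 16 bytes.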
CVE request: http://www.openwall.com/lists/oss-security/2016/02/15/1
This was assigned CVE-2010-5325 via http://www.openwall.com/lists/oss-security/2016/02/15/7
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2016:0491 https://rhn.redhat.com/errata/RHSA-2016-0491.html