Part of djb series In hpgl-input.c, ParseCommand() reads any number of bytes into a 262144-byte buf[] array. http://tigger.uic.edu/~jlongs2/holes/cups.txt First, lppasswd blithely ignores write errors in fputs(line,outfile) at lines 311 and 315 of lppasswd.c, and in fprintf(...) at line 346. An attacker who fills up the disk at the right moment can arrange for /usr/local/etc/cups/passwd to be truncated. Second, if lppasswd bumps into a file-size resource limit while writing passwd.new, it leaves passwd.new in place, disabling all subsequent invocations of lppasswd. Any local user can thus disable lppasswd by running the attached program 63.c. Third, line 306 of lppasswd.c prints an error message to stderr but does not exit. This is not a problem on systems that ensure that file descriptors 0, 1, and 2 are open for setuid programs, but it is a problem on other systems; lppasswd does not check that passwd.new is different from stderr, so it ends up writing a user-controlled error message to passwd if the user closes file descriptor 2. http://tigger.uic.edu/~jlongs2/holes/cups2.txt
This issue also affects FC2
CUPS STRs: http://www.cups.org/str.php?L1023 [I've attached a patch for that] http://www.cups.org/str.php?L1024 [no patch yet]
https://www.redhat.com/archives/fedora-announce-list/2004-December/msg00079.html https://www.redhat.com/archives/fedora-announce-list/2004-December/msg00080.html