Bug 152782 - CAN-2004-0558 - CUPS denial of service
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request
Severity: medium
Assigned To: Fedora Legacy Bugs
http://cve.mitre.org/cgi-bin/cvename....
1, LEGACY, rh90
 
Reported: 2004-09-15 15:26 EDT by Marc Deslauriers
Modified: 2008-05-01 11:38 EDT (History)

Description David Lawrence 2005-03-30 18:27:17 EST
Alvaro Martinez Echevarria reported a bug in the CUPS Internet Printing
Protocol (IPP) implementation in versions of CUPS prior to 1.1.21. An
attacker could send a carefully crafted UDP packet to the IPP port which
could cause CUPS to stop listening to the port and result in a denial of
service. In order to exploit this bug, an attacker would need to have the
ability to send a UDP packet to the IPP port (by default 631). The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2004-0558 to this issue.

See:

https://rhn.redhat.com/errata/RHSA-2004-449.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-17 13:20:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for rh9:

Changelog:
* Fri Sep 17 2004 Marc Deslauriers <marcdeslauriers@videotron.ca>
1.1.17-13.3.0.4.legacy
- - Apply patch to fix CAN-2004-0558

1be0349bb0063b09b792e998bbcfe0fecba0e835  cups-1.1.17-13.3.0.4.legacy.i386.rpm
7360d83696a183cb255eba91a57917fcadea0703  cups-1.1.17-13.3.0.4.legacy.src.rpm
f63c4c30850b347a15f38b3f0a184558de4ecee1  cups-devel-1.1.17-13.3.0.4.legacy.i386.rpm
8e581f6710e5c39693979981d08728d6fe7438d4  cups-libs-1.1.17-13.3.0.4.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/cups-1.1.17-13.3.0.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cups-1.1.17-13.3.0.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cups-devel-1.1.17-13.3.0.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cups-libs-1.1.17-13.3.0.4.legacy.i386.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBS3FTLMAs/0C4zNoRAlmFAKC2Pi17wmNpsqLmyCvVvBUKrZKuTgCgwBiN
QBaYX0jWP39Q73yhG82kIMw=
=lDKm
-----END PGP SIGNATURE-----




------- Additional Comments From twaugh@redhat.com 2004-09-28 05:03:15 ----

A Fedora Core 1 package is here:

ftp://people.redhat.com/twaugh/legacy/2072/



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-09-28 05:51:37 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on tim's cups-1.1.19-13.1.src.rpm for FC1
(b625963a5dd2ba5bd9f5576a2301d417cc0ce8be):
 
- - spec file looks good, but what about legacy in the version?
- - sources are the same as cups-1.1.19-13, with patch for CAN-2004-0558
- - patch looks good
- - builds ok
- - installs ok
- - runs ok
 
tim did not include legacy in his version, so i rebuilt with one. if
these are needed they are available from:
  
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/
 
* Tue Sep 28 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1:1.1.19-13.1.legacy
- - added legacy tag and rebuilt
  
* Mon Aug 23 2004 Tim Waugh <twaugh@redhat.com> 1:1.1.19-13.1
- - Add version to LPRng obsoletes: tag.
- - Apply patch to fix CAN-2004-0558 (bug #130646).
 
 
8f1773828fd0c8097abb516252d469340afbe7d9  cups-1.1.19-13.1.legacy.src.rpm
c6760ef57b8b6cca152f511e00a6826484a1fda8  cups-1.1.19-13.1.legacy.i386.rpm
6f06b48ef1c2a5f1ecbf9f0ee171c262b24de943  cups-debuginfo-1.1.19-13.1.legacy.i386.rpm
39fb75e909ea0698821e6907f3e09c05e5f13c0d  cups-devel-1.1.19-13.1.legacy.i386.rpm
9adff3742baa9756c61e0eed9f338650cc8bae39  cups-libs-1.1.19-13.1.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBWYhCtU2XAt1OWnsRApnwAKC5ZtxPOBY7pxoxogoSweBWqrKEFACfRxiJ
feXBuBfls7p7SNsy1hptQXg=
=XXje
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-28 08:04:18 ----

Thanks for the packages Tim!



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-28 09:13:20 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on Tim's package also:

b625963a5dd2ba5bd9f5576a2301d417cc0ce8be cups-1.1.19-13.1.src.rpm

- - Source files are identical to previous release
- - Patch file looks good
- - Spec file looks good
- - Builds, installs and runs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBWbfvLMAs/0C4zNoRAv+hAJsEsX/MaCddXMDSUESFC4P4Zsmb3gCgkoGk
VcBNPwYPFPNUERfH86H0XdY=
=QfRA
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom@netikka.fi 2004-09-28 11:00:47 ----

I did a QA on RH 9 cups packages in comment 9.

sha1sum is ok.
Installs ok.
Basic testing and it seems to work ok, printer queues are ok just like they
were defined before the update.
Patch looks ok.
Spec file looks ok.

PUBLISH+





------- Additional Comments From dom@earth.li 2004-09-28 11:35:57 ----

Johnny,

Could you sign your QAs and include the sha1sums of the packages concerned?

Thanks!



------- Additional Comments From mule@umich.edu 2004-09-29 17:14:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
1be0349bb0063b09b792e998bbcfe0fecba0e835  cups-1.1.17-13.3.0.4.legacy.i386.rpm
7360d83696a183cb255eba91a57917fcadea0703  cups-1.1.17-13.3.0.4.legacy.src.rpm
f63c4c30850b347a15f38b3f0a184558de4ecee1  cups-devel-1.1.17-13.3.0.4.legacy.i386.rpm
8e581f6710e5c39693979981d08728d6fe7438d4  cups-libs-1.1.17-13.3.0.4.legacy.i386.rpm
 
For Red Hat 9:
 
* Checked spec file - OK
* Check patch for CAN-2004-0558 - OK
* Build from source - OK
* Installs - OK
* Runs - OK
 
PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBW3nxTsaUa9pp4VIRArrQAKCyiAvSTLLB0KOtiW8cPPp4exHQrQCg8AqJ
OLurzXQVQZrsQFjK/phdS3s=
=Yol1
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-01 13:42:53 ----

pushed to updates-testing



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-03 04:36:47 ----

Rebuilt to get stripped binaries. New version will appear in updates-testing at
next sync.



------- Additional Comments From sheltren@cs.ucsb.edu 2004-10-07 06:40:15 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verifying packages for RH9:

dc9e67863c6ed358eca94f36f04c2549be49bee7  cups-1.1.17-13.3.0.6.legacy.i386.rpm
fc7fd1c2c7ad79e2c419b5440e6b0e0a88b2e276  cups-devel-1.1.17-13.3.0.6.legacy.i386.rpm
39f6b741f82f6e566351d15f7ec384f0cde9a17e  cups-libs-1.1.17-13.3.0.6.legacy.i386.rpm

Signatures are OK
Packages install OK
Was able to add a new print queue and print OK

VERIFY++ 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBZXE5Ke7MLJjUbNMRApcSAJ4r++raupb8lZEWyniv79G1WC6FXACfc4oj
cbktMEz41YsBEz+0rgmmflU=
=Xjvh
-----END PGP SIGNATURE-----



------- Additional Comments From sheltren@cs.ucsb.edu 2004-10-15 08:09:08 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Since nobody else has gotten to it, here's my verify for FC1 packages:

e7684dfcd7142714848be20e318e5c58aed2b481  cups-1.1.19-13.2.legacy.i386.rpm
8dbb4ea34d20de5b70e1672e60794fcfe5021f4b  cups-devel-1.1.19-13.2.legacy.i386.rpm
369439d5c253a361ffd64f892efc448c62d54e94  cups-libs-1.1.19-13.2.legacy.i386.rpm

Signatures are OK
Packages install OK
Was able to add a new print queue and print OK

VERIFY++ 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD4DBQFBcBHtKe7MLJjUbNMRAvKLAJYhIzq2YGvJPDsD7TE7aR2+S4prAKCbrQos
/fzgVY11TtmK+Uek/xGSpA==
=obLQ
-----END PGP SIGNATURE-----



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-16 08:11:47 ----

These packages were pushed to official updates.
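
Added example (not part of the original thread or the Fedora Legacy tooling): the fixed packages above stay at 1.1.17 and 1.1.19, below the upstream fix in 1.1.21, so a version comparison alone would misreport them as affected. The sketch below also checks the package changelog for the CAN/CVE name; the function names and status strings are hypothetical, the sample changelogs are constructed after the entries quoted in this bug, and GNU `sort -V` is assumed.

```shell
#!/bin/sh
# Added example: decide whether a CUPS package carries the CAN-2004-0558 fix.
# Upstream fixed the issue in 1.1.21; the legacy packages keep their old
# version and carry a backported patch, recorded only in the changelog.

FIXED_UPSTREAM="1.1.21"

# version_ge A B: succeeds when version A >= version B (GNU sort -V assumed).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# cups_fix_status VERSION CHANGELOG_TEXT
# Prints one of: fixed-upstream, fixed-backport, no-fix-recorded
cups_fix_status() {
    if version_ge "$1" "$FIXED_UPSTREAM"; then
        echo "fixed-upstream"
    # CAN- candidate names were later renamed CVE-, so accept both spellings.
    elif printf '%s\n' "$2" | grep -Eq 'C(AN|VE)-2004-0558'; then
        echo "fixed-backport"
    else
        echo "no-fix-recorded"
    fi
}

# Constructed sample changelogs (the first follows the entry quoted above).
SAMPLE_PATCHED='* Fri Sep 17 2004 Marc Deslauriers 1.1.17-13.3.0.4.legacy
- Apply patch to fix CAN-2004-0558'
SAMPLE_OLD='* Mon Jan 05 2004 Example Packager 1.1.17-13
- Constructed entry with no security fix'

echo "patched sample:   $(cups_fix_status 1.1.17 "$SAMPLE_PATCHED")"
echo "unpatched sample: $(cups_fix_status 1.1.17 "$SAMPLE_OLD")"

# On a live RPM system, feed it the installed package's data:
#   cups_fix_status "$(rpm -q --qf '%{VERSION}' cups)" \
#                   "$(rpm -q --changelog cups)"
```

A `no-fix-recorded` result means only that the changelog does not mention the fix; it is a prompt to inspect the package's patches, not proof that the package is vulnerable.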



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:27 -------

This bug previously known as bug 2072 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2072
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

