CUPS before version 2.2.6 has a vulnerability in the handling of usernames in the scheduler/ipp.c:add_job() function. A remote attacker could exploit this by submitting a print job with an invalid UTF-8 username to cause a crash and subsequent denial of service.

External References:
https://security.cucumberlinux.com/security/details.php?id=346

Upstream Issue:
https://github.com/apple/cups/issues/5143

Upstream Patch:
https://github.com/apple/cups/commit/49fa4983f25b64ec29d548ffa3b9782426007df3
Created cups tracking bugs for this issue: Affects: fedora-all [bug 1561298]
I've tried to reproduce this, but so far I don't get the crash. I presume that this is because we don't have asserts enabled in our dbus. The only problem is that even when using a custom dbus with asserts enabled, I still don't see a crash.
In reply to comment 3:
> I've tried to reproduce this, but so far I don't get the crash. I presume
> that this is because we don't have asserts enabled in our dbus. The only
> problem is that even when using a custom dbus with asserts enabled, I still
> don't see a crash.

I do get a crash now, my testing was flawed. Unfortunately, the upstream patch requires 1.7 API in order to have the attribute validation functions, which we don't have in RHEL7.

It's also worth noting that the original issues caused quite a few additional upstream changes, for example https://github.com/apple/cups/issues/5186 https://github.com/apple/cups/issues/5229. Maybe we can use a method similar to the cups-dbus-utf8.patch for bug 863387, but more generalized.