From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050909 Red Hat/1.0.6-1.4.2 Firefox/1.0.6

Description of problem:
Connecting to the CUPS daemon on port 631 and sending an HTTP request "GET /..\.." will cause the daemon to enter a tight loop and eat up all available CPU.

Version-Release number of selected component (if applicable):
cups-1.1.22-0.rc1.9.7

How reproducible:
Always

Steps to Reproduce:
1. telnet example.com 631
2. type "GET /..\.." followed by enter twice
3. denial of service

Actual Results:
denial of service, cups daemon eating up 100% CPU

Expected Results:
graceful handling of malformed HTTP request

Additional info:
Security Tracker advisory: http://securitytracker.com/id?1012811
Exploit: http://www.securiteam.com/exploits/5WP021PGUW.html
CUPS Release Notes from fixed version: http://www.cups.org/relnotes.php#010123
CUPS bug: http://www.cups.org/str.php?L1042+P0+S-1+C0+I0+E0+Q1042

This bug is fixed in CVS, and in the 1.1.23 release of CUPS.

OSVDB advisory: http://www.osvdb.org/12834
NVE Advisory: http://nvd.nist.gov/nvd.cfm?cvename=CAN-2005-2874 (contains inaccurate information, will update via US-CERT/NVE tomorrow morning)

Correct affected version info:
* Easy Software Products CUPS 1.1.21
* Easy Software Products CUPS 1.1.22x
* Easy Software Products CUPS 1.1.23rc1

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-772.html