Bug 2214914 (CVE-2023-34241) - CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
Summary: CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
Keywords:
Status: NEW
Alias: CVE-2023-34241
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2214915 2214917 2216717 2216718
Blocks: 2214604
Reported: 2023-06-14 04:51 UTC by Sandipan Roy
Modified: 2023-07-07 08:33 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in CUPS. This issue occurs because data from freed memory is logged to the logging service AFTER the connection has been closed, when it should have been logged immediately before the connection closed, resulting in a use-after-free in cupsdAcceptClient() in scheduler/client.c.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Sandipan Roy 2023-06-14 04:51:21 UTC
The exact cause of this issue is the function httpClose(con->http) being called in scheduler/client.c before |httpClose(con->http); cupsdLogClient(con, CUPSD_LOG_WARN, "IP lookup failed - connection from %s closed!", httpGetHostname(con->http, NULL, 0));|

The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname.
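
The close-then-log ordering described above, next to the log-then-close ordering, as an added example that is not part of the original report and is not CUPS code. All types and functions here (conn_http_t, client_t, http_open, http_close, http_hostname, log_client, reject_client_*) are simplified, hypothetical stand-ins; clearing the pointer after the close is an extra hardening idiom assumed for this example, and the address is a constructed sample.

```c
/* Added illustration with simplified stand-ins; not the CUPS sources. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char hostname[64]; } conn_http_t;  /* stand-in for the HTTP object */
typedef struct { conn_http_t *http; } client_t;     /* stand-in for the client record */
static char last_log[128];                          /* last captured log line */

static conn_http_t *http_open(const char *host) {
  conn_http_t *h = calloc(1, sizeof(*h));
  if (h) snprintf(h->hostname, sizeof(h->hostname), "%s", host);
  return h;
}

/* Like the httpClose() described in the report: frees a non-NULL argument. */
static void http_close(conn_http_t *h) { free(h); }

static const char *http_hostname(const conn_http_t *h) {
  return h ? h->hostname : "(closed)";
}

static void log_client(const char *host) {
  snprintf(last_log, sizeof(last_log),
           "IP lookup failed - connection from %s closed!", host);
}

#ifdef BUILD_VULNERABLE_VARIANT
/* Ordering from the report: the object is freed first, then the log call
 * reads the hostname through the dangling con->http (use-after-free). */
void reject_client_vulnerable(client_t *con) {
  http_close(con->http);
  log_client(http_hostname(con->http));
}
#endif

/* Corrected ordering: log while the object is still alive, then close and
 * clear the pointer so any later use sees NULL, not freed memory. */
const char *reject_client_fixed(client_t *con) {
  log_client(http_hostname(con->http));
  http_close(con->http);
  con->http = NULL;
  return last_log;
}

int main(void) {
  client_t con = { http_open("198.51.100.7") };     /* constructed sample */
  puts(reject_client_fixed(&con));
  return con.http == NULL ? 0 : 1;
}
```

Building the vulnerable variant with -DBUILD_VULNERABLE_VARIANT -fsanitize=address and calling it makes AddressSanitizer report the read of freed memory at the log call, which is a quick way to confirm this class of ordering bug in a test build.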

Comment 3 Sandipan Roy 2023-06-22 11:06:45 UTC
Created cups tracking bugs for this issue:

Affects: fedora-37 [bug 2216717]
Affects: fedora-38 [bug 2216718]

