Red Hat Bugzilla – Bug 415131
CVE-2007-5849 CUPS SNMP backend buffer overflow
Last modified: 2008-01-09 07:57:46 EST
Wei Wang of McAfee AVERT Research discovered a buffer overflow flaw in the SNMP
backend of CUPS. It may be possible for a remote attacker to send a specially
crafted SNMP packet that would allow for the execution of arbitrary code as the
In theory this should only affect FC and RHEL5. Can you verify this does indeed
not affect RHEL. I know the advisory claims it's 1.2.0+, but it's always
wise to check ourselves.
Created attachment 280721
Correct supplied patch
280361 was the wrong patch
According to opengrok the vulnerable code is only in cups in RHEL5.
It's probably caught by fortify_source too, needs investigation.
I don't believe this is a security issue. If it is, it's likely a low severity
flaw. This is partly due to CUPS being built with stack-protector support.
It's only possible to trigger this flaw when an administrator triggers an event
to launch the SNMP backend program. This is a helper program which will not
affect cupsd if it misbehaves.
The flaw in question can be triggered by a malformed SNMP packet that will
trigger a stack overflow in the SNMP helper. stack-protector will prevent this
exploit from causing anything but a crash in the SNMP helper, so the only
possible potential for exploitation here is preventing the administrator from
using the SNMP auto discovery feature of CUPS.
I agree with Josh's analysis.
To confirm: the snmp backend is not present in RHEL releases earlier than 5, so
only 5 is vulnerable to this. Since we build cups with stack-protector support
this is at worst a denial of service for the "discover remote SNMP printers"
functionality, which is an administrator-triggered event.
now public, opening bug
Issue was addressed in upstream version 1.3.5.
Fixed upstream version is already in Fedora rawhide and Fedora 8 testing repository.