Bug 415131 - (CVE-2007-5849) CVE-2007-5849 CUPS SNMP backend buffer overflow
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=none,source=vendorsec,reported...
Keywords: Security
Reported: 2007-12-06 20:15 EST by Josh Bressers
Modified: 2008-01-09 07:57 EST
Last Closed: 2008-01-09 07:57:46 EST
Doc Type: Bug Fix

Attachments
Correct supplied patch (935 bytes, patch)
2007-12-07 01:31 EST, Mark J. Cox (Product Security)

Description Josh Bressers 2007-12-06 20:15:28 EST
Wei Wang of McAfee AVERT Research discovered a buffer overflow flaw in the SNMP
backend of CUPS.  It may be possible for a remote attacker to send a specially
crafted SNMP packet that would allow for the execution of arbitrary code as the
cupsd user.
Comment 4 Josh Bressers 2007-12-06 20:22:36 EST
Tim,

In theory this should only affect FC and RHEL5.  Can you verify this does indeed
not affect RHEL[34]?  I know the advisory claims it's 1.2.0+, but it's always
wise to check ourselves.
Comment 5 Mark J. Cox (Product Security) 2007-12-07 01:31:34 EST
Created attachment 280721 [details]
Correct supplied patch

280361 was the wrong patch
Comment 6 Mark J. Cox (Product Security) 2007-12-07 01:33:37 EST
According to opengrok the vulnerable code is only in cups in rhel5.
It's probably caught by fortify_source too, needs investigation.
Comment 8 Josh Bressers 2007-12-07 14:42:42 EST
I don't believe this is a security issue.  If it is, it's likely a low severity
flaw.  This is partly due to CUPS being built with stack-protector support.

It's only possible to trigger this flaw when an administrator triggers an event
to launch the SNMP backend program.  This is a helper program which will not
affect cupsd if it misbehaves.

The flaw in question can be triggered by a malformed SNMP packet that will
trigger a stack overflow in the SNMP helper.  stack-protector will prevent this
exploit from causing anything but a crash in the SNMP helper, so the only
possible potential for exploitation here is preventing the administrator from
using the SNMP auto discovery feature of CUPS.
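The bug class Josh describes above (a length taken from a malformed SNMP packet driving a copy into a fixed-size stack buffer, with stack-protector turning the result into a crash rather than code execution) is illustrated below as an added example. It is constructed for this page and is not the CUPS SNMP backend's code, the attached patch, or a reproduction of the actual flaw; the function names, the 64-byte `STRBUF_SIZE` destination, and the three sample packets are all assumptions made for the illustration. SNMP responses are BER-encoded, so every string value arrives as tag, length, value, and the length byte is entirely attacker-controlled; the unchecked copy trusts it, the hardened copy bounds it by both the bytes actually present and the destination size.

```c
/*
 * Constructed illustration of a BER-length-driven stack overflow and its fix.
 * Not CUPS code: names, buffer size and packets are assumptions for this page.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STRBUF_SIZE 64   /* assumed fixed-size stack buffer for a string value */

/* Decode a BER length starting at p[0]. Short form is one byte (0..127);
 * long form is 0x80|N followed by N big-endian length bytes.
 * Returns the number of length bytes consumed, or 0 if malformed. */
static size_t ber_length(const uint8_t *p, size_t avail, size_t *len_out)
{
    if (avail < 1)
        return 0;
    if (p[0] < 0x80) {
        *len_out = p[0];
        return 1;
    }
    size_t nbytes = p[0] & 0x7f;   /* 0x80 alone (indefinite form) is rejected */
    if (nbytes == 0 || nbytes > sizeof(size_t) || avail < 1 + nbytes)
        return 0;
    size_t len = 0;
    for (size_t i = 0; i < nbytes; i++)
        len = (len << 8) | p[1 + i];
    *len_out = len;
    return 1 + nbytes;
}

/* Vulnerable pattern: the encoded length is trusted, so a value longer than
 * dst overwrites the stack. With -fstack-protector the canary check aborts
 * the process instead of returning. Never call this on untrusted input. */
int octet_string_unchecked(const uint8_t *pkt, size_t pktlen, char *dst)
{
    size_t len, n;
    if (pktlen < 2 || pkt[0] != 0x04)        /* 0x04 = OCTET STRING tag */
        return -1;
    n = ber_length(pkt + 1, pktlen - 1, &len);
    if (n == 0)
        return -1;
    memcpy(dst, pkt + 1 + n, len);           /* BUG: len not bounded by dst */
    dst[len] = '\0';
    return (int)len;
}

/* Hardened: the value must fit in what the packet carries and in dst
 * (leaving a byte for the terminator). Returns the copied length or -1. */
int octet_string_checked(const uint8_t *pkt, size_t pktlen,
                         char *dst, size_t dstlen)
{
    size_t len, n;
    if (pktlen < 2 || pkt[0] != 0x04)
        return -1;
    n = ber_length(pkt + 1, pktlen - 1, &len);
    if (n == 0)
        return -1;
    if (len > pktlen - 1 - n)                /* value runs past the packet end */
        return -1;
    if (len >= dstlen)                       /* value would overflow dst */
        return -1;
    memcpy(dst, pkt + 1 + n, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[]  = { 0x04, 0x05, 'H', 'P', 'L', 'J', '4' };
static const uint8_t short_pkt[] = { 0x04, 0x05, 'H', 'P', 'L' }; /* claims 5, has 3 */

int demo_good(char *dst, size_t dstlen)
{
    return octet_string_checked(good_pkt, sizeof good_pkt, dst, dstlen);
}

int demo_truncated(void)
{
    char dst[STRBUF_SIZE];
    return octet_string_checked(short_pkt, sizeof short_pkt, dst, sizeof dst);
}

int demo_oversized(void)
{
    /* tag 0x04, long-form length 0x82 0x01 0x00 (= 256), then 256 bytes of 'A' */
    uint8_t pkt[4 + 256];
    char dst[STRBUF_SIZE];
    pkt[0] = 0x04; pkt[1] = 0x82; pkt[2] = 0x01; pkt[3] = 0x00;
    memset(pkt + 4, 'A', 256);
    return octet_string_checked(pkt, sizeof pkt, dst, sizeof dst);
}

int main(void)
{
    char dst[STRBUF_SIZE];
    printf("well-formed: %d (\"%s\")\n", demo_good(dst, sizeof dst), dst);
    printf("truncated:   %d\n", demo_truncated());
    printf("oversized:   %d\n", demo_oversized());
    return 0;
}
```

Feeding the 256-byte packet to `octet_string_unchecked` instead would smash the canary and, on a binary built with stack-protector, abort the helper as the thread describes rather than return to the caller; the checked version simply reports -1. To confirm a shipped backend was actually built that way, look for the canary failure symbol in its dynamic symbol table (for example `nm -D <binary> | grep __stack_chk_fail`).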
Comment 9 Tim Waugh 2007-12-10 10:48:36 EST
I agree with Josh's analysis.

To confirm: the snmp backend is not present in RHEL releases earlier than 5, so
only 5 is vulnerable to this.  Since we build cups with stack-protector support
this is at worst a denial of service for the "discover remote SNMP printers"
functionality, which is an administrator-triggered event.
Comment 10 Mark J. Cox (Product Security) 2007-12-31 18:01:22 EST
now public, opening bug
Comment 11 Tomas Hoger 2008-01-09 07:57:46 EST
Issue was addressed in upstream version 1.3.5.
  http://www.cups.org/articles.php?L519

Fixed upstream version is already in Fedora rawhide and Fedora 8 testing repository.
