Bug 415131 (CVE-2007-5849) - CVE-2007-5849 CUPS SNMP backend buffer overflow
Summary: CVE-2007-5849 CUPS SNMP backend buffer overflow
Alias: CVE-2007-5849
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Reported: 2007-12-07 01:15 UTC by Josh Bressers
Modified: 2021-11-12 19:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-01-09 12:57:46 UTC

Attachments
Correct supplied patch (935 bytes, patch)
2007-12-07 06:31 UTC, Mark J. Cox

Description Josh Bressers 2007-12-07 01:15:28 UTC
Wei Wang of McAfee AVERT Research discovered a buffer overflow flaw in the SNMP
backend of CUPS.  It may be possible for a remote attacker to send a specially
crafted SNMP packet that would allow for the execution of arbitrary code as the
cupsd user.

Comment 4 Josh Bressers 2007-12-07 01:22:36 UTC

In theory this should only affect FC and RHEL5.  Can you verify this does indeed
not affect RHEL[34]?  I know the advisory claims it's 1.2.0+, but it's always
wise to check ourselves.

Comment 5 Mark J. Cox 2007-12-07 06:31:34 UTC
Created attachment 280721 [details]
Correct supplied patch

280361 was the wrong patch

Comment 6 Mark J. Cox 2007-12-07 06:33:37 UTC
According to opengrok the vulnerable code is only in cups in rhel5.
It's probably caught by fortify_source too; needs investigation.

Comment 8 Josh Bressers 2007-12-07 19:42:42 UTC
I don't believe this is a security issue.  If it is, it's likely a low severity
flaw.  This is partly due to CUPS being built with stack-protector support.

It's only possible to trigger this flaw when an administrator triggers an event
to launch the SNMP backend program.  This is a helper program which will not
affect cupsd if it misbehaves.

The flaw in question can be triggered by a malformed SNMP packet that will
trigger a stack overflow in the SNMP helper.  stack-protector will prevent this
exploit from causing anything but a crash in the SNMP helper, so the only
possible potential for exploitation here is preventing the administrator from
using the SNMP auto discovery feature of CUPS.

Comment 9 Tim Waugh 2007-12-10 15:48:36 UTC
I agree with Josh's analysis.

To confirm: the snmp backend is not present in RHEL releases earlier than 5, so
only 5 is vulnerable to this.  Since we build cups with stack-protector support
this is at worst a denial of service for the "discover remote SNMP printers"
functionality, which is an administrator-triggered event.
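The comments above describe the flaw class (a malformed SNMP packet whose contents overrun a fixed stack buffer in the helper) and the mitigation that turns it into a crash (stack-protector). The added example below is not CUPS code, not the attached patch, and not Red Hat's analysis; it shows the length check a parser of SNMP's BER-encoded OCTET STRING fields needs so that an over-long or truncated field is rejected before any copy happens, rather than relying on the canary to abort afterwards. The `NAME_MAX` buffer size, the `parse_octet_string` function and the packet bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination, standing in for a stack buffer
 * that a discovery helper might use to hold a printer's name. */
#define NAME_MAX 32

/* Parse one BER OCTET STRING (tag 0x04, short-form length only) at the
 * start of pkt into dst as a NUL-terminated string.
 * Returns the payload length, or -1 if the field is malformed, claims more
 * bytes than the packet carries, or would not fit in dst. */
int parse_octet_string(const uint8_t *pkt, size_t pktlen,
                       char *dst, size_t dstlen)
{
    if (pktlen < 2 || pkt[0] != 0x04)
        return -1;                 /* wrong tag or truncated header */

    size_t len = pkt[1];
    if (len & 0x80)
        return -1;                 /* long-form length: not handled here */
    if (len > pktlen - 2)
        return -1;                 /* length exceeds the bytes actually present */
    if (len >= dstlen)
        return -1;                 /* would overflow dst (keep room for NUL) */

    memcpy(dst, pkt + 2, len);     /* safe: len < dstlen and len <= pktlen - 2 */
    dst[len] = '\0';
    return (int)len;
}

/* Constructed sample: a well-formed 5-byte OCTET STRING "HPLJ1". */
int demo_well_formed(void)
{
    char name[NAME_MAX];
    const uint8_t pkt[] = { 0x04, 0x05, 'H', 'P', 'L', 'J', '1' };
    int n = parse_octet_string(pkt, sizeof pkt, name, sizeof name);
    return (n == 5 && strcmp(name, "HPLJ1") == 0) ? n : -2;
}

/* Constructed sample: the length byte says 64 bytes and the packet really
 * carries them, but the destination holds only NAME_MAX. Expect -1. */
int demo_oversized(void)
{
    char name[NAME_MAX];
    uint8_t pkt[2 + 64];
    pkt[0] = 0x04;
    pkt[1] = 64;
    memset(pkt + 2, 'A', 64);
    return parse_octet_string(pkt, sizeof pkt, name, sizeof name);
}

/* Constructed sample: the length byte claims 16 bytes but only 2 follow,
 * so an unchecked copy would read past the packet. Expect -1. */
int demo_truncated(void)
{
    char name[NAME_MAX];
    const uint8_t pkt[] = { 0x04, 0x10, 'a', 'b' };
    return parse_octet_string(pkt, sizeof pkt, name, sizeof name);
}

int main(void)
{
    printf("well-formed: %d\n", demo_well_formed());
    printf("oversized:   %d\n", demo_oversized());
    printf("truncated:   %d\n", demo_truncated());
    return 0;
}
```

The two rejecting branches are the ones that matter for this bug class: the `len > pktlen - 2` test stops an over-read of the receive buffer, and the `len >= dstlen` test stops the stack overwrite that the page's comments say stack-protector would otherwise only convert into a helper crash.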

Comment 10 Mark J. Cox 2007-12-31 23:01:22 UTC
Now public, opening bug.

Comment 11 Tomas Hoger 2008-01-09 12:57:46 UTC
Issue was addressed in upstream version 1.3.5.

Fixed upstream version is already in Fedora rawhide and Fedora 8 testing repository.
