Bug 557775 (CVE-2010-0302) - CVE-2010-0302 cups Incomplete fix for CVE-2009-3553
Summary: CVE-2010-0302 cups Incomplete fix for CVE-2009-3553
Alias: CVE-2010-0302
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 557789 563326 563327
Reported: 2010-01-22 15:00 UTC by Tim Waugh
Modified: 2021-10-19 09:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 557789
Last Closed: 2021-10-19 09:10:21 UTC

Attachments
cups-CVE-2009-3553-incomplete-fix.patch (1.14 KB, patch)
2010-01-22 15:02 UTC, Tim Waugh

System ID | Priority | Status | Summary | Last Updated
CUPS Bugs and Features 3490 | - | - | - | Never
Red Hat Product Errata RHSA-2010:0129 | normal | SHIPPED_LIVE | Moderate: cups security update | 2010-03-03 17:40:04 UTC

Description Tim Waugh 2010-01-22 15:00:09 UTC
Description of problem:
CVE-2009-3553 (bug #530111) has not been completely fixed.

Version-Release number of selected component (if applicable):
Versions known to be affected:

cups-1.3.7-11.el5_4.5 (RHEL-5.4.z)
cups-1.3.7-16.el5     (RHEL-5)

Additional info:
The cause is that the cupsdDoSelect() function uses one of several implementations depending on the underlying select/poll capabilities of the operating system.  For kqueue and epoll implementations, cupsdRemoveSelect() does not immediately decrease the reference count for the file descriptor and instead adds it to the cupsd_inactive_fds array.  File descriptors in that array are finally dereferenced in cupsdStopSelect() (i.e. program termination).

In Red Hat Enterprise Linux, the epoll implementation is used.

The previous fix for CVE-2009-3553 was to check that another reference was held for the file descriptor before calling the write_cb function; however, that will always be the case for both the epoll and kqueue implementations.

The correct fix is to check whether the file descriptor is in the cupsd_inactive_fds array before calling the write_cb function.

Comment 1 Tim Waugh 2010-01-22 15:02:50 UTC
Created attachment 386167 [details]

Attached is a patch for RHEL-5.4.z.

Comment 2 Tim Waugh 2010-01-22 15:33:07 UTC
Small correction: file descriptors in the cupsd_inactive_fds array are finally dereferenced just before cupsdDoSelect() returns.
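
The reference-counting behaviour described in the report (and the timing corrected in comment 2), as an added model that is not CUPS source code. The record layout, the names model_remove_select/model_do_select/run_scenario (patterned on the cupsdRemoveSelect/cupsdDoSelect names in the report), the client_t stand-in and the GUARD_* enum are assumptions made for illustration. The model runs the same "client closes itself inside read_cb" scenario three ways: with the immediate release of the select/poll path, where the use > 1 guard from the first fix works; with the deferred release of the epoll/kqueue path, where that guard is always true and write_cb still runs on the closed client; and with the inactive-array check that the report identifies as the correct fix.

```c
/* Added model of the cupsd select loop described in the bug; NOT CUPS source.
 * Names, record layout and the client stand-in are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_INACTIVE 8

typedef struct model_fd {
  int  fd;
  int  use;                                    /* reference count on this record */
  void (*read_cb)(struct model_fd *, void *);
  void (*write_cb)(struct model_fd *, void *);
  void *data;                                  /* callback argument: the client */
} model_fd_t;

typedef struct { bool freed; } client_t;       /* stand-in for a client connection */

typedef enum {
  GUARD_USE_COUNT,      /* first CVE-2009-3553 fix: call write_cb only if use > 1 */
  GUARD_INACTIVE_ARRAY  /* CVE-2010-0302 fix: only if fd is not in the inactive array */
} guard_t;

static model_fd_t *inactive_fds[MAX_INACTIVE]; /* models cupsd_inactive_fds */
static int  num_inactive;
static bool deferred_release;                  /* true: epoll/kqueue path; false: select/poll */
static int  writes_on_freed_client;            /* the use-after-free the CVE describes */

static bool fd_is_inactive(const model_fd_t *p)
{
  for (int i = 0; i < num_inactive; i++)
    if (inactive_fds[i] == p)
      return true;
  return false;
}

static void release_fd(model_fd_t *p)
{
  p->use--;                                    /* cupsd frees the record when this hits 0 */
}

/* Models cupsdRemoveSelect(): epoll/kqueue defer the drop, select/poll do it now */
static void model_remove_select(model_fd_t *p)
{
  if (deferred_release)
    inactive_fds[num_inactive++] = p;          /* reference held until DoSelect returns */
  else
    release_fd(p);
}

/* read_cb that behaves like a client closing itself: unregister, then free */
static void close_client_cb(model_fd_t *p, void *data)
{
  model_remove_select(p);
  ((client_t *)data)->freed = true;            /* stands in for free(con) */
}

static void write_client_cb(model_fd_t *p, void *data)
{
  (void)p;
  if (((client_t *)data)->freed)
    writes_on_freed_client++;                  /* real cupsd would touch freed memory here */
}

/* Models one pass of cupsdDoSelect() for a fd flagged readable and writable (or HUP) */
static void model_do_select(model_fd_t *p, guard_t guard)
{
  p->use++;                                    /* retain_fd(): the loop's own reference */
  if (p->read_cb)
    p->read_cb(p, p->data);                    /* may close the client */
  /* use > 1 is always true when the drop was deferred; the array check is not fooled */
  bool may_write = (guard == GUARD_USE_COUNT) ? p->use > 1 : !fd_is_inactive(p);
  if (may_write && p->write_cb)
    p->write_cb(p, p->data);
  release_fd(p);
  for (int i = 0; i < num_inactive; i++)       /* deferred drops, just before returning */
    release_fd(inactive_fds[i]);
  num_inactive = 0;
}

/* Returns how many times write_cb ran against the already-closed client */
int run_scenario(bool epoll_like, guard_t guard)
{
  client_t   con = { false };
  model_fd_t rec = { 7, 1, close_client_cb, write_client_cb, &con }; /* use=1: table's ref */
  deferred_release = epoll_like;
  num_inactive = 0;
  writes_on_freed_client = 0;
  model_do_select(&rec, guard);
  return writes_on_freed_client;
}

int main(void)
{
  printf("select/poll + use-count guard: %d\n", run_scenario(false, GUARD_USE_COUNT));
  printf("epoll + use-count guard:       %d\n", run_scenario(true, GUARD_USE_COUNT));
  printf("epoll + inactive-array guard:  %d\n", run_scenario(true, GUARD_INACTIVE_ARRAY));
  return 0;
}
```

The second line of output is the incomplete fix: the record's count is still 2 after read_cb because the removal was only queued, so write_cb is invoked with a pointer to a connection that has already been torn down. The inactive-array check sees the queued removal and skips write_cb, which is the behaviour the attached patch restores.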

Comment 3 Vincent Danen 2010-01-27 04:40:51 UTC
Hi Tim.  Was this incorrect fix provided by upstream, or did we come up with the fix and neglect to deal with the kqueue and epoll implementations?  In other words, is this a Red Hat-only issue, or do we need to alert other vendors and is upstream aware of the incomplete fix?

We'll need to get a new CVE name for this, regardless.  Thanks for the clarification.

Comment 4 Tim Waugh 2010-01-27 09:28:46 UTC
It was my original patch (sorry), but Michael Sweet also missed the problem and committed it upstream for the not-yet-released 1.4.3 version.

We did alert other vendors about CVE-2009-3553 originally, and my patch was proposed.  Michael Sweet replied on that thread saying that was the patch that would be used to fix it, so very likely other vendors are using it as-is.

Upstream is not yet aware of the incomplete fix.

Comment 5 Josh Bressers 2010-01-28 18:45:27 UTC
I've assigned CVE-2010-0302 for this.

Comment 6 Josh Bressers 2010-02-02 20:05:40 UTC

Has anyone been told of this yet? I'm not sure how upstream likes to handle security flaws. Some guidance would be appreciated.


Comment 7 Tim Waugh 2010-02-03 11:21:12 UTC
I'm not sure what the protocol is myself.  I didn't want to tell anyone without the say-so of the SRT...

If you're happy for me to report it upstream I can do that? (There is a mechanism for reporting private security bugs on cups.org.)

Comment 8 Josh Bressers 2010-02-03 14:55:08 UTC
Let's start with upstream, once we have a final patch we can tell the vendors.


Comment 9 Tim Waugh 2010-02-03 16:09:32 UTC
Reported upstream.

Comment 22 Vincent Danen 2010-03-03 17:31:14 UTC
The embargo has lifted.

Comment 23 errata-xmlrpc 2010-03-03 17:40:08 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0129 https://rhn.redhat.com/errata/RHSA-2010-0129.html

Comment 24 Fedora Update System 2010-03-05 11:08:07 UTC
cups-1.4.2-26.fc11 has been submitted as an update for Fedora 11.

Comment 25 Fedora Update System 2010-03-05 11:30:14 UTC
cups-1.4.2-28.fc12 has been submitted as an update for Fedora 12.

Comment 26 Fedora Update System 2010-03-05 11:39:05 UTC
cups-1.4.2-34.fc13 has been submitted as an update for Fedora 13.

Comment 27 Fedora Update System 2010-03-11 13:24:33 UTC
cups-1.4.2-34.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2010-03-12 04:20:17 UTC
cups-1.4.2-28.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2010-03-13 02:28:53 UTC
cups-1.4.2-26.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
