Bug 557775 - (CVE-2010-0302) CVE-2010-0302 cups Incomplete fix for CVE-2009-3553
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,source=redhat,public=...
Keywords: Security
Depends On: 557789 563326 563327
Reported: 2010-01-22 10:00 EST by Tim Waugh
Modified: 2015-08-19 04:43 EDT
CC: 5 users

Doc Type: Bug Fix


Attachments:
cups-CVE-2009-3553-incomplete-fix.patch (1.14 KB, patch), 2010-01-22 10:02 EST, Tim Waugh


External Trackers:
Tracker: CUPS Bugs and Features, ID: 3490
Description Tim Waugh 2010-01-22 10:00:09 EST
Description of problem:
CVE-2009-3553 (bug #530111) has not been completely fixed.

Version-Release number of selected component (if applicable):
Versions known to be affected:

cups-1.3.7-11.el5_4.5 (RHEL-5.4.z)
cups-1.3.7-16.el5     (RHEL-5)

Additional info:
The cause is that the cupsdDoSelect() function uses one of several implementations depending on the underlying select/poll capabilities of the operating system.  For kqueue and epoll implementations, cupsdRemoveSelect() does not immediately decrease the reference count for the file descriptor and instead adds it to the cupsd_inactive_fds array.  File descriptors in that array are finally dereferenced in cupsdStopSelect() (i.e. program termination).

In Red Hat Enterprise Linux, the epoll implementation is used.

The previous fix for CVE-2009-3553 was to check that another reference was held for the file descriptor before calling the write_cb function; however, that will always be the case for both the epoll and kqueue implementations.

The correct fix is to check whether the file descriptor is in the cupsd_inactive_fds array before calling the write_cb function.
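The following C model is an added illustration of the dispatch logic described in this report; it is not CUPS code and not the attached patch. All names prefixed model_ and the fd table layout are hypothetical. It models the epoll/kqueue behaviour described above (cupsdRemoveSelect parks the fd on an inactive list instead of dropping the reference) and compares three guards in front of the write callback: no guard, the reference-count guard of the first fix, and the inactive-list guard of the corrected fix. The read callback stands in for a handler that removes the connection; a write callback that still runs on that removed entry is the condition the fix must prevent.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_FDS 8

/* Constructed model of a cupsd-style fd table entry; not CUPS's real struct. */
typedef struct {
    int  use;          /* reference count held on this entry */
    int  write_calls;  /* how many times the write callback ran on this entry */
    bool removed;      /* the owner asked for this entry to be removed */
} fd_entry_t;

/* Which guard the dispatcher applies before calling the write callback. */
typedef enum {
    GUARD_NONE,      /* original code: no check at all */
    GUARD_REFCOUNT,  /* first CVE-2009-3553 fix: another reference must be held */
    GUARD_INACTIVE   /* corrected fix: fd must not be on the inactive list */
} guard_t;

static fd_entry_t fds[MAX_FDS];
static int        inactive_fds[MAX_FDS];
static int        num_inactive;

static void model_reset(void)
{
    memset(fds, 0, sizeof fds);
    num_inactive = 0;
}

/* Model of cupsdAddSelect: the owner takes one reference on the entry. */
static void model_add_select(int fd)
{
    fds[fd].use++;
    fds[fd].removed = false;
}

/* Model of cupsdRemoveSelect on the epoll/kqueue path: the reference is NOT
 * dropped here. The fd is parked on the inactive list and only released
 * once the dispatcher has finished its pass (see comment 2). */
static void model_remove_select(int fd)
{
    fds[fd].removed = true;
    inactive_fds[num_inactive++] = fd;
}

static bool model_is_inactive(int fd)
{
    for (int i = 0; i < num_inactive; i++)
        if (inactive_fds[i] == fd)
            return true;
    return false;
}

/* Read callback: the peer has gone away, so the handler removes the fd.
 * In the real server this is where the client state would be torn down. */
static void model_read_cb(int fd)
{
    model_remove_select(fd);
}

static void model_write_cb(int fd)
{
    fds[fd].write_calls++;
}

/* One dispatcher pass for an fd that reported readable and writable in the
 * same poll. Returns how many times the write callback ran on the entry
 * after it had already been removed in this pass; 0 is the safe outcome. */
static int model_dispatch(int fd, guard_t guard)
{
    model_reset();
    model_add_select(fd);

    fds[fd].use++;        /* dispatcher holds its own reference while calling back */
    model_read_cb(fd);    /* handler removes the fd */

    bool call_write;
    switch (guard) {
        case GUARD_REFCOUNT: call_write = fds[fd].use > 1;         break; /* still 2: always true */
        case GUARD_INACTIVE: call_write = !model_is_inactive(fd);  break;
        default:             call_write = true;                    break;
    }
    if (call_write)
        model_write_cb(fd);

    fds[fd].use--;        /* dispatcher drops its reference */

    /* Parked removals take effect only now, after the callbacks. */
    for (int i = 0; i < num_inactive; i++)
        fds[inactive_fds[i]].use--;
    num_inactive = 0;

    return fds[fd].removed ? fds[fd].write_calls : 0;
}
```

The reference-count guard passes for the same reason the report gives: on the epoll and kqueue paths the remove operation defers the decrement, so at the moment of the check the count still looks as if another holder exists. Checking membership in the inactive list is the only one of the three guards that reflects the removal that just happened.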
Comment 1 Tim Waugh 2010-01-22 10:02:50 EST
Created attachment 386167 [details]
cups-CVE-2009-3553-incomplete-fix.patch

Attached is a patch for RHEL-5.4.z.
Comment 2 Tim Waugh 2010-01-22 10:33:07 EST
Small correction: file descriptors in the cupsd_inactive_fds array are finally dereferenced just before cupsdDoSelect() returns.
Comment 3 Vincent Danen 2010-01-26 23:40:51 EST
Hi Tim.  Was this incorrect fix provided by upstream, or did we come up with the fix and neglect to deal with the kqueue and epoll implementations?  In other words, is this a Red Hat-only issue, or do we need to alert other vendors and is upstream aware of the incomplete fix?

We'll need to get a new CVE name for this, regardless.  Thanks for the clarification.
Comment 4 Tim Waugh 2010-01-27 04:28:46 EST
It was my original patch (sorry), but Michael Sweet also missed the problem and committed it upstream for the not-yet-released 1.4.3 version.

We did alert other vendors about CVE-2009-3553 originally, and my patch was proposed.  Michael Sweet replied on that thread saying that was the patch that would be used to fix it, so very likely other vendors are using it as-is.

Upstream is not yet aware of the incomplete fix.
Comment 5 Josh Bressers 2010-01-28 13:45:27 EST
I've assigned CVE-2010-0302 for this.
Comment 6 Josh Bressers 2010-02-02 15:05:40 EST
Tim,

Has anyone been told of this yet? I'm not sure how upstream likes to handle security flaws. Some guidance would be appreciated.

Thanks.
Comment 7 Tim Waugh 2010-02-03 06:21:12 EST
I'm not sure what the protocol is myself.  I didn't want to tell anyone without the say-so of the SRT...

If you're happy for me to report it upstream I can do that? (There is a mechanism for reporting private security bugs on cups.org.)
Comment 8 Josh Bressers 2010-02-03 09:55:08 EST
Let's start with upstream, once we have a final patch we can tell the vendors.

Thanks.
Comment 9 Tim Waugh 2010-02-03 11:09:32 EST
Reported upstream.
Comment 22 Vincent Danen 2010-03-03 12:31:14 EST
The embargo has lifted.
Comment 23 errata-xmlrpc 2010-03-03 12:40:08 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0129 https://rhn.redhat.com/errata/RHSA-2010-0129.html
Comment 24 Fedora Update System 2010-03-05 06:08:07 EST
cups-1.4.2-26.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cups-1.4.2-26.fc11
Comment 25 Fedora Update System 2010-03-05 06:30:14 EST
cups-1.4.2-28.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/cups-1.4.2-28.fc12
Comment 26 Fedora Update System 2010-03-05 06:39:05 EST
cups-1.4.2-34.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/cups-1.4.2-34.fc13
Comment 27 Fedora Update System 2010-03-11 08:24:33 EST
cups-1.4.2-34.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 28 Fedora Update System 2010-03-11 23:20:17 EST
cups-1.4.2-28.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 29 Fedora Update System 2010-03-12 21:28:53 EST
cups-1.4.2-26.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
