Bug 706673 - Cups config parsing segfault
Summary: Cups config parsing segfault
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: cups
Version: 6.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
Assignee: Tim Waugh
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 784240
Reported: 2011-05-22 08:56 UTC by Richard Marko
Modified: 2012-01-24 11:31 UTC (History)

Fixed In Version: cups-1.4.2-40.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 784240
Environment:
Last Closed: 2011-12-06 15:28:34 UTC
Target Upstream Version:


Attachments
Minimized input file (8 bytes, application/octet-stream)
2011-05-22 08:56 UTC, Richard Marko
GDB short trace (297 bytes, text/plain)
2011-05-22 08:57 UTC, Richard Marko
GDB full trace (11.32 KB, text/plain)
2011-05-22 08:57 UTC, Richard Marko
Valgrind output (1.95 KB, text/plain)
2011-05-22 08:58 UTC, Richard Marko
GDB short trace #2 (499 bytes, text/plain)
2011-05-22 09:45 UTC, Richard Marko


Links
System ID Private Priority Status Summary Last Updated
CUPS Bugs and Features 3861 0 None None None Never
Red Hat Product Errata RHSA-2011:1635 0 normal SHIPPED_LIVE Low: cups security and bug fix update 2011-12-06 00:50:41 UTC

Description Richard Marko 2011-05-22 08:56:25 UTC
Created attachment 500243
Minimized input file

Description of problem:
CUPS crashes with a segfault on the attached config file.

Version-Release number of selected component (if applicable):
Version    : 1.4.2
Release    : 35.el6_0.1


How reproducible:
Always


Steps to Reproduce:
1. Download the attachment.
2. Run /usr/sbin/cupsd -f -c ./min
Actual results:
Segmentation fault


Expected results:
Proper error handling


Additional info:
Fault discovered by fuzzing the configuration file.

Comment 1 Richard Marko 2011-05-22 08:57:28 UTC
Created attachment 500244
GDB short trace

Comment 2 Richard Marko 2011-05-22 08:57:53 UTC
Created attachment 500245
GDB full trace

Comment 3 Richard Marko 2011-05-22 08:58:12 UTC
Created attachment 500246
Valgrind output

Comment 5 Richard Marko 2011-05-22 09:45:44 UTC
Created attachment 500250
GDB short trace #2

A similar error occurs in the parse_aaa function (parsing logic).
I will provide additional information if required.

Comment 8 Jiri Popelka 2011-06-15 09:51:29 UTC
Patch:
http://www.cups.org/strfiles/3861/str3861.patch

Comment 12 errata-xmlrpc 2011-12-06 15:28:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1635.html