Wei Wang of McAfee AVERT Research discovered a buffer overflow flaw in the SNMP backend of CUPS. It may be possible for a remote attacker to send a specially crafted SNMP packet that would allow for the execution of arbitrary code as the cupsd user.
Tim, in theory this should only affect FC and RHEL5. Can you verify that this does indeed not affect RHEL[34]? I know the advisory claims it's 1.2.0+, but it's always wise to check ourselves.
Created attachment 280721 [details]: Correct supplied patch

280361 was the wrong patch.
According to opengrok the vulnerable code is only in cups in RHEL5. It's probably caught by FORTIFY_SOURCE too; needs investigation.
I don't believe this is a security issue. If it is, it's likely a low severity flaw. This is partly due to CUPS being built with stack-protector support. It's only possible to trigger this flaw when an administrator triggers an event to launch the SNMP backend program. This is a helper program which will not affect cupsd if it misbehaves. The flaw in question can be triggered by a malformed SNMP packet that will trigger a stack overflow in the SNMP helper. stack-protector will prevent this exploit from causing anything but a crash in the SNMP helper, so the only possible potential for exploitation here is preventing the administrator from using the SNMP auto discovery feature of CUPS.
I agree with Josh's analysis. To confirm: the snmp backend is not present in RHEL releases earlier than 5, so only 5 is vulnerable to this. Since we build cups with stack-protector support this is at worst a denial of service for the "discover remote SNMP printers" functionality, which is an administrator-triggered event.
Now public, opening bug.
Issue was addressed in upstream version 1.3.5. http://www.cups.org/articles.php?L519 The fixed upstream version is already in Fedora rawhide and the Fedora 8 testing repository.