Whilst investigating a memory leak issue handling IPP browse requests (Bug #433825) we discovered that older versions of CUPS as shipped with Enterprise Linux 3 and 4 could end up dereferencing freed memory. A malicious user on the local subnet could send a set of carefully crafted IPP packets to the UDP port in such a way as to cause CUPS to crash. This issue doesn't affect recent upstream versions of CUPS as shipped in Red Hat Enterprise Linux 5.
Lifting embargo.
This issue was addressed in Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0153.html
http://rhn.redhat.com/errata/RHSA-2008-0161.html
Created attachment 312753: Patch as used in Red Hat Enterprise Linux 4 CUPS packages, based on upstream 1.1.22rc1