An use-after-free flaw was found in the way CUPS handled references in its file descriptors handling interface. A remote attacker could, in a specially-crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). Upstream bug report: ------------------- http://www.cups.org/str.php?L3200 (currently inaccessible) Reproducer from upstream STR#3200 issue: ---------------------------------------- 1. produce 300 active jobs on the CUPS server. 2. extract client.zip to any directory 3. execute: java -cp "cups-java-client-1.3.jar";. TestCupsGetJobs 10.236.33.136 (replace 10.236.33.136 with your server address)
This issue does NOT affect the versions of cups package, as shipped with Red Hat Enterprise Linux 3 and 4. This issue affects the versions of the cups package, as shipped with Red Hat Enterprise Linux 5.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1595 https://rhn.redhat.com/errata/RHSA-2009-1595.html
cups-1.4.2-7.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.4.2-7.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.3.11-4.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/cups-1.3.11-4.fc10
cups-1.3.11-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.