Description of problem: CVE-2009-3553 (bug #530111) has not been completely fixed. Version-Release number of selected component (if applicable): Versions known to be affected: cups-1.3.7-11.el5_4.5 (RHEL-5.4.z) cups-1.3.7-16.el5 (RHEL-5) Additional info: The cause is that the cupsdDoSelect() function uses one of several implementations depending on the underlying select/poll capabilities of the operating system. For kqueue and epoll implementations, cupsdRemoveSelect() does not immediately decrease the reference count for the file descriptor and instead adds it to the cupsd_inactive_fds array. File descriptors in that array are finally dereferenced in cupsdStopSelect() (i.e. program termination). In Red Hat Enterprise Linux, the epoll implementation is used. The previous fix for CVE-2009-3553 was to check that another reference was held for the file descriptor before calling the write_cb function; however, that will always be the case for both the epoll and kqueue implementations. The correct fix is to check whether the file descriptor is in the cupsd_inactive_fds array before calling the write_cb function.
Created attachment 386167 [details] cups-CVE-2009-3553-incomplete-fix.patch Attached is a patch for RHEL-5.4.z.
Small correction: file descriptions in the cupsd_inactive_fds array are finally dereferenced just before cupsdDoSelect() returns.
Hi Tim. Was this incorrect fix provided by upstream, or did we come up with the fix and neglect to deal with the kqueue and epoll implementations? In other words, is this a Red Hat-only issue, or do we need to alert other vendors and is upstream aware of the incomplete fix? We'll need to get a new CVE name for this, regardless. Thanks for the clarification.
It was my original patch (sorry), but Michael Sweet also missed the problem and committed it upstream for the not-yet-released 1.4.3 version. We did alert other vendors about CVE-2009-3553 originally, and my patch was proposed. Michael Sweet replied on that thread saying that was the patch that would be used to fix it, so very likely other vendors are using it as-is. Upstream is not yet aware of the incomplete fix.
I've assigned CVE-2010-0302 for this.
Tim, Can anyone been told of this yet? I'm not sure how upstream likes to handle security flaws. Some guidance would be appreciated. Thanks.
I'm not sure what the protocol is myself. I didn't want to tell anyone without the say-so of the SRT... If you're happy for me to report it upstream I can do that? (There is a mechanism for reporting private security bugs on cups.org.)
Let's start with upstream, once we have a final patch we can tell the vendors. Thanks.
Reported upstream.
The embargo has lifted.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0129 https://rhn.redhat.com/errata/RHSA-2010-0129.html
cups-1.4.2-26.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/cups-1.4.2-26.fc11
cups-1.4.2-28.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/cups-1.4.2-28.fc12
cups-1.4.2-34.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/cups-1.4.2-34.fc13
cups-1.4.2-34.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.4.2-28.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.4.2-26.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.