An unitialized memory read issue exists in the CUPS web interface in how it handles form variables. An attacker with access to the CUPS web interface could possibly read a limited amount of memory from the cupsd process. In cgi-bin/var.c, when processing form variables that can come from an unauthenticated user, the cgi_initialize_string() function expects a 2-character hex code after the % character. If the last character of data is the % character, then it will append a mangled version of the nul terminator and one more byte following the end of data to the output. The loop will continue appending the contents of memory past the end of data to the output, until another nul byte is read. A GET request will disclose memory from the environment variable list, and a POST request will disclose memory from the heap.
Upstream CUPS 1.4.4 has corrected this flaw.
Red Hat would like to thank the Apple Product Security team for responsibly reporting this flaw. Upstream acknowledges Luca Carettoni as the original reporter.
Created attachment 413803 [details]
proposed upstream patch
This is public now via http://support.apple.com/kb/HT4188
Created cups tracking bugs for this issue
Affects: fedora-all [bug 605399]
This issue has been addressed in following products:
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2010:0490 https://rhn.redhat.com/errata/RHSA-2010-0490.html
cups-1.4.4-1.fc13 has been submitted as an update for Fedora 13.
cups-1.4.4-1.fc12 has been submitted as an update for Fedora 12.
cups-1.4.4-1.fc11 has been submitted as an update for Fedora 11.
cups-1.4.4-4.fc13 has been submitted as an update for Fedora 13.
cups-1.4.4-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.4.4-5.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.4.4-5.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.