Bug 1561296 (CVE-2017-18248) - CVE-2017-18248 cups: Invalid usernames handled in scheduler/ipp.c:add_job() allow remote attackers to cause a denial of service
Status: NEW
Alias: CVE-2017-18248
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=low,public=20171016,reported=2...
Keywords: Security
Depends On: 1561297 1561298 1567005
Blocks: 1561300
Reported: 2018-03-28 04:29 UTC by Sam Fowler
Modified: 2019-05-16 08:14 UTC (History)

Description Sam Fowler 2018-03-28 04:29:06 UTC
CUPS before version 2.2.6 has a vulnerability in the handling of usernames in the scheduler/ipp.c:add_job() function. A remote attacker could exploit this by submitting a print job with an invalid UTF-8 username to cause a crash and subsequent denial of service.


External References:

https://security.cucumberlinux.com/security/details.php?id=346


Upstream Issue:

https://github.com/apple/cups/issues/5143


Upstream Patch:

https://github.com/apple/cups/commit/49fa4983f25b64ec29d548ffa3b9782426007df3

Comment 1 Sam Fowler 2018-03-28 04:29:32 UTC
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1561298]

Comment 3 Stefan Cornelius 2018-04-05 07:58:56 UTC
I've tried to reproduce this, but so far I don't get the crash. I presume that this is because we don't have asserts enabled in our dbus. The only problem is that even when using a custom dbus with asserts enabled, I still don't see a crash.

Comment 4 Stefan Cornelius 2018-04-05 11:38:40 UTC
In reply to comment 3:
> I've tried to reproduce this, but so far I don't get the crash. I presume
> that this is because we don't have asserts enabled in our dbus. The only
> problem is that even when using a custom dbus with asserts enabled, I still
> don't see a crash.

I do get a crash now, my testing was flawed. Unfortunately, the upstream patch requires 1.7 API in order to have the attribute validation functions, which we don't have in RHEL7.

It's also worth noting that the original issues caused quite a few additional upstream changes, for example https://github.com/apple/cups/issues/5186 https://github.com/apple/cups/issues/5229. Maybe we can use a method similar to the cups-dbus-utf8.patch for bug 863387, but more generalized.
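
Added example (not part of the original comments, and not code from CUPS, the upstream patch, or cups-dbus-utf8.patch): a strict UTF-8 check for a job username before it is handed to a consumer that requires valid UTF-8 strings, such as D-Bus, with a sanitizing fallback for builds that lack the newer attribute validation API. The function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Length (1-4) of the well-formed UTF-8 sequence at s, or 0 if invalid.
 * Rejects stray continuation bytes, truncated and overlong sequences,
 * UTF-16 surrogates and code points above U+10FFFF. */
static size_t utf8_seq_len(const unsigned char *s, size_t avail)
{
  unsigned char c = s[0];
  unsigned long cp, min;
  size_t n, i;

  if (c < 0x80) return 1;
  else if ((c & 0xE0) == 0xC0) { n = 2; cp = c & 0x1F; min = 0x80; }
  else if ((c & 0xF0) == 0xE0) { n = 3; cp = c & 0x0F; min = 0x800; }
  else if ((c & 0xF8) == 0xF0) { n = 4; cp = c & 0x07; min = 0x10000; }
  else return 0;                       /* 0x80..0xBF or 0xF8..0xFF lead */

  if (n > avail) return 0;             /* sequence cut off by end of string */
  for (i = 1; i < n; i++) {
    if ((s[i] & 0xC0) != 0x80) return 0;
    cp = (cp << 6) | (s[i] & 0x3F);
  }
  if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
  return n;
}

/* Hypothetical helper: 1 if the whole username is well-formed UTF-8. */
int username_is_valid_utf8(const char *name)
{
  const unsigned char *s = (const unsigned char *)name;
  size_t left = strlen(name), n;

  for (; left > 0; s += n, left -= n)
    if ((n = utf8_seq_len(s, left)) == 0) return 0;
  return 1;
}

/* Hypothetical helper: replace each invalid byte with '?' in place so the
 * string can be passed on safely; returns the number of bytes replaced. */
size_t username_sanitize_utf8(char *name)
{
  unsigned char *s = (unsigned char *)name;
  size_t left = strlen(name), n, fixed = 0;

  for (; left > 0; s += n, left -= n)
    if ((n = utf8_seq_len(s, left)) == 0) { *s = '?'; n = 1; fixed++; }
  return fixed;
}
```

Rejecting the job when `username_is_valid_utf8()` fails is the stricter option; sanitizing keeps the job but changes the recorded username, which matters if the name is later used for accounting or access decisions.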

