Message-ID: <20030120165858.Y14771@sco.com>
From: security at caldera.com (security@...dera.com)
Subject: Security Update: [CSSA-2003-004.0] Linux: Multiple Security Vulnerabilities in the Common Unix Printing System (CUPS)

To: bugtraq@...urityfocus.com announce@...ts.caldera.com security-alerts@...uxsecurity.com full-disclosure@...ts.netsys.com

______________________________________________________________________________

			SCO Security Advisory

Subject:		Linux: Multiple Security Vulnerabilities in the Common Unix Printing System (CUPS)
Advisory number: 	CSSA-2003-004.0
Issue date: 		2003 January 20
Cross reference:
______________________________________________________________________________


1. Problem Description

	Several vulnerabilities have been discovered in the CUPS printing
	system (these descriptions are from the associated CVE database
	entries):

	- Allows local users with lp privileges to create or overwrite
	arbitrary files via file race conditions.

	- Allows remote attackers to add printers without
	authentication via a certain UDP packet, that can then be used
	to perform unauthorized activities such as stealing the local
	root certificate for the administration server via a "need
	authorization" page.

	- Allows remote attackers to cause a denial of service (crash)
	and possibly execute arbitrary code by causing negative
	arguments to be fed into memcpy() calls via HTTP requests with
	(1) a negative Content-Length value or (2) a negative length
	in a chunked transfer encoding.

	- The jobs.c module does not properly use the strncat function
	call when processing the options string, which allows remote
	attackers to execute arbitrary code via a buffer overflow
	attack.

	- The filters/image-gif.c module does not properly check for
	zero-length GIF images, which allows remote attackers to
	execute arbitrary code via modified chunk headers.

	- Does not properly check the return values of various file
	and socket operations, which could allow a remote attacker to
	cause a denial of service (resource exhaustion) by causing
	file descriptors to be assigned and not released.

	- Multiple integer overflows allow remote attackers to execute
	arbitrary code via (1) the CUPSd HTTP interface, and (2) the
	image handling code in CUPS filters.
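
	The negative Content-Length / chunk length item above, shown as an added C example of the unchecked pattern beside a validated one. This is not CUPS source code; BODY_MAX and all function names are hypothetical, and the length field is assumed to arrive with CR/LF and any chunk extension already stripped.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_MAX 8192   /* hypothetical per-request buffer limit */

/* Unchecked pattern: a signed length parsed from the request reaches
 * memcpy(), whose size_t parameter turns -1 into a huge byte count. */
static size_t unchecked_len(const char *field)
{
    return (size_t)atoi(field);          /* "-1" becomes (size_t)-1 */
}

/* Parse Content-Length (base 10) or a chunk size (base 16); -1 on bad input. */
static int parse_len(const char *field, int base, size_t *out)
{
    char *end;
    long v;
    if (field == NULL || *field == '\0')
        return -1;
    errno = 0;
    v = strtol(field, &end, base);
    if (errno == ERANGE || end == field || *end != '\0')
        return -1;                       /* overflow, empty, or trailing junk */
    if (v < 0 || v > BODY_MAX)
        return -1;                       /* negative or oversized length */
    *out = (size_t)v;
    return 0;
}

/* Copy only after checking the length against capacity and bytes received. */
static long copy_body(char *dst, size_t cap, const char *src, size_t avail,
                      const char *field, int base)
{
    size_t n;
    if (parse_len(field, base, &n) != 0 || n > cap || n > avail)
        return -1;
    memcpy(dst, src, n);
    return (long)n;
}

int main(void)
{
    char buf[16];                        /* sample inputs below are constructed */
    printf("%ld %ld\n", copy_body(buf, sizeof buf, "constructed", 11, "11", 10),
           copy_body(buf, sizeof buf, "constructed", 11, "-1", 10));
    return 0;
}
```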


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to cups-1.1.10-6.i386.rpm
					prior to cups-client-1.1.10-6.i386.rpm
					prior to cups-devel-1.1.10-6.i386.rpm
					prior to cups-ppd-1.1.10-6.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to cups-1.1.10-6.i386.rpm
					prior to cups-client-1.1.10-6.i386.rpm
					prior to cups-devel-1.1.10-6.i386.rpm
					prior to cups-ppd-1.1.10-6.i386.rpm

	OpenLinux 3.1 Server		prior to cups-1.1.10-6.i386.rpm
					prior to cups-client-1.1.10-6.i386.rpm
					prior to cups-devel-1.1.10-6.i386.rpm
					prior to cups-ppd-1.1.10-6.i386.rpm

	OpenLinux 3.1 Workstation	prior to cups-1.1.10-6.i386.rpm
					prior to cups-client-1.1.10-6.i386.rpm
					prior to cups-devel-1.1.10-6.i386.rpm
					prior to cups-ppd-1.1.10-6.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-004.0/RPMS

	4.2 Packages

	c27cfc1dc18d8c4769c0f8247f9c9bf0	cups-1.1.10-6.i386.rpm
	0c9792f6a6127a2a0ac3196d230a9223	cups-client-1.1.10-6.i386.rpm
	7ead8e53873325ee5acb2626ecabf5d5	cups-devel-1.1.10-6.i386.rpm
	cb7b8838284549eb6b4bcb877d5db983	cups-ppd-1.1.10-6.i386.rpm

	4.3 Installation

	rpm -Fvh cups-1.1.10-6.i386.rpm
	rpm -Fvh cups-client-1.1.10-6.i386.rpm
	rpm -Fvh cups-devel-1.1.10-6.i386.rpm
	rpm -Fvh cups-ppd-1.1.10-6.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-004.0/SRPMS

	4.5 Source Packages

	d14af6c00379eace99f62c5df4dcf132	cups-1.1.10-6.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-004.0/RPMS

	5.2 Packages

	b1315ba0ae47bf95d2eccfed08e95cb0	cups-1.1.10-6.i386.rpm
	ca1ab491adccc5d416d6f2947f93c657	cups-client-1.1.10-6.i386.rpm
	5db4d1574eaf6b1cb2130fab341edef7	cups-devel-1.1.10-6.i386.rpm
	2580ab863d136281dde1b3ddf82f0d99	cups-ppd-1.1.10-6.i386.rpm

	5.3 Installation

	rpm -Fvh cups-1.1.10-6.i386.rpm
	rpm -Fvh cups-client-1.1.10-6.i386.rpm
	rpm -Fvh cups-devel-1.1.10-6.i386.rpm
	rpm -Fvh cups-ppd-1.1.10-6.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-004.0/SRPMS

	5.5 Source Packages

	c62a95b4664ea4fe5261521b5a79cdc9	cups-1.1.10-6.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-004.0/RPMS

	6.2 Packages

	dee367cd2ffc768b9981831702927a38	cups-1.1.10-6.i386.rpm
	620cde79e5c12f20841c3dfe2dea0d36	cups-client-1.1.10-6.i386.rpm
	84320c589e9d2129aa5b1fdb34d5d62f	cups-devel-1.1.10-6.i386.rpm
	c2eaa7a35f2dcfb03aa77908bd89ef97	cups-ppd-1.1.10-6.i386.rpm

	6.3 Installation

	rpm -Fvh cups-1.1.10-6.i386.rpm
	rpm -Fvh cups-client-1.1.10-6.i386.rpm
	rpm -Fvh cups-devel-1.1.10-6.i386.rpm
	rpm -Fvh cups-ppd-1.1.10-6.i386.rpm

	6.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-004.0/SRPMS

	6.5 Source Packages

	268370aa68837a6bd148d77e493e92ba	cups-1.1.10-6.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-004.0/RPMS

	7.2 Packages

	b547711da7b927555f6f8eabb088793f	cups-1.1.10-6.i386.rpm
	98564caad2ed3e31eb0051e55be13d9c	cups-client-1.1.10-6.i386.rpm
	20c1141acfe92617c7c1219a9bd6dbe9	cups-devel-1.1.10-6.i386.rpm
	512795d8b7c8b31f6f6a7cfbf405114d	cups-ppd-1.1.10-6.i386.rpm

	7.3 Installation

	rpm -Fvh cups-1.1.10-6.i386.rpm
	rpm -Fvh cups-client-1.1.10-6.i386.rpm
	rpm -Fvh cups-devel-1.1.10-6.i386.rpm
	rpm -Fvh cups-ppd-1.1.10-6.i386.rpm

	7.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-004.0/SRPMS

	7.5 Source Packages

	7a7c39f894ac48056702470082f9862a	cups-1.1.10-6.src.rpm


8. References

	Specific references for this advisory:

		http://www.idefense.com/advisory/12.19.02.txt
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1366
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1367
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1368
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1369
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1371
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1372
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1383

	SCO security resources:

		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr872573, fz526835,
	erg712180.


9. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.


10. Acknowledgements

	zen-parse (zen-parse@....net) discovered and researched these
	vulnerabilities.

______________________________________________________________________________
