Message-ID: <20030120165858.Y14771@sco.com>
From: security at caldera.com (security@...dera.com)
Subject: Security Update: [CSSA-2003-004.0] Linux: Multiple Security Vulnerabilities in the Common Unix Printing System (CUPS)
To: bugtraq@...urityfocus.com announce@...ts.caldera.com security-alerts@...uxsecurity.com full-disclosure@...ts.netsys.com
______________________________________________________________________________
SCO Security Advisory
Subject: Linux: Multiple Security Vulnerabilities in the Common Unix Printing System (CUPS)
Advisory number: CSSA-2003-004.0
Issue date: 2003 January 20
Cross reference:
______________________________________________________________________________
1. Problem Description
Several vulnerabilities have been discovered in the CUPS printing
system (these descriptions are from the associated CVE database
entries):
- Allows local users with lp privileges to create or overwrite
arbitrary files via file race conditions.
- Allows remote attackers to add printers without
authentication via a certain UDP packet, that can then be used
to perform unauthorized activities such as stealing the local
root certificate for the administration server via a "need
authorization" page.
- Allows remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code by causing negative
arguments to be fed into memcpy() calls via HTTP requests with
(1) a negative Content-Length value or (2) a negative length
in a chunked transfer encoding.
- The jobs.c module does not properly use the strncat function
call when processing the options string, which allows remote
attackers to execute arbitrary code via a buffer overflow
attack.
- The filters/image-gif.c module does not properly check for
zero-length GIF images, which allows remote attackers to
execute arbitrary code via modified chunk headers.
- Does not properly check the return values of various file
and socket operations, which could allow a remote attacker to
cause a denial of service (resource exhaustion) by causing
file descriptors to be assigned and not released.
- Multiple integer overflows allow remote attackers to execute
arbitrary code via (1) the CUPSd HTTP interface, and (2) the
image handling code in CUPS filters.
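Added example (not part of the SCO advisory and not CUPS source code): the
negative Content-Length / chunk-length item above comes down to a signed
length reaching memcpy() unchecked. The C code below contrasts that
conversion with a parser that rejects negative, malformed and oversized
values before any copy; MAX_BODY and all function names are assumptions
made for this illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 4096L  /* assumed cap on an accepted body or chunk */

/* Unsafe pattern: a signed parse result used directly as a size.
 * "-1" becomes SIZE_MAX once converted to size_t for memcpy(). */
static size_t unchecked_length(const char *field)
{
    return (size_t)atoi(field);
}

/* Parse Content-Length (base 10) or a chunk size (base 16).
 * Returns the length, or -1 if empty, malformed, negative or too large. */
static long checked_length(const char *field, int base)
{
    char *end;
    long long v;
    errno = 0;
    v = strtoll(field, &end, base);
    if (end == field || errno == ERANGE)
        return -1;                      /* no digits, or overflow */
    if (*end != '\0' && *end != '\r' && *end != '\n' && *end != ';')
        return -1;                      /* trailing junk after the number */
    if (v < 0 || v > MAX_BODY)
        return -1;                      /* negative, or over the cap */
    return (long)v;
}

/* Copy a body only after the declared length passes every bound. */
static long copy_body(char *dst, size_t dstsz, const char *src,
                      size_t avail, const char *field, int base)
{
    long n = checked_length(field, base);
    if (n < 0 || (size_t)n > dstsz || (size_t)n > avail)
        return -1;
    memcpy(dst, src, (size_t)n);
    return n;
}

/* Exit status 0 when the constructed inputs behave as described. */
int main(void)
{
    char buf[16];
    return !(copy_body(buf, sizeof buf, "hello", 5, "-1", 10) == -1 &&
             copy_body(buf, sizeof buf, "hello", 5, "5", 10) == 5 &&
             unchecked_length("-1") > (size_t)MAX_BODY);
}
```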
2. Vulnerable Supported Versions
System                        Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server        prior to cups-1.1.10-6.i386.rpm
                              prior to cups-client-1.1.10-6.i386.rpm
                              prior to cups-devel-1.1.10-6.i386.rpm
                              prior to cups-ppd-1.1.10-6.i386.rpm
OpenLinux 3.1.1 Workstation   prior to cups-1.1.10-6.i386.rpm
                              prior to cups-client-1.1.10-6.i386.rpm
                              prior to cups-devel-1.1.10-6.i386.rpm
                              prior to cups-ppd-1.1.10-6.i386.rpm
OpenLinux 3.1 Server          prior to cups-1.1.10-6.i386.rpm
                              prior to cups-client-1.1.10-6.i386.rpm
                              prior to cups-devel-1.1.10-6.i386.rpm
                              prior to cups-ppd-1.1.10-6.i386.rpm
OpenLinux 3.1 Workstation     prior to cups-1.1.10-6.i386.rpm
                              prior to cups-client-1.1.10-6.i386.rpm
                              prior to cups-devel-1.1.10-6.i386.rpm
                              prior to cups-ppd-1.1.10-6.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-004.0/RPMS
4.2 Packages
c27cfc1dc18d8c4769c0f8247f9c9bf0 cups-1.1.10-6.i386.rpm
0c9792f6a6127a2a0ac3196d230a9223 cups-client-1.1.10-6.i386.rpm
7ead8e53873325ee5acb2626ecabf5d5 cups-devel-1.1.10-6.i386.rpm
cb7b8838284549eb6b4bcb877d5db983 cups-ppd-1.1.10-6.i386.rpm
4.3 Installation
rpm -Fvh cups-1.1.10-6.i386.rpm
rpm -Fvh cups-client-1.1.10-6.i386.rpm
rpm -Fvh cups-devel-1.1.10-6.i386.rpm
rpm -Fvh cups-ppd-1.1.10-6.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-004.0/SRPMS
4.5 Source Packages
d14af6c00379eace99f62c5df4dcf132 cups-1.1.10-6.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-004.0/RPMS
5.2 Packages
b1315ba0ae47bf95d2eccfed08e95cb0 cups-1.1.10-6.i386.rpm
ca1ab491adccc5d416d6f2947f93c657 cups-client-1.1.10-6.i386.rpm
5db4d1574eaf6b1cb2130fab341edef7 cups-devel-1.1.10-6.i386.rpm
2580ab863d136281dde1b3ddf82f0d99 cups-ppd-1.1.10-6.i386.rpm
5.3 Installation
rpm -Fvh cups-1.1.10-6.i386.rpm
rpm -Fvh cups-client-1.1.10-6.i386.rpm
rpm -Fvh cups-devel-1.1.10-6.i386.rpm
rpm -Fvh cups-ppd-1.1.10-6.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-004.0/SRPMS
5.5 Source Packages
c62a95b4664ea4fe5261521b5a79cdc9 cups-1.1.10-6.src.rpm
6. OpenLinux 3.1 Server
6.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-004.0/RPMS
6.2 Packages
dee367cd2ffc768b9981831702927a38 cups-1.1.10-6.i386.rpm
620cde79e5c12f20841c3dfe2dea0d36 cups-client-1.1.10-6.i386.rpm
84320c589e9d2129aa5b1fdb34d5d62f cups-devel-1.1.10-6.i386.rpm
c2eaa7a35f2dcfb03aa77908bd89ef97 cups-ppd-1.1.10-6.i386.rpm
6.3 Installation
rpm -Fvh cups-1.1.10-6.i386.rpm
rpm -Fvh cups-client-1.1.10-6.i386.rpm
rpm -Fvh cups-devel-1.1.10-6.i386.rpm
rpm -Fvh cups-ppd-1.1.10-6.i386.rpm
6.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-004.0/SRPMS
6.5 Source Packages
268370aa68837a6bd148d77e493e92ba cups-1.1.10-6.src.rpm
7. OpenLinux 3.1 Workstation
7.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-004.0/RPMS
7.2 Packages
b547711da7b927555f6f8eabb088793f cups-1.1.10-6.i386.rpm
98564caad2ed3e31eb0051e55be13d9c cups-client-1.1.10-6.i386.rpm
20c1141acfe92617c7c1219a9bd6dbe9 cups-devel-1.1.10-6.i386.rpm
512795d8b7c8b31f6f6a7cfbf405114d cups-ppd-1.1.10-6.i386.rpm
7.3 Installation
rpm -Fvh cups-1.1.10-6.i386.rpm
rpm -Fvh cups-client-1.1.10-6.i386.rpm
rpm -Fvh cups-devel-1.1.10-6.i386.rpm
rpm -Fvh cups-ppd-1.1.10-6.i386.rpm
7.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-004.0/SRPMS
7.5 Source Packages
7a7c39f894ac48056702470082f9862a cups-1.1.10-6.src.rpm
8. References
Specific references for this advisory:
http://www.idefense.com/advisory/12.19.02.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1366
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1367
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1383
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr872573, fz526835,
erg712180.
9. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
10. Acknowledgements
zen-parse (zen-parse@....net) discovered and researched these
vulnerabilities.
______________________________________________________________________________