Executive Summary
Summary | |
---|---|
Title | CUPS buffer overflow vulnerability |
Informations | |||
---|---|---|---|
Name | VU#446897 | First vendor Publication | 2007-11-01 |
Vendor | VU-CERT | Last vendor Modification | 2007-12-18 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#446897CUPS buffer overflow vulnerabilityOverviewThe Common Unix Printing System contains a buffer overflow vulnerability. This vulnerability may allow a remote attacker to execute arbitrary code.I. DescriptionThe Common Unix Printing System (CUPS) is a printing service used by many Linux and Unix operating systems. CUPS uses a print scheduling process that dispatches print jobs and provides the printer's status to local and remote programs.The Internet Printing Protocol (IPP) is a standard protocol that defines printing and managing print ques. As specified in RFC 2910, the IPP transport layer consists of an HTTP/1.1 request or response. Section 3.5 of RFC 2910 specifies two different types of tags that can either delimit sections of protocols (delimiter tags) or specify the type of each attribute value (value tags). textWithLanguage tags are defined in section 4.1.1.2 and nameWithLanguage is defined in section 4.1.2.2.
The vulnerability is caused due to a boundary error within the "ippReadIO()" function in cups/ipp.c when processing IPP (Internet Printing Protocol) tags. This can be exploited to overwrite one byte on the stack with a zero by sending an IPP request containing specially crafted "textWithLanguage" or "nameWithLanguage" tags. Successful exploitation allows execution of arbitrary code. II. ImpactA remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user running the CUPS server or cause the server to crash. The cupsd daemon may run with root privileges.III. SolutionAdministrators and users should see the systems affected portion of this document for a partial list of affected vendors. Users who compile CUPS from source should see CUPS Article #508: Common UNIX Printing System 1.3.4 for information about obtaining fixed software.
References
This vulnerability was published in Secunia Advisory 2007-76. This document was written by Ryan Giobbi.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/446897 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10604 | |||
Oval ID: | oval:org.mitre.oval:def:10604 | ||
Title: | Off-by-one error in the ippReadIO function in cups/ipp.c in CUPS 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted (1) textWithLanguage or (2) nameWithLanguage Internet Printing Protocol (IPP) tag, leading to a stack-based buffer overflow. | ||
Description: | Off-by-one error in the ippReadIO function in cups/ipp.c in CUPS 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted (1) textWithLanguage or (2) nameWithLanguage Internet Printing Protocol (IPP) tag, leading to a stack-based buffer overflow. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-4351 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17451 | |||
Oval ID: | oval:org.mitre.oval:def:17451 | ||
Title: | USN-539-1 -- cupsys vulnerability | ||
Description: | Alin Rad Pop discovered that CUPS did not correctly validate buffer lengths when processing IPP tags. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-539-1 CVE-2007-4351 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 6.10 Ubuntu 7.04 Ubuntu 7.10 | Product(s): | cupsys |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18743 | |||
Oval ID: | oval:org.mitre.oval:def:18743 | ||
Title: | DSA-1407-1 cupsys - buffer overflow with arbitrary code execution | ||
Description: | Alin Rad Pop discovered that the Common UNIX Printing System is vulnerable to an off-by-one buffer overflow in the code to process IPP packets, which may lead to the execution of arbitrary code. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1407-1 CVE-2007-4351 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | cupsys |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22661 | |||
Oval ID: | oval:org.mitre.oval:def:22661 | ||
Title: | ELSA-2007:1020: cups security and bug fix update (Important) | ||
Description: | Off-by-one error in the ippReadIO function in cups/ipp.c in CUPS 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted (1) textWithLanguage or (2) nameWithLanguage Internet Printing Protocol (IPP) tag, leading to a stack-based buffer overflow. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2007:1020-01 CVE-2007-4351 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | cups |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 4 |
OpenVAS Exploits
Date | Description |
---|---|
2010-05-12 | Name : Mac OS X Security Update 2007-009 File : nvt/macosx_secupd_2007-009.nasl |
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-04-09 | Name : Mandriva Update for cups MDKSA-2007:204-1 (cups) File : nvt/gb_mandriva_MDKSA_2007_204_1.nasl |
2009-04-09 | Name : Mandriva Update for cups MDKSA-2007:204 (cups) File : nvt/gb_mandriva_MDKSA_2007_204.nasl |
2009-03-23 | Name : Ubuntu Update for cupsys vulnerability USN-539-1 File : nvt/gb_ubuntu_USN_539_1.nasl |
2009-02-27 | Name : Fedora Update for cups FEDORA-2007-2715 File : nvt/gb_fedora_2007_2715_cups_fc7.nasl |
2009-02-27 | Name : Fedora Update for cups FEDORA-2007-2982 File : nvt/gb_fedora_2007_2982_cups_fc8.nasl |
2009-02-27 | Name : Fedora Update for cups FEDORA-2007-3100 File : nvt/gb_fedora_2007_3100_cups_fc7.nasl |
2009-02-27 | Name : Fedora Update for cups FEDORA-2007-740 File : nvt/gb_fedora_2007_740_cups_fc6.nasl |
2009-02-17 | Name : Fedora Update for cups FEDORA-2008-3449 File : nvt/gb_fedora_2008_3449_cups_fc7.nasl |
2009-02-16 | Name : Fedora Update for cups FEDORA-2008-2897 File : nvt/gb_fedora_2008_2897_cups_fc7.nasl |
2009-02-16 | Name : Fedora Update for cups FEDORA-2008-1976 File : nvt/gb_fedora_2008_1976_cups_fc7.nasl |
2009-01-28 | Name : SuSE Update for cups SUSE-SA:2007:058 File : nvt/gb_suse_2007_058.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200711-16 (cups) File : nvt/glsa_200711_16.nasl |
2008-09-04 | Name : FreeBSD Ports: cups-base File : nvt/freebsd_cups-base4.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1407-1 (cupsys) File : nvt/deb_1407_1.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2007-305-01 cups File : nvt/esoft_slk_ssa_2007_305_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
42028 | CUPS cups/ipp.c ippReadIO Function IPP Tag Handling Overflow |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-1023.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-1022.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-1020.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071107_cups_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071031_cups_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-1020.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-1022.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-1023.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-1022.nasl - Type : ACT_GATHER_INFO |
2008-05-11 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3449.nasl - Type : ACT_GATHER_INFO |
2007-12-18 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2007-009.nasl - Type : ACT_GATHER_INFO |
2007-11-20 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1407.nasl - Type : ACT_GATHER_INFO |
2007-11-14 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200711-16.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-539-1.nasl - Type : ACT_GATHER_INFO |
2007-11-09 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_8dd9722c8e9711dcb8f6001c2514716c.nasl - Type : ACT_GATHER_INFO |
2007-11-08 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2982.nasl - Type : ACT_GATHER_INFO |
2007-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-1023.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2715.nasl - Type : ACT_GATHER_INFO |
2007-11-02 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2007-305-01.nasl - Type : ACT_GATHER_INFO |
2007-11-02 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-204.nasl - Type : ACT_GATHER_INFO |
2007-11-02 | Name : The remote printer service is prone to a buffer overflow attack. File : cups_ipp_tag_overflow.nasl - Type : ACT_GATHER_INFO |
2007-11-01 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-1020.nasl - Type : ACT_GATHER_INFO |
2007-11-01 | Name : The remote openSUSE host is missing a security update. File : suse_cups-4598.nasl - Type : ACT_GATHER_INFO |