Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: Conectiva :: bt697.txt

cups CLA-2003:702

Hash: SHA1

- --------------------------------------------------------------------------
- --------------------------------------------------------------------------

PACKAGE   : cups
SUMMARY   : Several vulnerabilities
DATE      : 2003-07-22 16:08:00
ID        : CLA-2003:702
RELEASES  : 7.0, 8, 9

- -------------------------------------------------------------------------

 Cups[1] (Common UNIX Printing System) is an open-source, freely
 available and cross-platform printing solution for UNIX
 iDefense published[2][3] some time ago several vulnerabilities in
 Cups researched by zen-parse which are being addressed now.
 Additionally, a new denial of service vulnerability[12] was
 discovered by Phil D'Amore of Red Hat and is also being fixed.
 The vulnerabilities outlined below affect only Conectiva Linux 7.0
 and 8 (CL9 is not affected):
 1. pdftops integer overflow (CAN-2002-1384)[3][4]
 The pdftops filter used in Cups contains an integer overflow which
 can be exploited to run arbitrary commands with the privileges of the
 target user.
 2. Multiple integer overflows (CAN-2002-1383)[5]
 There are several integer overflows in Cups which can be exploited
 via the http interface and via carefully created images which get
 handled by Cups. These vulnerabilities can be exploited to run
 arbitrary code.
 3. Race condition (CAN-2002-1366)[6]
 A race condition exists in the creation of /etc/cups/certs/<pid>.
 This allows a local attacker to create or overwrite any file as root
 as long as he/she already has 'lp' privileges (which could be
 obtained via one of the previous vulnerabilities, for example).
 4. Arbitrary printer creation and Root Certificate Design Flaw
 Remote users can add arbitrary printers to Cups by sending a
 specially crafted UDP packet. Attackers can use this to add printers
 with tainted names that, when clicked on in the web administration
 page, could be used to exploit other vulnerabilities.
 5. Negative Length Memcpy() Calls (CAN-2002-1368)[8]
 Negative length memcpy() calls in the code which handles chunked
 transfer encodings and content length in the http interface could be
 used by remote attackers to cause a denial of service condition and
 possibly execute arbitrary code.
 6. Unsafe Strncat Function Call in jobs.c (CAN-2002-1369)[9]
 There is a buffer overflow vulnerability in the code used to handle
 job options which, in conjuntion with other vulnerabilities, could be
 used to obtain root privileges.
 7. Zero Width Images in filters/image-gif.c (CAN-2002-1371)[10]
 Cups does not properly check for zero-length GIF images, which allows
 remote attackers to execute arbitrary code.
 8. File Descriptor Resource Leaks (CAN-2002-1372)[11]
 Cups does not properly check the return values of various file and
 socket operations, which could allow a remote attacker to cause a
 denial of service condition by causing file descriptors to be
 assigned and not released.
 The vulnerability below affects Conectiva Linux 7.0, 8 and 9:
 9. Denial of service vulnerability (CAN-2003-0195)[12]
 Phil D'Amore discovered that by sending a partial printing request to
 the IPP port, remote attackers can cause a denial of service
 condition, since the request does not time out. Simple commands such
 as "lpq" stop working as long as the attacker holds the connection
 with the partial printing request open.
 Additionally, two other fixes which are not security related have
 been included in Conectiva Linux 7.0 and 8:
 1. Reconnect problem with some HP jetdirect printers;
 2. Octetstream has been enabled by default, which allows some
 printing jobs to be submitted such as those by Windows XP via samba.

 It is recommended that all cups users upgrade their packages.
 IMPORTANT: after the upgrade, it is necessary to restart the cups
 service if it was already running. To do so, execute the following
 command as root:
 /sbin/service cups restart


 The apt tool can be used to perform RPM packages upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
Instructions on how to check the signatures of the RPM packages can be
found at

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.

- -------------------------------------------------------------------------
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH