Your message dated Sun, 23 Dec 2007 03:02:03 +0000 with message-id <E1J6H6J-0003jd-RB@ries.debian.org> and subject line Bug#457453: fixed in cupsys 1.3.5-1 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: cupsys: CVE-2007-5849 stack-based buffer overflow leading to code execution in SNMP back-end
- From: Nico Golde <nion@debian.org>
- Date: Sat, 22 Dec 2007 15:29:27 +0100
- Message-id: <20071222142927.GA31214@ngolde.de>
Package: cupsys Version: 1.2.7-4etch1 Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for cupsys. CVE-2007-5849[0]: | Integer underflow in the asn1_get_string function in the SNMP back end | for CUPS allows remote attackers to execute arbitrary code via a | crafted SNMP response that triggers a stack-based buffer overflow. I attached a patch which fixes this problem. Sarge is not affected by this as the SNMP backend was introduced later. If you fix this vulnerability please also include the CVE id in your changelog entry. For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5849 Kind regards Nico -- Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.diff -Naur cups-1.3.4/backend/snmp.c cups-1.3.4.new/backend/snmp.c --- cups-1.3.4/backend/snmp.c 2007-07-11 23:46:42.000000000 +0200 +++ cups-1.3.4.new/backend/snmp.c 2007-12-10 12:56:12.680574919 +0100 @@ -1064,18 +1064,38 @@ char *string, /* I - String buffer */ int strsize) /* I - String buffer size */ { - if (length < strsize) + if (length < 0) { - memcpy(string, *buffer, length); + /* + * Disallow negative lengths! + */ + + fprintf(stderr, "ERROR: Bad ASN1 string length %d!\n", length); + *string = '\0'; + } + else if (length < strsize) + { + /* + * String is smaller than the buffer... + */ + + if (length > 0) + memcpy(string, *buffer, length); + string[length] = '\0'; } else { + /* + * String is larger than the buffer... + */ + memcpy(string, buffer, strsize - 1); string[strsize - 1] = '\0'; } - (*buffer) += length; + if (length > 0) + (*buffer) += length; return (string); }Attachment: pgp0Bjh79xLSq.pgp
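Review bot: the "String is larger than the buffer" branch still reads `memcpy(string, buffer, strsize - 1);` with `buffer` rather than `*buffer`, so it copies from the address of the cursor variable instead of from the packet bytes, unlike `memcpy(string, *buffer, length);` in the branch above it; since this hunk already rewrites the surrounding lines, change it to `*buffer` in the same patch. The negative-length check closes the underflow, but the cursor advance `(*buffer) += length;` is still unbounded: nothing in the hunk compares `length` with the bytes remaining in the received packet, so an oversized length still moves the cursor past the end of the data for whatever parsing follows; pass the packet end (or remaining size) into this function and reject lengths that exceed it. Minor: the `if (length > 0)` guard in front of `memcpy()` is unnecessary once `length < 0` has been ruled out, because `memcpy()` with a zero count is well defined.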
Description: PGP signature
--- End Message ---
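The CVE text above describes a negative string length reaching a stack copy. As an added example (not CUPS code and not the attached patch), the reader below keeps the shape of the patch's asn1_get_string() but also refuses to read past the end of the packet; the function name and the extra `bufend` parameter are assumptions of this example, and the sample packet bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Bounds-checked ASN.1 string reader (added example, not CUPS code).
 * Same shape as asn1_get_string() in the patch: cursor, already-decoded
 * signed length, output buffer and its size.  The extra parameter bufend
 * (one past the last packet byte) is an assumption of this example.
 * Returns 0 and advances *buffer on success; returns -1, empties the output
 * and leaves the cursor alone when length is negative or exceeds the packet.
 */
int safe_asn1_get_string(const unsigned char **buffer, const unsigned char *bufend,
                         int length, char *string, int strsize)
{
  if (strsize <= 0)
    return -1;
  string[0] = '\0';
  if (length < 0)                     /* CVE-2007-5849: negative length reached memcpy() */
    return -1;
  if (length > bufend - *buffer)      /* string claims more bytes than the packet holds */
    return -1;
  if (length < strsize)               /* fits: copy it all, then terminate */
  {
    memcpy(string, *buffer, (size_t)length);
    string[length] = '\0';
  }
  else                                /* longer than the caller's buffer: truncate */
  {
    memcpy(string, *buffer, (size_t)(strsize - 1));
    string[strsize - 1] = '\0';
  }
  *buffer += length;                  /* advance only past bytes that really exist */
  return 0;
}

int main(void)
{
  /* Constructed sample packet tail: OCTET STRING payload "hp" plus two bytes. */
  const unsigned char pkt[] = { 'h', 'p', 0x02, 0x01 };
  const unsigned char *p = pkt;
  char out[8];
  int lengths[] = { 2, -1, 9 };       /* valid, negative (the CVE), past end of packet */
  for (int i = 0; i < 3; i++)
  {
    int rc = safe_asn1_get_string(&p, pkt + sizeof pkt, lengths[i], out, sizeof out);
    printf("length %2d -> rc=%d string=\"%s\" consumed=%d\n", lengths[i], rc, out, (int)(p - pkt));
  }
  return 0;
}
```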
--- Begin Message ---
- To: 457453-close@bugs.debian.org
- Subject: Bug#457453: fixed in cupsys 1.3.5-1
- From: Kenshi Muto <kmuto@debian.org>
- Date: Sun, 23 Dec 2007 03:02:03 +0000
- Message-id: <E1J6H6J-0003jd-RB@ries.debian.org>
Source: cupsys
Source-Version: 1.3.5-1

We believe that the bug you reported is fixed in the latest version of cupsys, which is due to be installed in the Debian FTP archive:

cupsys-bsd_1.3.5-1_amd64.deb to pool/main/c/cupsys/cupsys-bsd_1.3.5-1_amd64.deb
cupsys-client_1.3.5-1_amd64.deb to pool/main/c/cupsys/cupsys-client_1.3.5-1_amd64.deb
cupsys-common_1.3.5-1_all.deb to pool/main/c/cupsys/cupsys-common_1.3.5-1_all.deb
cupsys-dbg_1.3.5-1_amd64.deb to pool/main/c/cupsys/cupsys-dbg_1.3.5-1_amd64.deb
cupsys_1.3.5-1.diff.gz to pool/main/c/cupsys/cupsys_1.3.5-1.diff.gz
cupsys_1.3.5-1.dsc to pool/main/c/cupsys/cupsys_1.3.5-1.dsc
cupsys_1.3.5-1_amd64.deb to pool/main/c/cupsys/cupsys_1.3.5-1_amd64.deb
cupsys_1.3.5.orig.tar.gz to pool/main/c/cupsys/cupsys_1.3.5.orig.tar.gz
libcupsimage2-dev_1.3.5-1_amd64.deb to pool/main/c/cupsys/libcupsimage2-dev_1.3.5-1_amd64.deb
libcupsimage2_1.3.5-1_amd64.deb to pool/main/c/cupsys/libcupsimage2_1.3.5-1_amd64.deb
libcupsys2-dev_1.3.5-1_amd64.deb to pool/main/c/cupsys/libcupsys2-dev_1.3.5-1_amd64.deb
libcupsys2_1.3.5-1_amd64.deb to pool/main/c/cupsys/libcupsys2_1.3.5-1_amd64.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 457453@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kenshi Muto <kmuto@debian.org> (supplier of updated cupsys package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Wed, 19 Dec 2007 17:07:05 +0900
Source: cupsys
Binary: libcupsys2-dev cupsys libcupsys2 libcupsimage2 cupsys-common cupsys-client cupsys-dbg cupsys-bsd libcupsimage2-dev
Architecture: source amd64 all
Version: 1.3.5-1
Distribution: unstable
Urgency: high
Maintainer: Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>
Changed-By: Kenshi Muto <kmuto@debian.org>
Description:
 cupsys - Common UNIX Printing System(tm) - server
 cupsys-bsd - Common UNIX Printing System(tm) - BSD commands
 cupsys-client - Common UNIX Printing System(tm) - client programs (SysV)
 cupsys-common - Common UNIX Printing System(tm) - common files
 cupsys-dbg - Common UNIX Printing System(tm) - debugging symbols
 libcupsimage2 - Common UNIX Printing System(tm) - image libs
 libcupsimage2-dev - Common UNIX Printing System(tm) - image development files
 libcupsys2 - Common UNIX Printing System(tm) - libs
 libcupsys2-dev - Common UNIX Printing System(tm) - development files
Closes: 456960 457453
Changes:
 cupsys (1.3.5-1) unstable; urgency=high
 .
   [ Kenshi Muto ]
   * New upstream release
     - cups-stops-broadcasting-on-HUP-with-explicit-BrowseAddress patch is merged.
     - Fix that SNMP backend did not check for negative string lengths. (CVE-2007-5849, closes: #457453).
   * Update pdftops.pl to 1.20. It fixes overwriting arbitrary files via symlink attack. (CVE-2007-6358, closes: #456960)
 .
   [ Till Kamppeter ]
   * debian/patches/fix_regression_reactivate_net_ifaces_changes_detection.dpatch: Fix a regression in upstream code that has removed the network interface update poll (CUPS STR #2631, LP: #177075). Thanks to Hugues Fournier (hugues dot fournier at gmail dot com) for the patch.
--- End Message ---