
Bug#457453: marked as done (cupsys: CVE-2007-5849 stack-based buffer overflow leading to code execution in SNMP back-end)



Your message dated Sun, 23 Dec 2007 03:02:03 +0000
with message-id <E1J6H6J-0003jd-RB@ries.debian.org>
and subject line Bug#457453: fixed in cupsys 1.3.5-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: cupsys
Version: 1.2.7-4etch1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cupsys.

CVE-2007-5849[0]:
| Integer underflow in the asn1_get_string function in the SNMP back end
| for CUPS allows remote attackers to execute arbitrary code via a
| crafted SNMP response that triggers a stack-based buffer overflow.

I attached a patch which fixes this problem.
Sarge is not affected by this as the SNMP backend was 
introduced later.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5849

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -Naur cups-1.3.4/backend/snmp.c cups-1.3.4.new/backend/snmp.c
--- cups-1.3.4/backend/snmp.c	2007-07-11 23:46:42.000000000 +0200
+++ cups-1.3.4.new/backend/snmp.c	2007-12-10 12:56:12.680574919 +0100
@@ -1064,18 +1064,38 @@
     char          *string,		/* I  - String buffer */
     int           strsize)		/* I  - String buffer size */
 {
-  if (length < strsize)
+  if (length < 0)
   {
-    memcpy(string, *buffer, length);
+   /*
+    * Disallow negative lengths!
+    */
+
+    fprintf(stderr, "ERROR: Bad ASN1 string length %d!\n", length);
+    *string = '\0';
+  }
+  else if (length < strsize)
+  {
+   /*
+    * String is smaller than the buffer...
+    */
+
+    if (length > 0)
+      memcpy(string, *buffer, length);
+
     string[length] = '\0';
   }
   else
   {
+   /*
+    * String is larger than the buffer...
+    */
+
     memcpy(string, buffer, strsize - 1);
     string[strsize - 1] = '\0';
   }
 
-  (*buffer) += length;
+  if (length > 0)
+    (*buffer) += length;
 
   return (string);
 }
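Review bot: the `else` branch still reads `memcpy(string, buffer, strsize - 1);` while the branch above it copies from `*buffer`; `buffer` is the pointer-to-pointer parameter, so when the string is too long for the destination this copies strsize-1 bytes from the address of the caller's pointer variable rather than from the packet, an out-of-bounds read of the caller's stack instead of a truncated copy. Suggest `memcpy(string, *buffer, strsize - 1);` to match the other branch. Also, the new guard only bounds `length` against the destination: nothing in this hunk checks it against the bytes remaining in the received packet, so a positive length larger than what is left still makes memcpy() read past the end of the datagram and `(*buffer) += length` advance past it; rejecting a length greater than the remaining input alongside the `length < 0` check would close that.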



--- End Message ---
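The overflow described in the report above, as an added example that is not part of the bug report or of CUPS: a small BER OCTET STRING reader shaped like backend/snmp.c's asn1_get_string(). It shows how a four-byte wire length with the top bit set comes back as a negative int, why the pre-1.3.5 guard (`length < strsize` alone) lets that negative value reach memcpy() as a huge size_t, and a hardened reader that rejects both negative lengths and lengths that run past the end of the packet. The function and constant names, the length decoder and the packets are this example's own constructions, not CUPS code or captured traffic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ASN1_OCTET_STRING 0x04   /* BER tag for OCTET STRING */

/*
 * Decode a BER length at *buffer and advance past it.  Short form: one byte
 * below 0x80.  Long form: 0x80|N followed by N big-endian bytes.  The value is
 * accumulated in 32 bits and handed back as int, so four bytes with the top
 * bit set come back negative (assumes two's-complement int).  Returns -1 if
 * the packet ends before the length does or the length is wider than 4 bytes.
 */
int asn1_get_length(const unsigned char **buffer, const unsigned char *bufend)
{
    unsigned int acc;
    int          count;

    if (*buffer >= bufend)
        return -1;

    acc = *(*buffer)++;
    if (acc & 0x80)
    {
        count = (int)(acc & 0x7f);
        if (count > 4)
            return -1;
        for (acc = 0; count > 0; count--)
        {
            if (*buffer >= bufend)
                return -1;
            acc = (acc << 8) | *(*buffer)++;
        }
    }
    return (int)acc;                     /* 0xfffffff0 becomes -16 */
}

/*
 * The pre-1.3.5 guard was only 'length < strsize'.  A negative length passes
 * it and memcpy() is handed (size_t)length, a count of billions of bytes:
 * the stack-based overflow of CVE-2007-5849.  The count is returned rather
 * than used so the example runs without crashing.
 */
size_t unpatched_memcpy_count(int length, int strsize)
{
    if (length < strsize)
        return (size_t)length;           /* -16 becomes SIZE_MAX - 15 */
    return (size_t)(strsize - 1);
}

/*
 * Hardened reader.  Rejects negative lengths (the 1.3.5 fix) and also a
 * length that runs past the end of the packet, which the posted patch does
 * not check.  Copies at most strsize-1 bytes and always NUL-terminates.
 * Returns the number of bytes stored, or -1 on error.
 */
int asn1_get_string(const unsigned char **buffer, const unsigned char *bufend,
                    int length, char *string, int strsize)
{
    size_t copy;

    if (strsize <= 0)
        return -1;
    if (length < 0 || length > bufend - *buffer)
    {
        fprintf(stderr, "ERROR: Bad ASN1 string length %d!\n", length);
        *string = '\0';
        return -1;
    }
    copy = (size_t)length;
    if (copy >= (size_t)strsize)
        copy = (size_t)strsize - 1;      /* truncate, keep room for the NUL */
    memcpy(string, *buffer, copy);
    string[copy] = '\0';
    *buffer += length;                   /* skip the whole element, copied or not */
    return (int)copy;
}

/* Read one OCTET STRING TLV at the start of pkt into string. */
int read_octet_string(const unsigned char *pkt, size_t pktlen,
                      char *string, int strsize)
{
    const unsigned char *p   = pkt;
    const unsigned char *end = pkt + pktlen;
    int                  length;

    if (p >= end || *p++ != ASN1_OCTET_STRING)
        return -1;
    length = asn1_get_length(&p, end);
    return asn1_get_string(&p, end, length, string, strsize);
}

/* Constructed packets for the example, not captured SNMP traffic. */
const unsigned char PKT_GOOD[]     = { 0x04, 0x05, 'h', 'e', 'l', 'l', 'o' };
const unsigned char PKT_NEGATIVE[] = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xf0 };
const unsigned char PKT_OVERLONG[] = { 0x04, 0x0a, 'a', 'b' };

int main(void)
{
    char                 out[64];
    const unsigned char *p   = PKT_NEGATIVE + 1;   /* just past the tag */
    int                  len = asn1_get_length(&p, PKT_NEGATIVE + sizeof(PKT_NEGATIVE));

    printf("decoded length: %d\n", len);
    printf("unpatched memcpy count: %zu\n", unpatched_memcpy_count(len, (int)sizeof(out)));
    printf("good: %d \"%s\"\n", read_octet_string(PKT_GOOD, sizeof(PKT_GOOD), out, (int)sizeof(out)), out);
    printf("negative: %d\n", read_octet_string(PKT_NEGATIVE, sizeof(PKT_NEGATIVE), out, (int)sizeof(out)));
    printf("overlong: %d\n", read_octet_string(PKT_OVERLONG, sizeof(PKT_OVERLONG), out, (int)sizeof(out)));
    return 0;
}
```

The two checks in asn1_get_string() are deliberately independent of the decoder: even if a later change to the length decoder can never produce a negative value, the string reader still refuses to trust a count it cannot satisfy from the bytes remaining in the packet.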
--- Begin Message ---
Source: cupsys
Source-Version: 1.3.5-1

We believe that the bug you reported is fixed in the latest version of
cupsys, which is due to be installed in the Debian FTP archive:

cupsys-bsd_1.3.5-1_amd64.deb
  to pool/main/c/cupsys/cupsys-bsd_1.3.5-1_amd64.deb
cupsys-client_1.3.5-1_amd64.deb
  to pool/main/c/cupsys/cupsys-client_1.3.5-1_amd64.deb
cupsys-common_1.3.5-1_all.deb
  to pool/main/c/cupsys/cupsys-common_1.3.5-1_all.deb
cupsys-dbg_1.3.5-1_amd64.deb
  to pool/main/c/cupsys/cupsys-dbg_1.3.5-1_amd64.deb
cupsys_1.3.5-1.diff.gz
  to pool/main/c/cupsys/cupsys_1.3.5-1.diff.gz
cupsys_1.3.5-1.dsc
  to pool/main/c/cupsys/cupsys_1.3.5-1.dsc
cupsys_1.3.5-1_amd64.deb
  to pool/main/c/cupsys/cupsys_1.3.5-1_amd64.deb
cupsys_1.3.5.orig.tar.gz
  to pool/main/c/cupsys/cupsys_1.3.5.orig.tar.gz
libcupsimage2-dev_1.3.5-1_amd64.deb
  to pool/main/c/cupsys/libcupsimage2-dev_1.3.5-1_amd64.deb
libcupsimage2_1.3.5-1_amd64.deb
  to pool/main/c/cupsys/libcupsimage2_1.3.5-1_amd64.deb
libcupsys2-dev_1.3.5-1_amd64.deb
  to pool/main/c/cupsys/libcupsys2-dev_1.3.5-1_amd64.deb
libcupsys2_1.3.5-1_amd64.deb
  to pool/main/c/cupsys/libcupsys2_1.3.5-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 457453@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kenshi Muto <kmuto@debian.org> (supplier of updated cupsys package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 19 Dec 2007 17:07:05 +0900
Source: cupsys
Binary: libcupsys2-dev cupsys libcupsys2 libcupsimage2 cupsys-common cupsys-client cupsys-dbg cupsys-bsd libcupsimage2-dev
Architecture: source amd64 all
Version: 1.3.5-1
Distribution: unstable
Urgency: high
Maintainer: Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>
Changed-By: Kenshi Muto <kmuto@debian.org>
Description: 
 cupsys     - Common UNIX Printing System(tm) - server
 cupsys-bsd - Common UNIX Printing System(tm) - BSD commands
 cupsys-client - Common UNIX Printing System(tm) - client programs (SysV)
 cupsys-common - Common UNIX Printing System(tm) - common files
 cupsys-dbg - Common UNIX Printing System(tm) - debugging symbols
 libcupsimage2 - Common UNIX Printing System(tm) - image libs
 libcupsimage2-dev - Common UNIX Printing System(tm) - image development files
 libcupsys2 - Common UNIX Printing System(tm) - libs
 libcupsys2-dev - Common UNIX Printing System(tm) - development files
Closes: 456960 457453
Changes: 
 cupsys (1.3.5-1) unstable; urgency=high
 .
   [ Kenshi Muto ]
   * New upstream release
     - cups-stops-broadcasting-on-HUP-with-explicit-BrowseAddress patch is
       merged.
     - Fix that SNMP backend did not check for negative string lengths.
       (CVE-2007-5849, closes: #457453).
   * Update pdftops.pl to 1.20. It fixes overwriting arbitrary files
     via symlink attack. (CVE-2007-6358, closes: #456960)
 .
   [ Till Kamppeter ]
   * debian/patches/fix_regression_reactivate_net_ifaces_changes_detection.dpatch :
     Fix a regression in upstream code that has removed the network interface
     update poll (CUPS STR #2631, LP: #177075). Thanks to Hugues Fournier
     (hugues dot fournier at gmail dot com) for the patch.
Files: 
 34ab1da2ab94b95ebdb75c6724575a89 1178 net optional cupsys_1.3.5-1.dsc
 7ceefb2be5e7c88fb243f587928251c1 4866646 net optional cupsys_1.3.5.orig.tar.gz
 4be5c1a0e97ecd01ded0df65a8759588 108040 net optional cupsys_1.3.5-1.diff.gz
 0726baffe8ed70d54bf06628f05241bb 1122672 net optional cupsys-common_1.3.5-1_all.deb
 039e94a80c0d3088dac65440c053c307 167480 libs optional libcupsys2_1.3.5-1_amd64.deb
 49f0732c95b805ebe5565fba82e0267d 88714 libs optional libcupsimage2_1.3.5-1_amd64.deb
 98489f3cd0a5f888c406d78f7cba830c 2095728 net optional cupsys_1.3.5-1_amd64.deb
 d4a4f0d523d8c422e6632241fa5be97b 88306 net optional cupsys-client_1.3.5-1_amd64.deb
 3429f845eeedc4233031f82a18f964d7 148854 libdevel optional libcupsys2-dev_1.3.5-1_amd64.deb
 7e8ecd59e0fa01e34a0032341e97ae35 59126 libdevel optional libcupsimage2-dev_1.3.5-1_amd64.deb
 a604f726aa3aae6bcd82b2c604d86f5d 37158 net extra cupsys-bsd_1.3.5-1_amd64.deb
 83c2f6120aa460c234191ecd1515e514 1123550 libdevel extra cupsys-dbg_1.3.5-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iEYEARECAAYFAkdty0AACgkQQKW+7XLQPLF7dACfVnnMGg4ZPIa4f+Z1O6gtDcCe
YM0AoIK1SLqt+Juu9kPTq3fsrlqi+S8/
=zyHV
-----END PGP SIGNATURE-----



--- End Message ---
