[Sun] Schwachstellen im Common Unix Printing System (CUPS) - Sun Alert ID: 57646

win-sec-ssc at dfn-cert.de win-sec-ssc at dfn-cert.de
Tue Oct 12 13:41:04 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----

Liebe Kolleginnen und Kollegen,

soeben erreichte uns das nachfolgende Bulletin des SUN Customer Warning
System. Wir geben diese Informationen unveraendert an Sie weiter.

Das Paket foomatic-filters enthaelt eine Reihe von Filtern fuer den
Betrieb von Druckern und wird oft zusammen mit dem cups-Printserver
(cupsd) installiert.

CAN-2004-0801 - Remote Code-Ausfuehrung durch Schwachstelle in
foomatic-filters

  Ein Fehler im Filter foomatic-rip, der Bestandteil des Pakets
  foomatic-filters ist, ermoeglicht einem entfernten Angreifer,
  beliebige Befehle mit den Berechtigungen des cups-Printservers (im
  Allgemeinen "lp") auszufuehren. Dazu muss der Angreifer jedoch Zugriff
  auf den Printserver haben (Berechtigung zum Drucken ueber einen ACL
  Eintrag).

CAN-2004-0558 - Denial of Service durch Schwachstelle in cupsd

  Ein Fehler bei der Verarbeitung von UDP-Paketen durch cupsd
  ermoeglicht einem entfernten Angreifer, den Printserver teilweise
  ausser Funktion zu setzen.

  Sendet er ein leeres UDP-Paket an Port 631 eines im Netzwerk
  erreichbaren Printservers, so kann cupsd entfernte Drucker nicht mehr
  ansprechen (Denial of Service).


Betroffen sind die folgenden Software Pakete und Plattformen:

  CUPS Versionen vor inkl. cups-libs-1.1.15-150

in

  Sun Java Desktop System (JDS) 2003 ohne patch-9321
  Sun Java Desktop System (JDS) Release 2 ohne patch-9321 
  
Sun Java Desktop System (JDS) fuer Solaris ist *nicht* betroffen.

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,


           Jan Kohlrausch, DFN-CERT

- --
Jan Kohlrausch (CSIRT), DFN-CERT Services GmbH
Web: https://www.dfn-cert.de/, Phone: +49-40-808077-555
PGP RSA/2048, A5DD03D1, A2 55 1C 51 0A 30 3E 78  5B 40 DA B7 14 F7 C9 E8


*Document ID:*	57646
*Title:*	Document ID 57646
*Synopsis:*	Security Vulnerabilities in Common Unix Printing System
(CUPS) May Allow a Remote Unprivileged User to Execute Arbitrary Code
*Update Date:*	2004-10-11

- ------------------------------------------------------------------------
*Description*	*Top <#top>*


    Sun(sm) Alert Notification

    * Sun Alert ID: 57646
    * Synopsis: Security Vulnerabilities in Common Unix Printing System
      (CUPS) May Allow a Remote Unprivileged User to Execute Arbitrary Code
    * Category: Security
    * Product: Sun Java Desktop System (JDS)
    * BugIDs: 5102516
    * Avoidance: Patch
    * State: Resolved
    * Date Released: 07-Oct-2004
    * Date Closed: 07-Oct-2004
    * Date Modified: 


    1. Impact

Due to improper command line and environment variable validation, a
remote or local unprivileged user may be able to execute arbitrary
commands with the privileges of the CUPS daemon (cupsd(8)), which is
typically the unprivileged "lp" user. Furthermore, a remote Denial of
Service (DoS) condition within CUPS may allow remote unprivileged users
to cause the CUPS server to become unresponsive.

*Note:* The Common Unix Printing System (CUPS) is a cross-platform
printing solution for all UNIX environments. It is based on the Internet
Printing Protocol (IPP) and provides complete printing services to most
PostScript and raster printers.

These issues are described in the following documents:

    * SUSE-SA:2004:031 at http://www.suse.com/de/security/2004_31_cups.html
    * CAN-2004-0801 at
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0801
    * CAN-2004-0558 at
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558 


    2. Contributing Factors

These issues can occur in the following releases:

*Linux*

    * Sun Java Desktop System (JDS) 2003 without the updated RPMs
      (patch-9321)
    * Sun Java Desktop System (JDS) Release 2 without the updated RPMs
      (patch-9321) 

*Note:* JDS for Solaris is not impacted by these issues.

These issues only occur with CUPS versions cups-libs-1.1.15-150 or earlier.

To determine the release of JDS for Linux installed on a system, the
following command can be run:

    % *cat /etc/sun-release*    
    Sun Java Desktop System, Release 2 -build 10b (GA)
    Assembled 30 March 2004                                                            

To determine the version of CUPS, the following command can be run:

    % *rpm -qf /usr/lib/libcups.so.2*
    cups-libs-1.1.15-1                  


    3. Symptoms

There are no reliable symptoms that would show the buffer overflow issue
described has been exploited. The CUPS daemon cupsd(8) will become
unresponsive when the Denial of Service (DoS) attack has been exploited.

*Solution Summary*	*Top <#top>*


    4. Relief/Workaround

There is no workaround. Please see the "Resolution" section below.


    5. Resolution

These issues are addressed in the following releases:

*Linux*

    * Sun Java Desktop System (JDS) 2003 with the updated RPMs (patch-9321)
    * Sun Java Desktop System (JDS) Release 2 with the updated RPMs
      (patch-9321) 

To download and install the updated RPMs from the update servers select
the following from the launch bar:

    Launch >> Applications >> System Tools >> Online Update                                                            

For more information on obtaining updates see:

    * http://wwws.sun.com/software/javadesktopsystem/faq.html#5q5
    * http://wwws.sun.com/software/javadesktopsystem/faq.html#5q7 

/This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun
Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements./

/Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved./

*Applies To*	

*Attachments*
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (SunOS)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iQEVAwUBQWvCFeI9ttyl3QPRAQF7UAgAnah76ECPRSnIEUbkh/XcBofmFCKGxj+m
vUA1vakLgSGh8IH42GF6vtX+nkfFf8D/FoILRFjgrV1ZytdT9UozYUqljAoyqZQ1
uU47nVLwOjcY/xYNVDAw/mEH6cm514etWhkKfcu8DEDLYtt8fGYscJU5WmdQzn2B
ib2zmm9YZh809hojxqO5smCBhZQxeo7kozPxWINv90D8I3EV8/9zuTpSerd+nhS0
NflVUoqIez5xvlMCbtUNKk5PkZhrDwe9vSRkz8QLV9tCF9L3JUXJvnPnJ/m7v8Ky
6eH/e6hqur710rGCxyPQa8SXIwmopu9jQgsVtrxR6IzjXD/vygSk8A==
=PDCd
-----END PGP SIGNATURE-----




More information about the Security-Announce mailing list