Date: Fri, 18 Jun 2010 19:13:06 +0200 (CEST)
From: dirk.meyer@dinoex.sub.org
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/147978: print/cups-base CVE-2010-0302
Message-ID: <201006181713.o5IHD6Ex043188@home3.dinoex.sub.de>
Resent-Message-ID: <201006181720.o5IHK4aa093592@freefall.freebsd.org>
>Number: 147978
>Category: ports
>Synopsis: print/cups-base CVE-2010-0302
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Fri Jun 18 17:20:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Dirk Meyer
>Release: FreeBSD 8.1-PRERELEASE
>Organization: privat
>Environment:
>Description:
Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553.

http://www.cups.org/articles.php?L596
http://secunia.com/advisories/cve_reference/CVE-2010-0302/

The code of the shared libs is not affected. Therefore the fix is not urgent.
>How-To-Repeat:
Update needs approval from portmgr@
>Fix:
Please approve one of the patches below.
a) small fix to fix the vulnerability
b) update to 1.4.4
Impact: dependent packages will need a rebuild, to have the new version number recorded in the dependency.

a)
Index: Makefile =================================================================== RCS file: /home/pcvs/ports/print/cups-base/Makefile,v retrieving revision 1.141 diff -u -r1.141 Makefile --- Makefile 5 Jun 2010 19:53:31 -0000 1.141 +++ Makefile 18 Jun 2010 17:06:07 -0000 
@@ -89,6 +89,7 @@ PKGMESSAGE= ${NONEXISTENT} DESCR= ${MASTERDIR}/pkg-descr.image .else +PORTREVISION= 1 CONFLICTS+= cupsddk-* CUPS_SUFFIX= -base LIB_DEPENDS+= cups.2:${PORTSDIR}/${PKGCATEGORY}/cups-client \ Index: files/patch-CVE-2009-3553 =================================================================== RCS file: files/patch-CVE-2009-3553 diff -N files/patch-CVE-2009-3553 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-CVE-2009-3553 18 Jun 2010 17:06:07 -0000 @@ -0,0 +1,36 @@ +From b6b656f4b431574069d5b17dc6d3d44910269bb9 Mon Sep 17 00:00:00 2001 +From: Tim Waugh <twaugh@redhat.com> +Date: Wed, 3 Feb 2010 16:07:11 +0000 +Subject: [PATCH] More complete fix for CVE-2009-3553. + +--- + scheduler/select.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/scheduler/select.c b/scheduler/select.c +index 21a6edc..a2451a5 100644 +--- scheduler/select.c ++++ scheduler/select.c +@@ -454,7 +454,8 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */ + if (fdptr->read_cb && event->filter == EVFILT_READ) + (*(fdptr->read_cb))(fdptr->data); + +- if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE) ++ if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE && ++ !cupsArrayFind(cupsd_inactive_fds, fdptr)) + (*(fdptr->write_cb))(fdptr->data); + + release_fd(fdptr); +@@ -500,7 +501,8 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */ + (*(fdptr->read_cb))(fdptr->data); + + if (fdptr->use > 1 && fdptr->write_cb && +- (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP))) ++ (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)) && ++ !cupsArrayFind(cupsd_inactive_fds, fdptr)) + (*(fdptr->write_cb))(fdptr->data); + + release_fd(fdptr); +-- +1.6.6 + b) diff -ur --exclude=CVS --exclude=Makefile.local ./Makefile /usr/ports/current/cups-base/Makefile --- ./Makefile 2010-06-18 19:05:30.000000000 +0200 +++ /usr/ports/current/cups-base/Makefile 2010-06-18 13:18:21.000000000 +0200 
@@ -6,7 +6,7 @@ # PORTNAME= cups -PORTVERSION= 1.4.3 +PORTVERSION= 1.4.4 DISTVERSIONSUFFIX= -source PORTREVISION= 0 CATEGORIES= print diff -ur --exclude=CVS --exclude=Makefile.local ./distinfo /usr/ports/current/cups-base/distinfo --- ./distinfo 2010-04-02 05:47:19.000000000 +0200 +++ /usr/ports/current/cups-base/distinfo 2010-06-18 13:18:45.000000000 +0200 @@ -1,3 +1,3 @@ -MD5 (cups-1.4.3-source.tar.bz2) = e70b1c3f60143d7310c1d74c111a21ab -SHA256 (cups-1.4.3-source.tar.bz2) = 47a559b1c50192b94479ae7dab132ea0008727045d4993501cf0a6df0c64db97 -SIZE (cups-1.4.3-source.tar.bz2) = 4461101 +MD5 (cups-1.4.4-source.tar.bz2) = 8776403ad60fea9e85eab9c04d88560d +SHA256 (cups-1.4.4-source.tar.bz2) = d25ffa35add3abeeec0eba60be2cffc89425b649c64ef3a73dfc724683a59aa3 +SIZE (cups-1.4.4-source.tar.bz2) = 4472741 >Release-Note: >Audit-Trail: >Unformatted:
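Review bot: in option a) the `+PORTREVISION= 1` line sits under the `.else` branch only, so just the cups-base build is bumped; that matches the statement in the description that the shared libraries are unaffected, but the reason for the bump is not recorded anywhere in the hunk. A short comment beside the line, or at least the CVE id in the commit log, would keep it traceable when the line is dropped again on the next PORTVERSION update.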
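Review bot: in files/patch-CVE-2009-3553 the added `!cupsArrayFind(cupsd_inactive_fds, fdptr)` test guards only the write callback in each of the two cupsdDoSelect hunks; the read callback just above it still runs unconditionally, so the fix depends on the read callback being the step that moves a disconnected client's fd onto `cupsd_inactive_fds` before the write path is evaluated, which is the ordering both hunks show and why the earlier `fdptr->use > 1` test alone was not enough. The kqueue and epoll branches receive the identical check, as they should, since the advisory covers both. Note that the file is named after the upstream subject line (CVE-2009-3553) while this PR is filed for CVE-2010-0302; mentioning both ids in the commit log, or in a header comment in the patch file, would help anyone auditing the port against the 2010 advisory.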
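Review bot: option b) changes `PORTVERSION= 1.4.3` to `1.4.4` and leaves `PORTREVISION= 0`, which is the right combination for a version update, and distinfo carries a matching MD5, SHA256 and SIZE for cups-1.4.4-source.tar.bz2. Two points for the commit log: the dependent-package rebuild mentioned under Impact follows from the version bump in this hunk and should be stated there explicitly, and option b) carries no files/patch-CVE-2009-3553, so before committing it please confirm that the 1.4.4 tarball already contains the scheduler/select.c change from option a); otherwise the port would regress on CVE-2010-0302.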