Computer Security

Related information

  Holes in cups

  CUPS ippRead() attribute name buffer overflow

  MDKSA-2001:023 - cups update

  MDKSA-2001:020 - cups update

  MDKSA-2000:070 - cups update

From: Jeff Licquia
Date: 21.06.2000
Subject: CUPS DoS Bugs

A Debian user (thanks, Alexander Hvostov!) reported a DoS bug in
Debian's CUPS packages (cupsys).  After working with the vendor on the
issue, they subsequently discovered a few more.  The original bug, at
least, is remotely exploitable.  The beta versions of CUPS 1.1 are not
vulnerable, at least since beta 3.

A patch is available from Easy Software Products at:

 ftp://ftp.easysw.com/pub/cups/1.0.5

Debian 2.1 ("slink") is unaffected, as it does not include the cupsys
packages.  Debian 2.2 ("potato") and Debian unstable ("woody") are
affected.  The fixed packages are version 1.0.4-7; they will be
installed as part of the next Test Cycle for potato.  They are also
available (for i386) at:

 http://www.debian.org/~licquia/cupsys_1.0.4-7_i386.deb
 http://www.debian.org/~licquia/cupsys-bsd_1.0.4-7_i386.deb
 http://www.debian.org/~licquia/libcupsys1_1.0.4-7_i386.deb
 http://www.debian.org/~licquia/libcupsys1-dev_1.0.4-7_i386.deb

For other architectures (or if you prefer building from source), here
is the patch to build the packages:

 http://www.debian.org/~licquia/cupsys_1.0.4-7.diff.gz

My thanks to the original reporter of the bug, Alexander Hvostov, for
his patience, and to Easy Software Products and Michael Sweet for
being both responsive and responsible.

Here is the blurb from the top of the vendor patch file:
-----

CUPS 1.0.5 Denial of Service Patch Set #1 - 06/16/2000
------------------------------------------------------

This patch file fixes potential Denial-of-Service bugs in CUPS 1.0.5.
These fixes are also part of CUPS 1.1b3 and beyond.

Specific DoS fixes:  

   - Malformed IPP requests could crash cupsd.
   - Standard CGI form POSTs could crash cupsd.
   - The cupsd program did not always delete request files when
     needed.
   - Authenticating with a non-existent user or a user with
     no shadow password could crash cupsd.

This patch set also includes:

   - cupsSystem() didn't close the cupsd.conf file.
   - The texttops filter made underlines that were too
     thick.
   - The lpstat command didn't show a device for remote
     printers, and would stop the listing prematurely.
   - The lpstat command didn't show printers after the
     first printer with an active job.
   - Remote raw IPP printing didn't pass the raw option
     properly.

Please report any problems with this patch to "cups-support@cups.org".

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


