Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

phpcups: Unchecked strcpy leads to buffer overflow #1102

Closed
michaelrsweet opened this issue Mar 4, 2005 · 3 comments
Closed

phpcups: Unchecked strcpy leads to buffer overflow #1102

michaelrsweet opened this issue Mar 4, 2005 · 3 comments
Labels
Milestone

Comments

@michaelrsweet
Copy link
Collaborator

@michaelrsweet michaelrsweet commented Mar 4, 2005

Version: 1.1.23rc1
CUPS.org User: KrispyKringle

In multiple functions included in the phpcups PHP module, function parameter lengths are not checked before being strcpy'ed into a fixed-length buffer. This allows a classic stack pointer overwrite and remote code execuution, were an attacker able to control input to those functions (say, through a web page that exposes the vulnerable functions).

An example is "cups_get_dest_options", in phpcups.c on lines 308-313. Multiple other functions in this same file commit the same error.

Clearly, these are unlikely to be exploited, but probably ought to be fixed in a timely manner. We probably will not bother to issue a security advisory ourselves, however, since phpcups is not enabled in Gentoo distributions by default.

Credit for this goes to Florian Schilhabel of the Gentoo Security Audit Team.

@michaelrsweet
Copy link
Collaborator Author

@michaelrsweet michaelrsweet commented Mar 4, 2005

CUPS.org User: mike

Thanks for the report; currently none of the scripting code is actually installed or built by the CUPS makefiles, it is more of a "contrib" style thing, but we will make sure this is fixed.

@michaelrsweet
Copy link
Collaborator Author

@michaelrsweet michaelrsweet commented Apr 27, 2005

CUPS.org User: mike

@michaelrsweet
Copy link
Collaborator Author

@michaelrsweet michaelrsweet commented Feb 25, 2006

CUPS.org User: mike

Fixed in Subversion repository.

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant