phpcups: Unchecked strcpy leads to buffer overflow #1102
Closed
CUPS.org User: mike
Thanks for the report; currently none of the scripting code is actually installed or built by the CUPS makefiles, it is more of a "contrib" style thing, but we will make sure this is fixed.

CUPS.org User: mike

CUPS.org User: mike
Fixed in Subversion repository.
Version: 1.1.23rc1
CUPS.org User: KrispyKringle
In multiple functions included in the phpcups PHP module, function parameter lengths are not checked before being strcpy'ed into a fixed-length buffer. This allows a classic stack pointer overwrite and remote code execution, were an attacker able to control input to those functions (say, through a web page that exposes the vulnerable functions).
An example is "cups_get_dest_options", in phpcups.c on lines 308-313. Multiple other functions in this same file commit the same error.
Clearly, these are unlikely to be exploited, but probably ought to be fixed in a timely manner. We probably will not bother to issue a security advisory ourselves, however, since phpcups is not enabled in Gentoo distributions by default.
Credit for this goes to Florian Schilhabel of the Gentoo Security Audit Team.
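The pattern the report describes, next to a length-checked form, as an added example that is not code from phpcups.c or the CUPS project. The function names, the 1024-byte buffer size and the reject-instead-of-truncate policy are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define DEST_BUF_SIZE 1024  /* assumed size; not taken from phpcups.c */

/* Pattern from the report: a caller-controlled string is copied into a
 * fixed-length stack buffer with no length check. Shown for contrast. */
size_t lookup_unchecked(const char *name)
{
    char buf[DEST_BUF_SIZE];
    strcpy(buf, name);          /* writes past buf when strlen(name) >= 1024 */
    return strlen(buf);
}

/* Bounded copy that rejects oversized input rather than truncating it.
 * PHP hands extension code a pointer plus an explicit length, so the
 * check uses that length and also refuses embedded NUL bytes, which
 * would make the C view of the string differ from the PHP view.
 * Returns 0 on success, -1 on rejection (dst is left as ""). */
int copy_param(char *dst, size_t dstsize, const char *src, size_t srclen)
{
    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL || srclen >= dstsize)   /* need room for the NUL */
        return -1;
    if (memchr(src, '\0', srclen) != NULL)
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Hardened counterpart of lookup_unchecked: returns the copied length,
 * or -1 when the parameter is rejected before any copy takes place. */
long lookup_checked(const char *name, size_t name_len)
{
    char buf[DEST_BUF_SIZE];
    if (copy_param(buf, sizeof(buf), name, name_len) != 0)
        return -1;
    return (long)strlen(buf);
}
```

Rejecting the request on overflow keeps a silently truncated destination name from being used further down the call chain.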