Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2010-0302: Incomplete fix for CVE-2009-3553 (STR #3200) #3490

Closed
michaelrsweet opened this issue Feb 3, 2010 · 3 comments
Closed

CVE-2010-0302: Incomplete fix for CVE-2009-3553 (STR #3200) #3490

michaelrsweet opened this issue Feb 3, 2010 · 3 comments
Labels
priority-medium
Milestone
Stable

Comments

@michaelrsweet
Copy link
Collaborator

@michaelrsweet michaelrsweet commented Feb 3, 2010

Version: 1.4.2
CUPS.org User: twaugh.redhat

The patch for STR #3200 is not complete for systems that use kqueue or epoll.

The cause is that the cupsdDoSelect() function uses one of several implementations depending on the underlying select/poll capabilities of the operating system. For kqueue and epoll implementations, cupsdRemoveSelect() does not immediately decrease the reference count for the file descriptor and instead adds it to the cupsd_inactive_fds array. File descriptors in that array are finally dereferenced just before cupsdDoSelect() returns.

The previous fix for CVE-2009-3553 was to check that another reference was held for the file descriptor before calling the write_cb function; however, that will always be the case for both the epoll and kqueue implementations.

The correct fix is to check whether the file descriptor is in the cupsd_inactive_fds array before calling the write_cb function.
@michaelrsweet
Copy link
Collaborator Author

@michaelrsweet michaelrsweet commented Feb 5, 2010

CUPS.org User: mike

Thanks, looking at this...

@michaelrsweet
Copy link
Collaborator Author

@michaelrsweet michaelrsweet commented Feb 5, 2010

CUPS.org User: mike

Verified this is the correct fix. Thanks!

@michaelrsweet
Copy link
Collaborator Author

@michaelrsweet michaelrsweet commented Jun 16, 2010

"0001-More-complete-fix-for-CVE-2009-3553.patch":

From b6b656f4b431574069d5b17dc6d3d44910269bb9 Mon Sep 17 00:00:00 2001
From: Tim Waugh twaugh@redhat.com
Date: Wed, 3 Feb 2010 16:07:11 +0000
Subject: [PATCH] More complete fix for CVE-2009-3553.

scheduler/select.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/scheduler/select.c b/scheduler/select.c
index 21a6edc..a2451a5 100644
--- a/scheduler/select.c
+++ b/scheduler/select.c
@@ -454,7 +454,8 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds /
if (fdptr->read_cb && event->filter == EVFILT_READ)
((fdptr->read_cb))(fdptr->data);

  • if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE)

  • if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE &&

  •    !cupsArrayFind(cupsd_inactive_fds, fdptr))

    (*(fdptr->write_cb))(fdptr->data);

    release_fd(fdptr);
    @@ -500,7 +501,8 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds /
    (    (fdptr->read_cb))(fdptr->data);

    if (fdptr->use > 1 && fdptr->write_cb &&

  •   (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)))

  •        (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)) &&

  •        !cupsArrayFind(cupsd_inactive_fds, fdptr))

    (*(fdptr->write_cb))(fdptr->data);

    release_fd(fdptr);

    1.6.6

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
priority-medium
Projects
None yet
Milestone
Stable
Development

No branches or pull requests
1 participant
@michaelrsweet