CVE-2010-0302: Incomplete fix for CVE-2009-3553 (STR #3200) #3490

Closed
michaelrsweet opened this Issue Feb 3, 2010 · 3 comments

michaelrsweet commented Feb 3, 2010

Version: 1.4.2
CUPS.org User: twaugh.redhat

The patch for STR #3200 is not complete for systems that use kqueue or epoll.

The cause is that the cupsdDoSelect() function uses one of several implementations depending on the underlying select/poll capabilities of the operating system. For kqueue and epoll implementations, cupsdRemoveSelect() does not immediately decrease the reference count for the file descriptor and instead adds it to the cupsd_inactive_fds array. File descriptors in that array are finally dereferenced just before cupsdDoSelect() returns.

The previous fix for CVE-2009-3553 was to check that another reference was held for the file descriptor before calling the write_cb function; however, that will always be the case for both the epoll and kqueue implementations.

The correct fix is to check whether the file descriptor is in the cupsd_inactive_fds array before calling the write_cb function.
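To make the report's reasoning concrete, here is an added model in C of the two ways cupsdDoSelect() can guard the write callback. It is not CUPS's scheduler/select.c and is not part of this issue; model_fd_t, inactive_fds[], model_remove_select() and model_is_inactive() are simplified stand-ins for cupsd_fd_t, cupsd_inactive_fds, cupsdRemoveSelect() and cupsArrayFind(). It runs one event-loop pass for a descriptor that is both readable and writable, where the read callback removes the descriptor, and counts how often write_cb is still invoked on it under the select/poll (immediate release) and kqueue/epoll (deferred release) behaviours described above.

```c
/* Added model of the cupsdDoSelect() write-callback guard (not CUPS's
 * scheduler/select.c). Names are simplified stand-ins: model_fd_t for
 * cupsd_fd_t, inactive_fds[] for cupsd_inactive_fds, model_remove_select()
 * for cupsdRemoveSelect(), model_is_inactive() for cupsArrayFind(). */
#include <assert.h>
#include <stdio.h>

typedef enum { RELEASE_IMMEDIATE, RELEASE_DEFERRED } release_mode_t; /* select/poll vs kqueue/epoll */
typedef enum { GUARD_USE_COUNT, GUARD_INACTIVE_ARRAY } guard_t;     /* CVE-2009-3553 fix vs this patch */

typedef struct model_fd_s {
  int  fd;
  int  use;       /* reference count, as in cupsd_fd_t */
  int  removed;   /* set once model_remove_select() has run */
  void (*read_cb)(struct model_fd_s *);
  void (*write_cb)(struct model_fd_s *);
} model_fd_t;

#define MAX_INACTIVE 16
static model_fd_t *inactive_fds[MAX_INACTIVE];
static int         inactive_count;
static int         writes_after_remove;   /* the dangerous call: write_cb on a removed fd */

/* select/poll backends drop the reference at once; kqueue/epoll backends only
 * queue the fd in the inactive array and drop it after the event loop. */
static void model_remove_select(model_fd_t *f, release_mode_t mode)
{
  if (f->removed) return;
  f->removed = 1;
  if (mode == RELEASE_IMMEDIATE) {
    f->use--;
  } else {
    assert(inactive_count < MAX_INACTIVE);
    inactive_fds[inactive_count++] = f;
  }
}

static int model_is_inactive(const model_fd_t *f)
{
  for (int i = 0; i < inactive_count; i++)
    if (inactive_fds[i] == f) return 1;
  return 0;
}

static release_mode_t current_mode;   /* lets the read callback reach the mode */

/* Reading hits EOF, so the "client" is torn down and its fd removed, the
 * sequence behind CVE-2009-3553. */
static void client_read_cb(model_fd_t *f) { model_remove_select(f, current_mode); }
static void client_write_cb(model_fd_t *f) { if (f->removed) writes_after_remove++; }

/* One pass of the event loop for a single fd that is both readable and
 * writable. Returns how many times write_cb ran on the already-removed fd. */
static int model_do_select(release_mode_t mode, guard_t guard)
{
  model_fd_t f = { 7, 1, 0, client_read_cb, client_write_cb };
  int readable = 1, writable = 1;

  current_mode = mode;
  inactive_count = 0;
  writes_after_remove = 0;

  f.use++;                                   /* retain_fd(): the loop's own reference */

  if (f.read_cb && readable)
    (*f.read_cb)(&f);

  /* Original CVE-2009-3553 fix: rely on the use count alone. */
  int active = f.use > 1;
  /* This patch: additionally require the fd not to be queued for release. */
  if (guard == GUARD_INACTIVE_ARRAY)
    active = active && !model_is_inactive(&f);

  if (active && f.write_cb && writable)
    (*f.write_cb)(&f);

  f.use--;                                   /* release_fd() */
  for (int i = 0; i < inactive_count; i++)   /* deferred release on kqueue/epoll */
    inactive_fds[i]->use--;
  assert(f.use == 0);

  return writes_after_remove;
}

int main(void)
{
  printf("select/poll, use-count guard:        %d unsafe write_cb call(s)\n",
         model_do_select(RELEASE_IMMEDIATE, GUARD_USE_COUNT));
  printf("kqueue/epoll, use-count guard:       %d unsafe write_cb call(s)\n",
         model_do_select(RELEASE_DEFERRED, GUARD_USE_COUNT));
  printf("kqueue/epoll, inactive-array guard:  %d unsafe write_cb call(s)\n",
         model_do_select(RELEASE_DEFERRED, GUARD_INACTIVE_ARRAY));
  return 0;
}
```

With immediate release the use count drops to 1 inside the read callback, so `use > 1` correctly skips the write callback; with deferred release the count is still 2 at that point, the original check passes, and write_cb runs on a descriptor that has already been removed. Only the inactive-array test distinguishes the two cases.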

michaelrsweet commented Feb 5, 2010

CUPS.org User: mike

Thanks, looking at this...

michaelrsweet commented Feb 5, 2010

CUPS.org User: mike

Verified this is the correct fix. Thanks!

michaelrsweet commented Jun 16, 2010

"0001-More-complete-fix-for-CVE-2009-3553.patch":

From b6b656f4b431574069d5b17dc6d3d44910269bb9 Mon Sep 17 00:00:00 2001
From: Tim Waugh twaugh@redhat.com
Date: Wed, 3 Feb 2010 16:07:11 +0000
Subject: [PATCH] More complete fix for CVE-2009-3553.


scheduler/select.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/scheduler/select.c b/scheduler/select.c
index 21a6edc..a2451a5 100644
--- a/scheduler/select.c
+++ b/scheduler/select.c
@@ -454,7 +454,8 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds /
if (fdptr->read_cb && event->filter == EVFILT_READ)
(
(fdptr->read_cb))(fdptr->data);

  • if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE)

  • if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE &&

  •    !cupsArrayFind(cupsd_inactive_fds, fdptr))
    

    (*(fdptr->write_cb))(fdptr->data);

    release_fd(fdptr);
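Review bot: the new `!cupsArrayFind(cupsd_inactive_fds, fdptr)` test is applied only to the write_cb call in this hunk; the read_cb call two lines above keeps no such guard, so if a callback run earlier in the same batch of kqueue events calls cupsdRemoveSelect() on a different descriptor, that descriptor's read_cb will still be invoked when its event is reached, and the write_cb guard only helps after the fact. If that ordering is possible in the scheduler, the same test belongs on the read_cb condition, or a single `if (cupsArrayFind(cupsd_inactive_fds, fdptr)) continue;` ahead of both dispatches. Separately, the report states that `fdptr->use > 1` is always true on the kqueue path, so keeping it next to the new test is harmless but deserves a comment saying the array membership, not the use count, is what protects the write path here.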
    @@ -500,7 +501,8 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds /
    (
    (fdptr->read_cb))(fdptr->data);

    if (fdptr->use > 1 && fdptr->write_cb &&

  •   (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)))
    
  •        (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)) &&
    
  •        !cupsArrayFind(cupsd_inactive_fds, fdptr))
    

    (*(fdptr->write_cb))(fdptr->data);

    release_fd(fdptr);
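Review bot: this guard is the kqueue condition written out a second time (`fdptr->use > 1 && fdptr->write_cb && ... && !cupsArrayFind(cupsd_inactive_fds, fdptr)`); a small static helper next to release_fd(), say `fd_is_active(fdptr)`, would keep the two backends from drifting apart and give one place to document why cupsd_inactive_fds rather than the use count is the authoritative test. Note also that EPOLLERR and EPOLLHUP are routed to write_cb on this path, so a descriptor already queued in cupsd_inactive_fds that reports a hangup is now skipped until the deferred release; that appears intended, but the commit message only says "More complete fix" and should state why the earlier use-count check was insufficient for epoll and kqueue so the next reader does not reintroduce it.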

    1.6.6

michaelrsweet added this to the Stable milestone Mar 17, 2016
