The patch for STR #3200 is not complete for systems that use kqueue or epoll.
The cause is that the cupsdDoSelect() function uses one of several implementations depending on the underlying select/poll capabilities of the operating system. For kqueue and epoll implementations, cupsdRemoveSelect() does not immediately decrease the reference count for the file descriptor and instead adds it to the cupsd_inactive_fds array. File descriptors in that array are finally dereferenced just before cupsdDoSelect() returns.
The previous fix for CVE-2009-3553 was to check that another reference was held for the file descriptor before calling the write_cb function; however, that will always be the case for both the epoll and kqueue implementations.
The correct fix is to check whether the file descriptor is in the cupsd_inactive_fds array before calling the write_cb function.
From b6b656f4b431574069d5b17dc6d3d44910269bb9 Mon Sep 17 00:00:00 2001
From: Tim Waugh <twaugh@redhat.com>
Date: Wed, 3 Feb 2010 16:07:11 +0000
Subject: [PATCH] More complete fix for CVE-2009-3553.
Version: 1.4.2
CUPS.org User: twaugh.redhat
The patch for STR #3200 is not complete for systems that use kqueue or epoll.
The cause is that the cupsdDoSelect() function uses one of several implementations depending on the underlying select/poll capabilities of the operating system. For kqueue and epoll implementations, cupsdRemoveSelect() does not immediately decrease the reference count for the file descriptor and instead adds it to the cupsd_inactive_fds array. File descriptors in that array are finally dereferenced just before cupsdDoSelect() returns.
The previous fix for CVE-2009-3553 was to check that another reference was held for the file descriptor before calling the write_cb function; however, that will always be the case for both the epoll and kqueue implementations.
The correct fix is to check whether the file descriptor is in the cupsd_inactive_fds array before calling the write_cb function.
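The reasoning in the report and in the commit message above can be checked with a small model of the dispatch loop. This is an added example, not CUPS code: the names (`fdmodel_t`, `add_select`, `remove_select`, `do_select_pass`, `simulate`, `remaining_use`) and the constructed fd number 42 are assumptions chosen to mirror the functions the report names, not the real `scheduler/select.c`. It models the two removal strategies (immediate decrement for select/poll, deferral through an inactive array for epoll/kqueue) and the two guards in front of `write_cb` (the original "another reference is held" test and the inactive-array membership test), and counts how often `write_cb` is reached for an fd whose owner already removed it.

```c
/* Added example, not CUPS code: a model of the cupsd select loop that
 * reproduces the argument in the report. Names are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_FDS 8

typedef struct {
    int  fd;
    int  use;          /* reference count, like cupsd's fd->use */
    bool removed;      /* the owner asked for the fd to leave the loop */
    int  bad_writes;   /* write_cb invocations after removal (should be 0) */
} fdmodel_t;

static fdmodel_t  fds[MAX_FDS];
static int        nfds;
static fdmodel_t *inactive[MAX_FDS];  /* models the cupsd_inactive_fds array */
static int        ninactive;
static bool       deferred_removal;   /* true: epoll/kqueue; false: select/poll */

static void reset(bool deferred)
{
    memset(fds, 0, sizeof(fds));
    nfds = 0;
    ninactive = 0;
    deferred_removal = deferred;
}

/* Model of cupsdAddSelect(): the loop holds one reference on the fd. */
static fdmodel_t *add_select(int fd)
{
    fdmodel_t *f = &fds[nfds++];
    f->fd  = fd;
    f->use = 1;
    return f;
}

/* Model of cupsdRemoveSelect(). With select()/poll() the reference is
 * dropped at once; with epoll/kqueue it is only queued on the inactive
 * array and dropped just before the select pass returns. */
static void remove_select(fdmodel_t *f)
{
    f->removed = true;
    if (deferred_removal)
        inactive[ninactive++] = f;
    else
        f->use--;
}

static bool is_inactive(const fdmodel_t *f)
{
    for (int i = 0; i < ninactive; i++)
        if (inactive[i] == f)
            return true;
    return false;
}

/* read_cb: handling the request ends the connection, so the fd is removed. */
static void read_cb(fdmodel_t *f) { remove_select(f); }

/* write_cb: must not be reached once the owner has removed the fd. */
static void write_cb(fdmodel_t *f) { if (f->removed) f->bad_writes++; }

/* One pass over an fd that is both readable and writable. fixed == false is
 * the original guard (is another reference still held?); fixed == true adds
 * the membership check on the inactive array. */
static void do_select_pass(bool fixed)
{
    for (int i = 0; i < nfds; i++) {
        fdmodel_t *f = &fds[i];

        f->use++;                                   /* the loop's own reference */
        read_cb(f);
        bool still_valid = fixed ? (f->use > 1 && !is_inactive(f))
                                 : (f->use > 1);
        if (still_valid)
            write_cb(f);
        f->use--;
    }
    /* Deferred removals are released only now, after the callbacks ran. */
    for (int i = 0; i < ninactive; i++)
        inactive[i]->use--;
    ninactive = 0;
}

/* How many times write_cb ran on the removed fd during one pass. */
int simulate(bool deferred, bool fixed)
{
    reset(deferred);
    fdmodel_t *f = add_select(42);      /* constructed sample fd number */
    do_select_pass(fixed);
    return f->bad_writes;
}

/* Reference count left on the fd after the pass (0 in every combination). */
int remaining_use(bool deferred, bool fixed)
{
    reset(deferred);
    fdmodel_t *f = add_select(42);
    do_select_pass(fixed);
    return f->use;
}

int main(void)
{
    printf("select/poll,  old guard: %d bad write_cb calls\n", simulate(false, false));
    printf("epoll/kqueue, old guard: %d bad write_cb calls\n", simulate(true, false));
    printf("epoll/kqueue, new guard: %d bad write_cb calls\n", simulate(true, true));
    return 0;
}
```

With immediate removal the old guard already blocks `write_cb`, because the owner's reference is gone by the time the test runs; with deferred removal the count is still 2 at that point, so the old guard passes and `write_cb` is reached on a removed fd, while the membership check on the inactive array blocks it. The reference count returns to 0 in every combination, which is the property the deferred release at the end of the pass is meant to preserve.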