New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Infinite loop when not compiled with HAVE_GSSAPI #3518
Comments
CUPS.org User: mike OK, I've opted to just move the check for both regular and Kerberos above the setting of the auth string - patch attached. |
CUPS.org User: bernerus OK. That looks even better, Thanks! |
CUPS.org User: mike Fixed in Subversion repository. |
CUPS.org User: kurtseifried CVE-2010-2432 has been assigned for this. |
CUPS.org User: thoger Do you have any minimal reproducer that triggers this flaw? I presume the was requesting Negotiate authentication. Reading the patch, I'm wondering if it does what it was intended to do. Based on the previous comments and article L596, it seems intention was to cancel even non-Negotiate authentication after 3 failures by moving "Too many authentication tries" error to a common code path. However, following precedes that check: if ((http->digest_tries > 1 || !http->userpass[0]) && which leads to password callback call for non-Negotiate authentications and reset of digest_tries counter. So instead of "Too many tries" error, there's another password prompt. Depending on the callback function, this may keep resending password to the server which replies with "unauthorized" without being cancelled as expected (?). Or was there some additional loop that did not involve active request-unauthorized network communication? |
CUPS.org User: mike The intent was to make sure that non-password authentication was not tried too many times. When password authentication is requested we'll keep retrying until the password callback returns NULL or the server returns a "forbidden" status. |
"str3518.patch": Index: cups/auth.c--- cups/auth.c (revision 9016)
/*
- http->status = HTTP_AUTHORIZATION_CANCELED;
- }
|
Version: 1.4.2
CUPS.org User: bernerus
If cups is compiled without HAVE_GSSAPI and is used with a server that requires authorization, the client gets into an infinite loop.
Without HAVE_GSSAPI there is no code in auth.c that tests the
http->digest_tries variable.
The bug does not show unless the http input buffer is flushed after receiving a HTTP_UNAUTHORIZED, which is necessary to do. If that is not done, submission fails before getting into this loop.
Fix:
--- cups/auth.c (revision 9014)
+++ cups/auth.c (working copy)
@@ -392,6 +394,13 @@
httpSetAuthString(http, "Digest", digest);
}
DEBUG_printf(("1cupsDoAuthentication: authstring="%s"", http->authstring));
return (0);
The text was updated successfully, but these errors were encountered: