Memory disclosure in CUPS with admin URLs #3577

michaelrsweet · 2010-05-05T16:50:08Z

Version: 1.4-current
CUPS.org User: mike

See attached PDF, but in short, a URL like

http://127.0.0.1:631/admin?URL=/admin/&OP=%

will produce an error response that discloses a some uninitialised memory. This could be used to bypass ASLR, for example. The problem is in cgi-bin/var.c in cgi_initialize_string().

michaelrsweet · 2010-05-05T16:50:39Z

CUPS.org User: mike

Fix is attached.

michaelrsweet · 2010-06-16T00:24:57Z

CUPS.org User: mike

Fixed in Subversion repository.

michaelrsweet · 2010-06-16T00:24:57Z

"str3577.patch":

Index: cgi-bin/var.c

--- cgi-bin/var.c (revision 2161)
+++ cgi-bin/var.c (working copy)
@@ -1111,6 +1111,9 @@
* Read the hex code...
*/

       if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))

    return (0);

   if (s < (value + sizeof(value) - 1))

{
data ++;

michaelrsweet closed this Jun 16, 2010

michaelrsweet added the P3 - Moderate label Mar 17, 2016

michaelrsweet added this to the Stable milestone Mar 17, 2016

michaelrsweet mentioned this issue Mar 17, 2016

AIX 5.3 - Update cups-config to allow Ghostscript to compile #3587

Closed

apple / cups

Memory disclosure in CUPS with admin URLs #3577

Memory disclosure in CUPS with admin URLs #3577

michaelrsweet commented May 5, 2010

This comment has been minimized.

michaelrsweet commented May 5, 2010

This comment has been minimized.

michaelrsweet commented Jun 16, 2010

This comment has been minimized.

michaelrsweet commented Jun 16, 2010

apple / cups

Join GitHub today

Memory disclosure in CUPS with admin URLs #3577

Memory disclosure in CUPS with admin URLs #3577

Comments

michaelrsweet commented May 5, 2010

This comment has been minimized.

michaelrsweet commented May 5, 2010

This comment has been minimized.

michaelrsweet commented Jun 16, 2010

This comment has been minimized.

michaelrsweet commented Jun 16, 2010

Index: cgi-bin/var.c