Memory disclosure in CUPS with admin URLs #3577

michaelrsweet · 2010-05-05T16:50:08Z

Version: 1.4-current
CUPS.org User: mike

See attached PDF, but in short, a URL like

http://127.0.0.1:631/admin?URL=/admin/&OP=%

will produce an error response that discloses a some uninitialised memory. This could be used to bypass ASLR, for example. The problem is in cgi-bin/var.c in cgi_initialize_string().

michaelrsweet · 2010-05-05T16:50:39Z

CUPS.org User: mike

Fix is attached.

michaelrsweet · 2010-06-16T00:24:57Z

CUPS.org User: mike

Fixed in Subversion repository.

michaelrsweet · 2010-06-16T00:24:57Z

"str3577.patch":

Index: cgi-bin/var.c

--- cgi-bin/var.c (revision 2161)
+++ cgi-bin/var.c (working copy)
@@ -1111,6 +1111,9 @@
* Read the hex code...
*/

       if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))

    return (0);

   if (s < (value + sizeof(value) - 1))

{
data ++;

michaelrsweet closed this as completed Jun 16, 2010

michaelrsweet added the priority-medium label Mar 17, 2016

michaelrsweet added this to the Stable milestone Mar 17, 2016

michaelrsweet mentioned this issue Mar 17, 2016

AIX 5.3 - Update cups-config to allow Ghostscript to compile #3587

Closed

Memory disclosure in CUPS with admin URLs #3577

Memory disclosure in CUPS with admin URLs #3577

michaelrsweet commented May 5, 2010

michaelrsweet commented May 5, 2010

michaelrsweet commented Jun 16, 2010

michaelrsweet commented Jun 16, 2010

Memory disclosure in CUPS with admin URLs #3577

Memory disclosure in CUPS with admin URLs #3577

Comments

michaelrsweet commented May 5, 2010

michaelrsweet commented May 5, 2010

michaelrsweet commented Jun 16, 2010

michaelrsweet commented Jun 16, 2010

Index: cgi-bin/var.c