Memory disclosure in CUPS with admin URLs #3577

Closed
michaelrsweet opened this Issue May 5, 2010 · 3 comments

michaelrsweet commented May 5, 2010

Version: 1.4-current
CUPS.org User: mike

See attached PDF, but in short, a URL like

http://127.0.0.1:631/admin?URL=/admin/&OP=%

will produce an error response that discloses some uninitialised memory. This could be used to bypass ASLR, for example. The problem is in cgi-bin/var.c in cgi_initialize_string().
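A stand-alone percent-decoder that rejects a "%" not followed by two hex digits, the same test the attached patch adds. This is an added example, not code from CUPS or from the original report; `decode_form_value`, `hex_val` and the sample inputs are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: value of one hex digit (caller has checked isxdigit). */
static int hex_val(int c)
{
  c = tolower(c);
  return (isdigit(c) ? c - '0' : c - 'a' + 10);
}

/* Hypothetical decoder (not the CUPS function): copies URL-encoded data into
 * value[size]; returns 1 on success, 0 if a "%" lacks two hex digits. */
int decode_form_value(const char *data, char *value, size_t size)
{
  char *s = value;
  if (size == 0) return (0);
  for (; *data; data ++)
  {
    int ch = *data & 255;
    if (ch == '+')
      ch = ' ';
    else if (ch == '%')
    {
      /* Validate before consuming; || stops at a NUL in data[1]. */
      if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))
      {
        value[0] = '\0';  /* never hand back a half-decoded value */
        return (0);
      }
      ch = hex_val(data[1] & 255) * 16 + hex_val(data[2] & 255);
      data += 2;
    }
    if (s < (value + size - 1))  /* truncate instead of overflowing */
      *s++ = (char)ch;
  }
  *s = '\0';
  return (1);
}

int main(void)
{
  const char *samples[] = { "a%20b+c", "%", "%4", "%zz" };  /* constructed inputs */
  char value[64];
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i ++)
    printf("%-8s -> %s\n", samples[i],
           decode_form_value(samples[i], value, sizeof(value)) ? value : "(rejected)");
  return (0);
}
```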

michaelrsweet commented May 5, 2010

CUPS.org User: mike

Fix is attached.

michaelrsweet commented Jun 16, 2010

CUPS.org User: mike

Fixed in Subversion repository.

michaelrsweet commented Jun 16, 2010

"str3577.patch":

Index: cgi-bin/var.c

--- cgi-bin/var.c (revision 2161)
+++ cgi-bin/var.c (working copy)
@@ -1111,6 +1111,9 @@
* Read the hex code...
*/

  •        if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))
    
  •     return (0);
    
    •    if (s < (value + sizeof(value) - 1))
      
      {
      data ++;
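
Review bot: The added isxdigit() test on data[1] and data[2] returns 0 for a malformed escape, but the comment directly above it still reads only "Read the hex code..."; it should state that a "%" not followed by two hex digits aborts parsing, so the failure return is documented where it happens. The logic itself looks right: the || short-circuit means data[2] is only examined when data[1] is a hex digit, so (assuming data is NUL-terminated) a trailing "%" as in the reported OP=% URL stops at the terminator, and putting the test ahead of the s < (value + sizeof(value) - 1) bounds check rejects bad input even when value is already full. A regression case for OP=% and for a "%" followed by a single hex digit would be worth adding alongside this change.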

michaelrsweet added this to the Stable milestone Mar 17, 2016
