Vulnerabilities > CVE-2004-1269

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
easy-software-products
redhat
nessus
exploit available

Summary

lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it encounters a file-size resource limit while writing to passwd.new, which causes subsequent invocations of lppasswd to fail.

Exploit-Db

descriptionEasy Software Products LPPassWd 1.1.22 Resource Limit Denial Of Service Vulnerability. CVE-2004-1269. Dos exploit for windows platform
idEDB-ID:25012
last seen2016-02-03
modified2004-12-11
published2004-12-11
reporterBartlomiej Sieka
sourcehttps://www.exploit-db.com/download/25012/
titleEasy Software Products LPPassWd 1.1.22 Resource Limit Denial of Service Vulnerability

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-50-1.NASL
    descriptionCAN-2004-1125 : The recent USN-48-1 fixed a buffer overflow in xpdf. Since CUPS contains xpdf code to convert incoming PDF files to the PostScript format, this vulnerability applies to cups as well. In this case it could even lead to privilege escalation: if an attacker submitted a malicious PDF file for printing, he could be able to execute arbitrary commands with the privileges of the CUPS server. Please note that the Ubuntu version of CUPS runs as a minimally privileged user
    last seen2020-06-01
    modified2020-06-02
    plugin id20668
    published2006-01-15
    reporterUbuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20668
    titleUbuntu 4.10 : cupsys vulnerabilities (USN-50-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-50-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20668);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:33:00");
    
      script_cve_id("CVE-2004-1125", "CVE-2004-1267", "CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270", "CVE-2004-2467");
      script_xref(name:"USN", value:"50-1");
    
      script_name(english:"Ubuntu 4.10 : cupsys vulnerabilities (USN-50-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "CAN-2004-1125 :
    
    The recent USN-48-1 fixed a buffer overflow in xpdf. Since CUPS
    contains xpdf code to convert incoming PDF files to the PostScript
    format, this vulnerability applies to cups as well.
    
    In this case it could even lead to privilege escalation: if
    an attacker submitted a malicious PDF file for printing, he
    could be able to execute arbitrary commands with the
    privileges of the CUPS server.
    
    Please note that the Ubuntu version of CUPS runs as a
    minimally privileged user 'cupsys' by default, so there is
    no possibility of root privilege escalation. The privileges
    of the 'cupsys' user are confined to modifying printer
    configurations, altering print jobs, and controlling
    printers.
    
    CAN-2004-1267 :
    
    Ariel Berkman discovered a buffer overflow in the ParseCommand()
    function of the HPGL input driver. If an attacker printed a malicious
    HPGL file, they could exploit this to execute arbitrary commands with
    the privileges of the CUPS server.
    
    CAN-2004-1268, CAN-2004-1269, CAN-2004-1270 :
    
    Bartlomiej Sieka discovered three flaws in lppasswd. These allowed
    users to corrupt the new password file by filling up the disk, sending
    certain signals, or closing the standard output and/or error streams.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cupsys");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cupsys-bsd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cupsys-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsimage2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsimage2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsys2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsys2-gnutls10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/12/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"4.10", pkgname:"cupsys", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"cupsys-bsd", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"cupsys-client", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"libcupsimage2", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"libcupsimage2-dev", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"libcupsys2-dev", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"libcupsys2-gnutls10", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cupsys / cupsys-bsd / cupsys-client / libcupsimage2 / etc");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_7850A238680A11D9A9E70001020EED82.NASL
    descriptionD. J. Bernstein reports that Bartlomiej Sieka has discovered several security vulnerabilities in lppasswd, which is part of CUPS. In the following excerpt from Bernstein
    last seen2020-06-01
    modified2020-06-02
    plugin id18990
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18990
    titleFreeBSD : cups-lpr -- lppasswd multiple vulnerabilities (7850a238-680a-11d9-a9e7-0001020eed82)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18990);
      script_version("1.23");
      script_cvs_date("Date: 2019/08/02 13:32:37");
    
      script_cve_id("CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270");
      script_bugtraq_id(12004, 12007);
    
      script_name(english:"FreeBSD : cups-lpr -- lppasswd multiple vulnerabilities (7850a238-680a-11d9-a9e7-0001020eed82)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "D. J. Bernstein reports that Bartlomiej Sieka has discovered several
    security vulnerabilities in lppasswd, which is part of CUPS. In the
    following excerpt from Bernstein's email, CVE names have been added
    for each issue :
    
    First, lppasswd blithely ignores write errors in fputs(line,outfile)
    at lines 311 and 315 of lppasswd.c, and in fprintf(...) at line 346.
    An attacker who fills up the disk at the right moment can arrange for
    /usr/local/etc/cups/passwd to be truncated. (CAN-2004-1268)
    
    Second, if lppasswd bumps into a file-size resource limit while
    writing passwd.new, it leaves passwd.new in place, disabling all
    subsequent invocations of lppasswd. Any local user can thus disable
    lppasswd... (CAN-2004-1269)
    
    Third, line 306 of lppasswd.c prints an error message to stderr but
    does not exit. This is not a problem on systems that ensure that file
    descriptors 0, 1, and 2 are open for setuid programs, but it is a
    problem on other systems; lppasswd does not check that passwd.new is
    different from stderr, so it ends up writing a user-controlled error
    message to passwd if the user closes file descriptor 2.
    (CAN-2004-1270)
    
    Note: The third issue, CVE-2004-1270, does not affect FreeBSD
    4.6-RELEASE or later systems, as these systems ensure that the file
    descriptors 0, 1, and 2 are always open for set-user-ID and
    set-group-ID programs."
      );
      # http://www.cups.org/str.php?L1023
      script_set_attribute(
        attribute:"see_also",
        value:"https://github.com/apple/cups/issues/1023"
      );
      # http://tigger.uic.edu/~jlongs2/holes/cups2.txt
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?afff57c3"
      );
      # https://vuxml.freebsd.org/freebsd/7850a238-680a-11d9-a9e7-0001020eed82.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3566bddf"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:cups-lpr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:fr-cups-lpr");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"cups-lpr<1.1.23")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"fr-cups-lpr<1.1.23")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200412-25.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200412-25 (CUPS: Multiple vulnerabilities) CUPS makes use of vulnerable Xpdf code to handle PDF files (CAN-2004-1125). Furthermore, Ariel Berkman discovered a buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program (CAN-2004-1267). Finally, Bartlomiej Sieka discovered several problems in the lppasswd program: it ignores some write errors (CAN-2004-1268), it can leave the passwd.new file in place (CAN-2004-1269) and it does not verify that passwd.new file is different from STDERR (CAN-2004-1270). Impact : The Xpdf and hpgltops vulnerabilities may be exploited by a remote attacker to execute arbitrary code by sending specific print jobs to a CUPS spooler. The lppasswd vulnerabilities may be exploited by a local attacker to write data to the CUPS password file or deny further password modifications. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id16067
    published2004-12-28
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16067
    titleGLSA-200412-25 : CUPS: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200412-25.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16067);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2004-1125", "CVE-2004-1267", "CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270");
      script_xref(name:"GLSA", value:"200412-25");
    
      script_name(english:"GLSA-200412-25 : CUPS: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200412-25
    (CUPS: Multiple vulnerabilities)
    
        CUPS makes use of vulnerable Xpdf code to handle PDF files
        (CAN-2004-1125). Furthermore, Ariel Berkman discovered a buffer
        overflow in the ParseCommand function in hpgl-input.c in the hpgltops
        program (CAN-2004-1267). Finally, Bartlomiej Sieka discovered several
        problems in the lppasswd program: it ignores some write errors
        (CAN-2004-1268), it can leave the passwd.new file in place
        (CAN-2004-1269) and it does not verify that passwd.new file is
        different from STDERR (CAN-2004-1270).
      
    Impact :
    
        The Xpdf and hpgltops vulnerabilities may be exploited by a remote
        attacker to execute arbitrary code by sending specific print jobs to a
        CUPS spooler. The lppasswd vulnerabilities may be exploited by a local
        attacker to write data to the CUPS password file or deny further
        password modifications.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # http://tigger.uic.edu/~jlongs2/holes/cups.txt
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f172fa2d"
      );
      # http://tigger.uic.edu/~jlongs2/holes/cups2.txt
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?afff57c3"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200412-25"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All CUPS users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-print/cups-1.1.23'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:cups");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/12/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/28");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-print/cups", unaffected:make_list("ge 1.1.23"), vulnerable:make_list("lt 1.1.23"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "CUPS");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-053.NASL
    descriptionUpdated CUPS packages that fix several security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf, which also affects CUPS due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. This issue was assigned the name CVE-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0206 to this issue. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id17174
    published2005-02-22
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/17174
    titleRHEL 4 : CUPS (RHSA-2005:053)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:053. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(17174);
      script_version ("1.23");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2004-0888", "CVE-2004-1125", "CVE-2004-1267", "CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270", "CVE-2005-0064", "CVE-2005-0206");
      script_xref(name:"RHSA", value:"2005:053");
    
      script_name(english:"RHEL 4 : CUPS (RHSA-2005:053)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated CUPS packages that fix several security issues are now
    available.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    The Common UNIX Printing System provides a portable printing layer for
    UNIX(R) operating systems.
    
    During a source code audit, Chris Evans and others discovered a number
    of integer overflow bugs that affected all versions of Xpdf, which
    also affects CUPS due to a shared codebase. An attacker could
    construct a carefully crafted PDF file that could cause CUPS to crash
    or possibly execute arbitrary code when opened. This issue was
    assigned the name CVE-2004-0888 by The Common Vulnerabilities and
    Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4
    contained a fix for this issue, but it was found to be incomplete and
    left 64-bit architectures vulnerable. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CVE-2005-0206
    to this issue.
    
    A buffer overflow flaw was found in the Gfx::doImage function of Xpdf
    which also affects the CUPS pdftops filter due to a shared codebase.
    An attacker who has the ability to send a malicious PDF file to a
    printer could possibly execute arbitrary code as the 'lp' user. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2004-1125 to this issue.
    
    A buffer overflow flaw was found in the ParseCommand function in the
    hpgltops program. An attacker who has the ability to send a malicious
    HPGL file to a printer could possibly execute arbitrary code as the
    'lp' user. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-1267 to this issue.
    
    A buffer overflow flaw was found in the Decrypt::makeFileKey2 function
    of Xpdf which also affects the CUPS pdftops filter due to a shared
    codebase. An attacker who has the ability to send a malicious PDF file
    to a printer could possibly execute arbitrary code as the 'lp' user.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2005-0064 to this issue.
    
    The lppasswd utility was found to ignore write errors when modifying
    the CUPS passwd file. A local user who is able to fill the associated
    file system could corrupt the CUPS password file or prevent future
    uses of lppasswd. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the names CVE-2004-1268 and CVE-2004-1269
    to these issues.
    
    The lppasswd utility was found to not verify that the passwd.new file
    is different from STDERR, which could allow local users to control
    output to passwd.new via certain user input that triggers an error
    message. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-1270 to this issue.
    
    All users of cups should upgrade to these updated packages, which
    contain backported patches to resolve these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1125"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1267"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1268"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1269"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1270"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0064"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0206"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:053"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected cups, cups-devel and / or cups-libs packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/02/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:053";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL4", reference:"cups-1.1.22-0.rc1.9.6")) flag++;
      if (rpm_check(release:"RHEL4", reference:"cups-devel-1.1.22-0.rc1.9.6")) flag++;
      if (rpm_check(release:"RHEL4", reference:"cups-libs-1.1.22-0.rc1.9.6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-devel / cups-libs");
      }
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-008.NASL
    descriptionA buffer overflow was discovered in the ParseCommand function in the hpgltops utility. An attacker with the ability to send malicious HPGL files to a printer could possibly execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id16184
    published2005-01-18
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16184
    titleMandrake Linux Security Advisory : cups (MDKSA-2005:008)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:008. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16184);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2004-1267", "CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270");
      script_xref(name:"MDKSA", value:"2005:008");
    
      script_name(english:"Mandrake Linux Security Advisory : cups (MDKSA-2005:008)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A buffer overflow was discovered in the ParseCommand function in the
    hpgltops utility. An attacker with the ability to send malicious HPGL
    files to a printer could possibly execute arbitrary code as the 'lp'
    user (CVE-2004-1267).
    
    Vulnerabilities in the lppasswd utility were also discovered. The
    program ignores write errors when modifying the CUPS passwd file. A
    local user who is able to fill the associated file system could
    corrupt the CUPS passwd file or prevent future use of lppasswd
    (CVE-2004-1268 and CVE-2004-1269). As well, lppasswd does not verify
    that the passwd.new file is different from STDERR, which could allow a
    local user to control output to passwd.new via certain user input that
    could trigger an error message (CVE-2004-1270).
    
    The updated packages have been patched to prevent these problems."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups-serial");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cups2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cups2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libcups2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libcups2-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.0", reference:"cups-1.1.20-5.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"cups-common-1.1.20-5.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"cups-serial-1.1.20-5.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64cups2-1.1.20-5.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64cups2-devel-1.1.20-5.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libcups2-1.1.20-5.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libcups2-devel-1.1.20-5.5.100mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.1", reference:"cups-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"cups-common-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"cups-serial-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64cups2-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64cups2-devel-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libcups2-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libcups2-devel-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.2", reference:"cups-1.1.19-10.5.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", reference:"cups-common-1.1.19-10.5.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", reference:"cups-serial-1.1.19-10.5.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64cups2-1.1.19-10.5.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64cups2-devel-1.1.19-10.5.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libcups2-1.1.19-10.5.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libcups2-devel-1.1.19-10.5.92mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-013.NASL
    descriptionUpdated CUPS packages that fix several security issues are now available. The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. A buffer overflow was found in the CUPS pdftops filter, which uses code from the Xpdf package. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id16146
    published2005-01-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/16146
    titleRHEL 3 : cups (RHSA-2005:013)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:013. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16146);
      script_version ("1.25");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2004-1125", "CVE-2004-1267", "CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270");
      script_xref(name:"RHSA", value:"2005:013");
    
      script_name(english:"RHEL 3 : cups (RHSA-2005:013)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated CUPS packages that fix several security issues are now
    available.
    
    The Common UNIX Printing System provides a portable printing layer for
    UNIX(R) operating systems.
    
    A buffer overflow was found in the CUPS pdftops filter, which uses
    code from the Xpdf package. An attacker who has the ability to send a
    malicious PDF file to a printer could possibly execute arbitrary code
    as the 'lp' user. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-1125 to this issue.
    
    A buffer overflow was found in the ParseCommand function in the
    hpgltops program. An attacker who has the ability to send a malicious
    HPGL file to a printer could possibly execute arbitrary code as the
    'lp' user. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-1267 to this issue.
    
    Red Hat believes that the Exec-Shield technology (enabled by default
    since Update 3) will block attempts to exploit these buffer overflow
    vulnerabilities on x86 architectures.
    
    The lppasswd utility ignores write errors when modifying the CUPS
    passwd file. A local user who is able to fill the associated file
    system could corrupt the CUPS password file or prevent future uses of
    lppasswd. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the names CVE-2004-1268 and CVE-2004-1269
    to these issues.
    
    The lppasswd utility does not verify that the passwd.new file is
    different from STDERR, which could allow local users to control output
    to passwd.new via certain user input that triggers an error message.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2004-1270 to this issue.
    
    In addition to these security issues, two other problems not relating
    to security have been fixed :
    
    Resuming a job with 'lp -H resume', which had previously been held
    with 'lp -H hold' could cause the scheduler to stop. This has been
    fixed in later versions of CUPS, and has been backported in these
    updated packages.
    
    The cancel-cups(1) man page is a symbolic link to another man page.
    The target of this link has been corrected.
    
    All users of cups should upgrade to these updated packages, which
    resolve these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1125"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1267"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1268"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1269"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1270"
      );
      # http://www.cups.org/str.php?L1023
      script_set_attribute(
        attribute:"see_also",
        value:"https://github.com/apple/cups/issues/1023"
      );
      # http://www.cups.org/str.php?L1024
      script_set_attribute(
        attribute:"see_also",
        value:"https://github.com/apple/cups/issues/1024"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:013"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected cups, cups-devel and / or cups-libs packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:013";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"cups-1.1.17-13.3.22")) flag++;
      if (rpm_check(release:"RHEL3", reference:"cups-devel-1.1.17-13.3.22")) flag++;
      if (rpm_check(release:"RHEL3", reference:"cups-libs-1.1.17-13.3.22")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-devel / cups-libs");
      }
    }
    
  • NASL familyMisc.
    NASL idCUPS_MULTIPLE_VULNERABILITIES.NASL
    descriptionAccording to its banner, the version of CUPS installed on the remote host is between 1.0.4 and 1.1.22 inclusive. Such versions are prone to multiple vulnerabilities : - A remotely exploitable buffer overflow in the
    last seen2020-06-01
    modified2020-06-02
    plugin id16141
    published2005-01-12
    reporterThis script is Copyright (C) 2005-2018 George A. Theall
    sourcehttps://www.tenable.com/plugins/nessus/16141
    titleCUPS < 1.1.23 Multiple Vulnerabilities
    code
    #
    # This script was written by George A. Theall, <[email protected]>.
    #
    # See the Nessus Scripts License for details.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16141);
      script_version("1.26");
      script_cvs_date("Date: 2018/07/06 11:26:08");
    
      script_cve_id(
        "CVE-2004-1267",
        "CVE-2004-1268",
        "CVE-2004-1269",
        "CVE-2004-1270",
        "CVE-2005-2874"
      );
      script_bugtraq_id(11968, 12004, 12005, 12007, 12200, 14265);
      script_xref(name:"FLSA", value:"FEDORA-2004-559");
      script_xref(name:"FLSA", value:"FEDORA-2004-560");
      script_xref(name:"GLSA", value:"GLSA-200412-25");
    
      script_name(english:"CUPS < 1.1.23 Multiple Vulnerabilities");
      script_summary(english:"Checks version of CUPS");
    
      script_set_attribute(attribute:"synopsis", value:"The remote print service is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of CUPS installed on the remote
    host is between 1.0.4 and 1.1.22 inclusive. Such versions are prone to
    multiple vulnerabilities :
    
      - A remotely exploitable buffer overflow in the 'hpgltops'
        filter that enable specially crafted HPGL files can
        execute arbitrary commands as the CUPS 'lp' account.
    
      - A local user may be able to prevent anyone from changing
        their password until a temporary copy of the new
        password
        file is cleaned up (lppasswd flaw).
    
      - A local user may be able to add arbitrary content to the
        password file by closing the stderr file descriptor
        while running lppasswd (lppasswd flaw).
    
      - A local attacker may be able to truncate the CUPS
        password file, thereby denying service to valid clients
        using digest authentication. (lppasswd flaw).
    
      - The application applies ACLs to incoming print jobs in a
        case-sensitive fashion. Thus, an attacker can bypass
        restrictions by changing the case in printer names when
        submitting jobs. [Fixed in 1.1.21.]");
      script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L700");
      script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L1024");
      script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L1023");
      script_set_attribute(attribute:"solution", value:"Upgrade to CUPS 1.1.23 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/12");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:cups");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2018 George A. Theall");
      script_family(english:"Misc.");
    
      script_dependencie("http_version.nasl");
      script_require_keys("www/cups", "Settings/ParanoidReport");
      script_require_ports("Services/www", 631);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # nb: banner checks of open source software are prone to false-
    #     positives so only run the check if reporting is paranoid.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    if (!get_kb_item("www/cups")) exit(1, "The 'www/cups' KB item is missing.");
    
    port = get_http_port(default:631, embedded: 1);
    
    
    # Check the version in the banner.
    banner = get_http_banner(port:port);
    if (!banner) exit(1, "Failed to retrieve the banner from the web server on port "+ port +".");
    
    banner = strstr(banner, "Server:");
    banner = banner - strstr(banner, '\r\n');
    if (!ereg(pattern:"^Server:.*CUPS($|/)", string:banner))
      exit(0, "The banner from port "+port+" is not from CUPS.");
    if (!ereg(pattern:"CUPS/[0-9]", string:banner))
      exit(0, "The CUPS server on port "+port+" does not include its version in the banner.");
    
    version = strstr(banner, "CUPS/") - "CUPS/";
    if (" " >< version) version = version - strstr(version, " ");
    if (version =~ "^1\.(0|1\.(1|2[0-2]))($|[^0-9])")
    {
      if (report_verbosity > 0)
      {
        report = '\n' +
          'CUPS version ' + version + ' appears to be running on the remote host based\n' +
          'on the following Server response header :\n' +
          '\n'+
          '  ' + banner + '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else if (version =~ "^(1|1\.3)($|[^0-9.])") exit(1, "The banner from the CUPS server listening on port "+port+" - "+banner+" - is not granular enough to make a determination.");
    else exit(0, "CUPS version "+ version + " is listening on port "+port+" and thus not affected.");
    

Oval

accepted2013-04-29T04:20:09.137-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionlppasswd in CUPS 1.1.22 does not remove the passwd.new file if it encounters a file-size resource limit while writing to passwd.new, which causes subsequent invocations of lppasswd to fail.
familyunix
idoval:org.mitre.oval:def:9545
statusaccepted
submitted2010-07-09T03:56:16-04:00
titlelppasswd in CUPS 1.1.22 does not remove the passwd.new file if it encounters a file-size resource limit while writing to passwd.new, which causes subsequent invocations of lppasswd to fail.
version26

Redhat

advisories
  • rhsa
    idRHSA-2005:013
  • rhsa
    idRHSA-2005:053
rpms
  • cups-1:1.1.17-13.3.22
  • cups-debuginfo-1:1.1.17-13.3.22
  • cups-devel-1:1.1.17-13.3.22
  • cups-libs-1:1.1.17-13.3.22
  • cups-1:1.1.22-0.rc1.9.6
  • cups-debuginfo-1:1.1.22-0.rc1.9.6
  • cups-devel-1:1.1.22-0.rc1.9.6
  • cups-libs-1:1.1.22-0.rc1.9.6