Vulnerabilities > CVE-2008-5286 - Numeric Errors vulnerability in Apple Cups

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
apple
CWE-189
nessus

Summary

Integer overflow in the _cupsImageReadPNG function in CUPS 1.1.17 through 1.3.9 allows remote attackers to execute arbitrary code via a PNG image with a large height value, which bypasses a validation check and triggers a buffer overflow.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Misc.
    NASL id: CUPS_1_3_10.NASL
    description: According to its banner, the version of CUPS installed on the remote host is earlier than 1.3.10. Such versions are affected by several issues : - A potential integer overflow in the PNG image validation code in …
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36183
    published: 2009-04-17
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36183
    title: CUPS < 1.3.10 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Metadata block: runs only when 'description' is set and ends with
    # exit(0), so the version check further down is not reached in this mode.
    if (description)
    {
      script_id(36183);
      script_version("1.24");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      # One plugin id covers five CVEs. The check code compares only the CUPS
      # version string, so a finding does not say which of these issues is
      # actually reachable on the host.
      script_cve_id(
        "CVE-2008-5286",
        "CVE-2009-0163",
        "CVE-2009-0164",
        "CVE-2009-0195",
        "CVE-2009-0949"
      );
      script_bugtraq_id(32518, 34571, 34665, 34791, 35169);
      script_xref(name:"Secunia", value:"34481");
    
      script_name(english:"CUPS < 1.3.10 Multiple Vulnerabilities");
      script_summary(english:"Checks CUPS server version");
    
      script_set_attribute(attribute:"synopsis", value:"The remote printer service is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of CUPS installed on the remote
    host is earlier than 1.3.10. Such versions are affected by several
    issues :
    
      - A potential integer overflow in the PNG image validation
        code in '_cupsImageReadPNG()' could allow an attacker to
        crash the affected service or possibly execute arbitrary
        code. (STR #2974)
    
      - A heap-based integer overflow exists in
        '_cupsImageReadTIFF()' due to a failure to properly
        validate the image height of a specially crafted TIFF
        file, which can be leveraged to execute arbitrary code.
        (STR #3031)
    
      - The web interface may be vulnerable to DNS rebinding
        attacks due to a failure to validate the HTTP Host
        header in incoming requests. (STR #3118)
    
      - A heap-based buffer overflow in pdftops allows remote
        attackers to execute arbitrary code via a PDF file with
        crafted JBIG2 symbol dictionary segments.
        (CVE-2009-0195)
    
      - Flawed 'ip' structure initialization in the function
        'ippReadIO()' could allow an anonymous remote attacker
        to crash the application via a malicious IPP request
        packet with two consecutives IPP_TAG_UNSUPPORTED tags.
        (CVE-2009-0949)");
    
      script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L2974");
      script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L3031");
      script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L3118");
      script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2009-18/");
      script_set_attribute(attribute:"see_also", value:"http://www.coresecurity.com/content/AppleCUPS-null-pointer-vulnerability");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/504032/30/0/threaded");
      script_set_attribute(attribute:"see_also", value:"http://www.cups.org/articles.php?L582");
      script_set_attribute(attribute:"solution", value:"Upgrade to CUPS version 1.3.10 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      # The exploit attributes below are plugin-wide: nothing here says which
      # of the five registered CVEs the available exploit belongs to.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(20, 119, 189, 399);
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/17");
    
      # Registered as a potential vulnerability: per the description text the
      # finding rests on the service banner, and a banner version may not
      # reflect fixes backported by a distribution.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:cups");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      # Prerequisites: the dependencies presumably populate the CUPS knowledge
      # base entries read by the check code (confirm in those plugins).
      # "Settings/ParanoidReport" is a required key, matching the
      # report_paranoia test in the check code.
      script_dependencies("http_version.nasl", "cups_1_3_5.nasl");
      script_require_keys("www/cups", "Settings/ParanoidReport");
      script_require_ports("Services/www", 631);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # Version-only check: reads the CUPS version stored in the knowledge base
    # for this port and compares it with the fixed release, 1.3.10. No request
    # exercising any of the flaws is sent from this block.
    port = get_http_port(default:631, embedded:TRUE);
    # Stop unless the knowledge base marks CUPS as running on this port.
    get_kb_item_or_exit("www/"+port+"/cups/running");
    
    # 'source' is only echoed in the report so the analyst can see where the
    # version string came from.
    version = get_kb_item_or_exit("cups/"+port+"/version");
    source  = get_kb_item_or_exit("cups/"+port+"/source");
    
    # The evidence is a version string only, so nothing is reported unless
    # report_paranoia is at least 2.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # First pattern: 1.0 - 1.2.x and 1.3.0 - 1.3.9; the trailing ($|[^0-9])
    # keeps 1.3.10 and later from matching. Second pattern: 1.3 strings that
    # continue with "rc" or "b".
    if (
      version =~ "^1\.([0-2]|3\.[0-9])($|[^0-9])" ||
      version =~ "^1\.3(rc|b)"
    )
    {
      if (report_verbosity > 0)
      {
        report = '\n  Version source    : ' + source +
                 '\n  Installed version : ' + version +
                 '\n  Fixed version     : 1.3.10\n';
    
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    # A bare "1" or "1.3" carries no patch level, so no verdict is possible.
    else if (version =~ "^(1|1\.3)($|[^0-9.])") audit(AUDIT_VER_NOT_GRANULAR, "CUPS", port, version);
    else audit(AUDIT_LISTEN_NOT_VULN, "CUPS", port, version);
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2008-1028.NASL
    description: From Red Hat Security Advisory 2008:1028 : Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX(r) Printing System (CUPS) provides a portable printing layer for UNIX operating systems. An integer overflow flaw, leading to a heap buffer overflow, was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image-converting filters, …
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67775
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67775
    title: Oracle Linux 3 : cups (ELSA-2008-1028)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2008:1028 and 
    # Oracle Linux Security Advisory ELSA-2008-1028 respectively.
    #
    
    include("compat.inc");
    
    # Metadata block: runs only when 'description' is set and ends with
    # exit(0), so the package checks further down are not reached in this mode.
    if (description)
    {
      script_id(67775);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:07");
    
      # Two CVE ids are registered, but the advisory text below names only
      # CVE-2008-5286.
      script_cve_id("CVE-2008-1722", "CVE-2008-5286");
      script_bugtraq_id(32518);
      script_xref(name:"RHSA", value:"2008:1028");
    
      script_name(english:"Oracle Linux 3 : cups (ELSA-2008-1028)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2008:1028 :
    
    Updated cups packages that fix a security issue are now available for
    Red Hat Enterprise Linux 3.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The Common UNIX(r) Printing System (CUPS) provides a portable printing
    layer for UNIX operating systems.
    
    An integer overflow flaw, leading to a heap buffer overflow, was
    discovered in the Portable Network Graphics (PNG) decoding routines
    used by the CUPS image-converting filters, 'imagetops' and
    'imagetoraster'. An attacker could create a malicious PNG file that
    could, potentially, execute arbitrary code as the 'lp' user if the
    file was printed. (CVE-2008-5286)
    
    CUPS users should upgrade to these updated packages, which contain a
    backported patch to correct this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2008-December/000833.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cups packages.");
      # The vector registered here is network / no authentication, while the
      # advisory text above rates the issue moderate and describes code
      # running as 'lp' once a crafted PNG is printed.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:cups-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:cups-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:3");
    
      # NOTE(review): 2008/04/10 is earlier than the 2008/10/17 date the FreeBSD
      # plugin on this page gives for CVE-2008-5286; it probably belongs to
      # CVE-2008-1722, which is also registered above - confirm.
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/04/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      # Local check: it needs the knowledge base entries listed here, which
      # ssh_get_info.nasl presumably collects from the host (confirm there).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Local package check for Oracle Linux 3. The verdict comes from comparing
    # the installed cups, cups-devel and cups-libs rpms with the fixed build,
    # so unlike a banner check it takes the package release into account.

    # Gate 1: local checks must be enabled and the host identified as Oracle Linux.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux"))
      audit(AUDIT_OS_NOT, "Oracle Linux");

    # Gate 2: the release string must name Oracle Linux and carry a version
    # whose major number is 3.
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release))
      audit(AUDIT_OS_NOT, "Oracle Linux");
    if (!pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release))
      audit(AUDIT_OS_NOT, "Oracle Linux");

    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver))
      audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (!preg(pattern:"^3([^0-9]|$)", string:os_ver))
      audit(AUDIT_OS_NOT, "Oracle Linux 3", "Oracle Linux " + os_ver);

    # Gate 3: a package list and a known architecture are required.
    if (!get_kb_item("Host/RedHat/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
      audit(AUDIT_UNKNOWN_ARCH);
    if (!("x86_64" >< cpu || "ia64" >< cpu || cpu =~ "^i[3-6]86$"))
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

    # Each package is tested for i386 and then x86_64, in the same order as
    # six individual rpm_check calls would run. ia64 passes the gate above but
    # has no reference build here.
    flag = 0;
    foreach cups_ref (make_list("cups-1.1.17-13.3.55", "cups-devel-1.1.17-13.3.55", "cups-libs-1.1.17-13.3.55"))
    {
      foreach cups_arch (make_list("i386", "x86_64"))
      {
        if (rpm_check(release:"EL3", cpu:cups_arch, reference:cups_ref)) flag++;
      }
    }

    if (!flag)
    {
      # Nothing older than the fixed build: say whether packages were tested
      # at all or simply are not installed.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-devel / cups-libs");
    }
    else
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_87106B67BE1311DDA5780030843D3802.NASL
    description: CUPS reports : The PNG image reading code did not validate the image size properly, leading to a potential buffer overflow (STR #2974)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34980
    published: 2008-12-01
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/34980
    title: FreeBSD : cups -- potential buffer overflow in PNG reading code (87106b67-be13-11dd-a578-0030843d3802)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    # Metadata block: runs only when 'description' is set and ends with
    # exit(0), so the package check further down is not reached in this mode.
    if (description)
    {
      script_id(34980);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:39");
    
      script_cve_id("CVE-2008-5286");
    
      script_name(english:"FreeBSD : cups -- potential buffer overflow in PNG reading code (87106b67-be13-11dd-a578-0030843d3802)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "CUPS reports :
    
    The PNG image reading code did not validate the image size properly,
    leading to a potential buffer overflow (STR #2974)"
      );
      # In the see_also entries that follow, the comment above each call records
      # the original reference and the value is what the plugin publishes.
      # http://www.cups.org/str.php?L2974
      script_set_attribute(
        attribute:"see_also",
        value:"https://github.com/apple/cups/issues/2974"
      );
      # NOTE(review): the value registered for the next reference is on a host
      # unrelated to CUPS and does not match the original URL in the comment
      # below. This looks like link rot; verify the target before relying on it
      # as an advisory source.
      # http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.hotels-of-london.com/easyswcom/"
      );
      # http://www.openwall.com/lists/oss-security/2008/11/25/2
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.openwall.com/lists/oss-security/2008/11/25/2"
      );
      # https://vuxml.freebsd.org/freebsd/87106b67-be13-11dd-a578-0030843d3802.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d516d58d"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:cups-base");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/10/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      # Local check: it needs the knowledge base entries listed here, which
      # ssh_get_info.nasl presumably collects from the host (confirm there).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    # Local package check for FreeBSD: the verdict comes from the package
    # list in the knowledge base, not from probing the print service.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    # Package spec: flags an installed cups-base older than 1.3.9_2
    # (presumably the port revision that carries the fix - confirm in VuXML).
    if (pkg_test(save_report:TRUE, pkg:"cups-base<1.3.9_2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    # No match also covers hosts where cups-base is not installed at all.
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2008-1028.NASL
    description: Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX(r) Printing System (CUPS) provides a portable printing layer for UNIX operating systems. An integer overflow flaw, leading to a heap buffer overflow, was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image-converting filters, …
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35182
    published: 2008-12-16
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35182
    title: RHEL 3 : cups (RHSA-2008:1028)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:1028. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    # Metadata block: runs only when 'description' is set and ends with
    # exit(0), so the package checks further down are not reached in this mode.
    if (description)
    {
      script_id(35182);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:13");
    
      # Two CVE ids are registered, but the advisory text below names only
      # CVE-2008-5286.
      script_cve_id("CVE-2008-1722", "CVE-2008-5286");
      script_bugtraq_id(32518);
      script_xref(name:"RHSA", value:"2008:1028");
    
      script_name(english:"RHEL 3 : cups (RHSA-2008:1028)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated cups packages that fix a security issue are now available for
    Red Hat Enterprise Linux 3.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The Common UNIX(r) Printing System (CUPS) provides a portable printing
    layer for UNIX operating systems.
    
    An integer overflow flaw, leading to a heap buffer overflow, was
    discovered in the Portable Network Graphics (PNG) decoding routines
    used by the CUPS image-converting filters, 'imagetops' and
    'imagetoraster'. An attacker could create a malicious PNG file that
    could, potentially, execute arbitrary code as the 'lp' user if the
    file was printed. (CVE-2008-5286)
    
    CUPS users should upgrade to these updated packages, which contain a
    backported patch to correct this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-5286"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2008:1028"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected cups, cups-devel and / or cups-libs packages."
      );
      # The vector registered here is network / no authentication, while the
      # advisory text above rates the issue moderate and describes code
      # running as 'lp' once a crafted PNG is printed.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      # NOTE(review): 2008/04/10 is earlier than the 2008/10/17 date the FreeBSD
      # plugin on this page gives for CVE-2008-5286; it probably belongs to
      # CVE-2008-1722, which is also registered above - confirm.
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/04/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      # Local check: it needs the knowledge base entries listed here, which
      # ssh_get_info.nasl presumably collects from the host (confirm there).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Local package check for Red Hat Enterprise Linux 3. Two evidence paths
    # exist: yum updateinfo data when the knowledge base has it, otherwise a
    # comparison of the installed rpm builds with the fixed build.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    # Keep only the captured version number; the next test accepts major version 3.
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    # Path 1: when yum updateinfo is present it decides the result on its own.
    # An empty report for this advisory ends the check as not affected, and the
    # rpm comparison in the else branch is never run.
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2008:1028";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    # Path 2: compare each installed package with the fixed build.
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"cups-1.1.17-13.3.55")) flag++;
      if (rpm_check(release:"RHEL3", reference:"cups-devel-1.1.17-13.3.55")) flag++;
      if (rpm_check(release:"RHEL3", reference:"cups-libs-1.1.17-13.3.55")) flag++;
    
      if (flag)
      {
        # The package caveat text is appended to the rpm comparison report.
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        # Nothing older than the fixed build: say whether packages were
        # tested at all or simply are not installed.
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-devel / cups-libs");
      }
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2008-1028.NASL
    description: Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX(r) Printing System (CUPS) provides a portable printing layer for UNIX operating systems. An integer overflow flaw, leading to a heap buffer overflow, was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image-converting filters, …
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35173
    published: 2008-12-16
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35173
    title: CentOS 3 : cups (CESA-2008:1028)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:1028 and 
    # CentOS Errata and Security Advisory 2008:1028 respectively.
    #
    
    include("compat.inc");
    
    # Metadata block: runs only when 'description' is set and ends with
    # exit(0), so the package checks further down are not reached in this mode.
    if (description)
    {
      script_id(35173);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:04");
    
      # Two CVE ids are registered, but the advisory text below names only
      # CVE-2008-5286.
      script_cve_id("CVE-2008-1722", "CVE-2008-5286");
      script_bugtraq_id(32518);
      script_xref(name:"RHSA", value:"2008:1028");
    
      script_name(english:"CentOS 3 : cups (CESA-2008:1028)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated cups packages that fix a security issue are now available for
    Red Hat Enterprise Linux 3.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The Common UNIX(r) Printing System (CUPS) provides a portable printing
    layer for UNIX operating systems.
    
    An integer overflow flaw, leading to a heap buffer overflow, was
    discovered in the Portable Network Graphics (PNG) decoding routines
    used by the CUPS image-converting filters, 'imagetops' and
    'imagetoraster'. An attacker could create a malicious PNG file that
    could, potentially, execute arbitrary code as the 'lp' user if the
    file was printed. (CVE-2008-5286)
    
    CUPS users should upgrade to these updated packages, which contain a
    backported patch to correct this issue."
      );
      # The three see_also values are shortened URLs; the comment above each
      # call records the announcement it stands for.
      # https://lists.centos.org/pipermail/centos-announce/2008-December/015475.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0addf563"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-December/015484.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c927ca7c"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-December/015485.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ef79a0d7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cups packages.");
      # The vector registered here is network / no authentication, while the
      # advisory text above rates the issue moderate and describes code
      # running as 'lp' once a crafted PNG is printed.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
    
      # NOTE(review): 2008/04/10 is earlier than the 2008/10/17 date the FreeBSD
      # plugin on this page gives for CVE-2008-5286; it probably belongs to
      # CVE-2008-1722, which is also registered above - confirm.
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/04/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      # Local check: it needs the knowledge base entries listed here, which
      # ssh_get_info.nasl presumably collects from the host (confirm there).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Local package check for CentOS 3. The verdict comes from comparing the
    # installed cups, cups-devel and cups-libs rpms with the fixed build, so
    # it takes the package release into account rather than a service banner.

    # Gate 1: local checks must be enabled.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    # Gate 2: the release string must name CentOS with major version 3.
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || !("CentOS" >< release))
      audit(AUDIT_OS_NOT, "CentOS");

    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver))
      audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (!preg(pattern:"^3([^0-9]|$)", string:os_ver))
      audit(AUDIT_OS_NOT, "CentOS 3.x", "CentOS " + os_ver);

    # Gate 3: a package list and a supported architecture are required.
    if (!get_kb_item("Host/CentOS/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
      audit(AUDIT_UNKNOWN_ARCH);
    if (!("x86_64" >< cpu || "ia64" >< cpu || cpu =~ "^i[3-6]86$"))
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

    # One comparison per package, in the same order as three individual calls.
    flag = 0;
    foreach cups_ref (make_list("cups-1.1.17-13.3.55", "cups-devel-1.1.17-13.3.55", "cups-libs-1.1.17-13.3.55"))
    {
      if (rpm_check(release:"CentOS-3", reference:cups_ref)) flag++;
    }

    if (!flag)
    {
      # Nothing older than the fixed build: say whether packages were tested
      # at all or simply are not installed.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-devel / cups-libs");
    }
    else
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20081215_CUPS_ON_SL3_X.NASL
    descriptionA NULL pointer dereference flaw was found in the way CUPS handled subscriptions for printing job completion notifications. A local user could use this flaw to crash the CUPS daemon by submitting a large number of printing jobs requiring mail notification on completion, leading to a denial of service. (CVE-2008-5183) An integer overflow flaw, leading to a heap buffer overflow, was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image-converting filters,
    last seen2020-06-01
    modified2020-06-02
    plugin id60503
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60503
    titleScientific Linux Security Update : cups on SL3.x, SL5.x i386/x86_64
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs only when `description` is true: it
    # declares the plugin's identity, references and prerequisites, then exits
    # before any host check is made.
    if (description)
    {
      script_id(60503);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/25 13:36:18");
    
      # CVEs addressed by the packages this plugin looks for.
      script_cve_id("CVE-2008-5183", "CVE-2008-5286");
    
      script_name(english:"Scientific Linux Security Update : cups on SL3.x, SL5.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A NULL pointer dereference flaw was found in the way CUPS handled
    subscriptions for printing job completion notifications. A local user
    could use this flaw to crash the CUPS daemon by submitting a large
    number of printing jobs requiring mail notification on completion,
    leading to a denial of service. (CVE-2008-5183)
    
    An integer overflow flaw, leading to a heap buffer overflow, was
    discovered in the Portable Network Graphics (PNG) decoding routines
    used by the CUPS image-converting filters, 'imagetops' and
    'imagetoraster'. An attacker could create a malicious PNG file that
    could, potentially, execute arbitrary code as the 'lp' user if the
    file was printed. (CVE-2008-5286)"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0812&L=scientific-linux-errata&T=0&P=899
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7a0fa517"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # partial confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      # Information-gathering category: the plugin only reads collected host data.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      # Prerequisites: the plugin needs these KB keys, including the RedHat-namespaced
      # release and rpm-list entries that the checks below read for Scientific Linux.
      # NOTE(review): the keys are presumably populated by ssh_get_info.nasl over an
      # authenticated login - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
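    # Local package-version check for Scientific Linux 3 and 5: reads knowledge-base
    # (KB) items and compares installed cups RPM builds with the fixed builds. The
    # vulnerable code is never exercised, so the verdict rests on the package list.
    # NOTE(review): every audit() call is expected to terminate the plugin - the
    # statements after each guard rely on that; confirm against audit.inc.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    # `a >!< b` is true when a is NOT a substring of b: require the distro name in the release string.
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    # The literal goes on the left of `>!<`: the host is supported when its cpu string
    # contains "x86_64" or is i386 through i686. With the operands the other way round,
    # any fragment of "x86_64" reported as the cpu would be treated as supported.
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    # flag counts the packages that rpm_check() reports.
    # NOTE(review): rpm_check() presumably returns true when the installed package is
    # older than the reference build for the matching release - confirm against rpm.inc.
    flag = 0;
    if (rpm_check(release:"SL3", reference:"cups-1.1.17-13.3.55")) flag++;
    if (rpm_check(release:"SL3", reference:"cups-devel-1.1.17-13.3.55")) flag++;
    if (rpm_check(release:"SL3", reference:"cups-libs-1.1.17-13.3.55")) flag++;
    
    if (rpm_check(release:"SL5", reference:"cups-1.2.4-11.18.el5_2.3")) flag++;
    if (rpm_check(release:"SL5", reference:"cups-devel-1.2.4-11.18.el5_2.3")) flag++;
    if (rpm_check(release:"SL5", reference:"cups-libs-1.2.4-11.18.el5_2.3")) flag++;
    if (rpm_check(release:"SL5", reference:"cups-lpd-1.2.4-11.18.el5_2.3")) flag++;
    
    
    if (flag)
    {
      # Report on port 0; the package comparison text is attached only when
      # report_verbosity is above 0.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");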
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-028.NASL
    descriptionSecurity vulnerabilities have been discovered and corrected in CUPS. CUPS before 1.3.8 allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference (CVE-2008-5183). The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username when a user is not logged on to the web server, which makes it easier for remote attackers to bypass intended policy and conduct CSRF attacks via the (1) add and (2) cancel RSS subscription functions (CVE-2008-5184). CUPS 1.1.17 through 1.3.9 allows remote attackers to execute arbitrary code via a PNG image with a large height value, which bypasses a validation check and triggers a buffer overflow (CVE-2008-5286). CUPS shipped with Mandriva Linux allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file (CVE-2009-0032). The updated packages have been patched to prevent this.
    last seen2020-06-01
    modified2020-06-02
    plugin id36414
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36414
    titleMandriva Linux Security Advisory : cups (MDVSA-2009:028)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2009:028. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs only when `description` is true: it
    # declares the plugin's identity, references and prerequisites, then exits
    # before any host check is made.
    if (description)
    {
      script_id(36414);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:51");
    
      # The advisory bundles four CVEs; the metadata below applies to the set as a whole.
      script_cve_id("CVE-2008-5183", "CVE-2008-5184", "CVE-2008-5286", "CVE-2009-0032");
      script_bugtraq_id(32419, 32518);
      script_xref(name:"MDVSA", value:"2009:028");
    
      script_name(english:"Mandriva Linux Security Advisory : cups (MDVSA-2009:028)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security vulnerabilities have been discovered and corrected in CUPS.
    
    CUPS before 1.3.8 allows local users, and possibly remote attackers,
    to cause a denial of service (daemon crash) by adding a large number
    of RSS Subscriptions, which triggers a NULL pointer dereference
    (CVE-2008-5183).
    
    The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the
    guest username when a user is not logged on to the web server, which
    makes it easier for remote attackers to bypass intended policy and
    conduct CSRF attacks via the (1) add and (2) cancel RSS subscription
    functions (CVE-2008-5184).
    
    CUPS 1.1.17 through 1.3.9 allows remote attackers to execute arbitrary
    code via a PNG image with a large height value, which bypasses a
    validation check and triggers a buffer overflow (CVE-2008-5286).
    
    CUPS shipped with Mandriva Linux allows local users to overwrite
    arbitrary files via a symlink attack on the /tmp/pdf.log temporary
    file (CVE-2009-0032).
    
    The updated packages have been patched to prevent this."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # complete confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      # Temporal vector: exploitability not defined, official fix, confirmed report.
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(59, 189, 255, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Package CPEs for both the 32-bit (libcups2*) and 64-bit (lib64cups2*) library names.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups-serial");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cups2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cups2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libcups2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libcups2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cups");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/01/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      # Information-gathering category: the plugin only reads collected host data.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # Prerequisites: the KB keys use the older "Mandrake" namespace.
      # NOTE(review): the keys are presumably populated by ssh_get_info.nasl over an
      # authenticated login - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
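    # Local package-version check for Mandriva Linux 2008.0 and 2008.1: reads
    # knowledge-base (KB) items and compares installed cups RPM builds with the
    # fixed builds. The vulnerable code is never exercised, so the verdict rests
    # on the collected package list.
    # NOTE(review): every audit() call is expected to terminate the plugin - the
    # statements after each guard rely on that; confirm against audit.inc.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # OS name spelled the same way as in the architecture audit message below.
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    # Anchored match: the cpu string must be exactly amd64, x86_64 or i386 through i686.
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # flag counts the packages that rpm_check() reports. The lib64cups2* packages are
    # checked with cpu:"x86_64" and the libcups2* packages with cpu:"i386".
    # NOTE(review): rpm_check() presumably returns true when the installed package is
    # older than the reference build, and yank:"mdv" presumably drops the distro tag
    # before the comparison - confirm both against rpm.inc.
    flag = 0;
    if (rpm_check(release:"MDK2008.0", reference:"cups-1.3.6-1.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"cups-common-1.3.6-1.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"cups-serial-1.3.6-1.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64cups2-1.3.6-1.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64cups2-devel-1.3.6-1.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libcups2-1.3.6-1.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libcups2-devel-1.3.6-1.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"php-cups-1.3.6-1.4mdv2008.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2008.1", reference:"cups-1.3.6-5.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"cups-common-1.3.6-5.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"cups-serial-1.3.6-5.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64cups2-1.3.6-5.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64cups2-devel-1.3.6-5.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libcups2-1.3.6-5.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libcups2-devel-1.3.6-5.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"php-cups-1.3.6-5.3mdv2008.1", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      # Report on port 0; the package comparison text is attached only when
      # report_verbosity is above 0.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");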
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200812-11.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200812-11 (CUPS: Multiple vulnerabilities) Several buffer overflows were found in: The read_rle16 function in imagetops (CVE-2008-3639, found by regenrecht, reported via ZDI) The WriteProlog function in texttops (CVE-2008-3640, found by regenrecht, reported via ZDI) The Hewlett-Packard Graphics Language (HPGL) filter (CVE-2008-3641, found by regenrecht, reported via iDefense) The _cupsImageReadPNG function (CVE-2008-5286, reported by iljavs) Impact : A remote attacker could send specially crafted input to a vulnerable server, resulting in the remote execution of arbitrary code with the privileges of the user running the server. Workaround : None this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id35086
    published2008-12-11
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35086
    titleGLSA-200812-11 : CUPS: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200812-11.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs only when `description` is true: it
    # declares the plugin's identity, references and prerequisites, then exits
    # before any host check is made.
    if (description)
    {
      script_id(35086);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:45");
    
      # The GLSA bundles four CVEs; the metadata below applies to the set as a whole.
      script_cve_id("CVE-2008-3639", "CVE-2008-3640", "CVE-2008-3641", "CVE-2008-5286");
      script_bugtraq_id(31688, 31690, 32518);
      script_xref(name:"GLSA", value:"200812-11");
    
      script_name(english:"GLSA-200812-11 : CUPS: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200812-11
    (CUPS: Multiple vulnerabilities)
    
        Several buffer overflows were found in:
        The read_rle16 function in imagetops (CVE-2008-3639, found by
        regenrecht, reported via ZDI)
        The WriteProlog function in texttops (CVE-2008-3640, found by
        regenrecht, reported via ZDI)
        The Hewlett-Packard Graphics Language (HPGL) filter (CVE-2008-3641,
        found by regenrecht, reported via iDefense)
        The _cupsImageReadPNG function (CVE-2008-5286, reported by iljavs)
      
    Impact :
    
        A remote attacker could send specially crafted input to a vulnerable
        server, resulting in the remote execution of arbitrary code with the
        privileges of the user running the server.
      
    Workaround :
    
        None this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200812-11"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All CUPS users should upgrade to the latest version.
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-print/cups-1.3.9-r1'"
      );
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # complete confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      # Temporal vector: functional exploit exists, official fix, confirmed report.
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      # NOTE(review): presumably marks coverage by the Core Impact framework - confirm.
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(119, 189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:cups");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/11");
      script_end_attributes();
    
      # Information-gathering category: the plugin only reads collected host data.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      # Prerequisites: Gentoo release and the qpkg package list must be in the KB.
      # NOTE(review): the keys are presumably populated by ssh_get_info.nasl over an
      # authenticated login - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Local package-version check for Gentoo: reads knowledge-base (KB) items and
    # compares the installed net-print/cups version with the fixed one. The
    # vulnerable code is never exercised, so the verdict rests on the package list.
    # NOTE(review): every audit() call is expected to terminate the plugin - the
    # statements after each guard rely on that; confirm against audit.inc.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    # Versions below 1.3.9-r1 are listed as vulnerable, 1.3.9-r1 and later as unaffected.
    # NOTE(review): qpkg_check() presumably returns true when the installed version
    # falls in the vulnerable range - confirm against qpkg.inc.
    if (qpkg_check(package:"net-print/cups", unaffected:make_list("ge 1.3.9-r1"), vulnerable:make_list("lt 1.3.9-r1"))) flag++;
    
    if (flag)
    {
      # Report on port 0; the package comparison text is attached only when
      # report_verbosity is above 0.
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Nothing flagged: tell "package was checked and is not affected" apart from
      # "package not installed".
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "CUPS");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_CUPS-5838.NASL
    descriptionPrevious updates for the PNG and HPGL filters were incomplete and are corrected now (CVE-2008-3641, CVE-2008-5286).
    last seen2020-06-01
    modified2020-06-02
    plugin id35368
    published2009-01-14
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35368
    titleopenSUSE 10 Security Update : cups (cups-5838)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update cups-5838.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs only when `description` is true: it
    # declares the plugin's identity, references and prerequisites, then exits
    # before any host check is made.
    if (description)
    {
      script_id(35368);
      script_version ("1.10");
      script_cvs_date("Date: 2019/10/25 13:36:32");
    
      # Both CVEs had earlier, incomplete fixes according to the description below.
      script_cve_id("CVE-2008-3641", "CVE-2008-5286");
    
      script_name(english:"openSUSE 10 Security Update : cups (cups-5838)");
      script_summary(english:"Check for the cups-5838 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Previous updates for the PNG and HPGL filters were incomplete and are
    corrected now (CVE-2008-3641, CVE-2008-5286)."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cups packages.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # complete confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      # NOTE(review): presumably marks coverage by the Core Impact framework - confirm.
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-libs-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/01/14");
      script_end_attributes();
    
      # Information-gathering category: the plugin only reads collected host data.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # Prerequisites: SuSE release, rpm list and cpu must be in the KB.
      # NOTE(review): the keys are presumably populated by ssh_get_info.nasl over an
      # authenticated login - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Local package-version check for openSUSE 10.3: reads knowledge-base (KB) items
    # and compares installed cups RPM builds with the fixed build. The vulnerable
    # code is never exercised, so the verdict rests on the collected package list.
    # NOTE(review): every audit() call is expected to terminate the plugin - the
    # statements after each guard rely on that; confirm against audit.inc.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    # Release strings starting with SLED or SLES are not openSUSE and are rejected.
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    # Anchored match: only the exact release "SUSE10.3" is in scope.
    if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    # Anchored match: the cpu string must be exactly i586, i686 or x86_64.
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    # flag counts the packages that rpm_check() reports; the 32-bit compatibility
    # library is checked with cpu:"x86_64" only.
    # NOTE(review): rpm_check() presumably returns true when the installed package is
    # older than the reference build - confirm against rpm.inc.
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.3", reference:"cups-1.2.12-22.19") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"cups-client-1.2.12-22.19") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"cups-devel-1.2.12-22.19") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"cups-libs-1.2.12-22.19") ) flag++;
    if ( rpm_check(release:"SUSE10.3", cpu:"x86_64", reference:"cups-libs-32bit-1.2.12-22.19") ) flag++;
    
    if (flag)
    {
      # Report on port 0; the package comparison text is attached only when
      # report_verbosity is above 0.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Nothing flagged: tell "packages were checked and are not affected" apart from
      # "none of the listed packages is installed".
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-client / cups-devel / cups-libs / cups-libs-32bit");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_CUPS-5845.NASL
    descriptionPrevious updates for the PNG and HPGL filters were incomplete and are corrected now. (CVE-2008-3641 / CVE-2008-5286)
    last seen2020-06-01
    modified2020-06-02
    plugin id41493
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41493
    titleSuSE 10 Security Update : Cups (ZYPP Patch Number 5845)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs only when `description` is true: it
    # declares the plugin's identity, references and prerequisites, then exits
    # before any host check is made.
    if (description)
    {
      script_id(41493);
      script_version ("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:32");
    
      # Both CVEs had earlier, incomplete fixes according to the description below.
      script_cve_id("CVE-2008-3641", "CVE-2008-5286");
    
      script_name(english:"SuSE 10 Security Update : Cups (ZYPP Patch Number 5845)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Previous updates for the PNG and HPGL filters were incomplete and are
    corrected now. (CVE-2008-3641 / CVE-2008-5286)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-3641.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-5286.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 5845.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # complete confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      # NOTE(review): presumably marks coverage by the Core Impact framework - confirm.
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      # Information-gathering category: the plugin only reads collected host data.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # Prerequisites: SuSE release, rpm list and cpu must be in the KB.
      # NOTE(review): the keys are presumably populated by ssh_get_info.nasl over an
      # authenticated login - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
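    # Local package-version check for SLED 10 / SLES 10 SP2: reads knowledge-base
    # (KB) items and compares installed cups RPM builds with the fixed build. The
    # vulnerable code is never exercised, so the verdict rests on the package list.
    # This script reports preconditions through exit(code, message): code 0 for
    # "not applicable", code 1 where required data is missing.
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    # `a >!< b` is true when a is NOT a substring of b, so the literal goes on the left:
    # the host is supported when its cpu string contains "x86_64" or is i386 through i686.
    # With the operands the other way round, any fragment of "x86_64" reported as the cpu
    # would be treated as supported.
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    # flag counts the packages that rpm_check() reports. The release itself is not
    # matched here; product and service pack are passed to rpm_check() instead.
    # NOTE(review): rpm_check() presumably returns true only when the host matches
    # release/sp and the installed package is older than the reference build -
    # confirm against rpm.inc.
    flag = 0;
    if (rpm_check(release:"SLED10", sp:2, reference:"cups-1.1.23-40.49")) flag++;
    if (rpm_check(release:"SLED10", sp:2, reference:"cups-client-1.1.23-40.49")) flag++;
    if (rpm_check(release:"SLED10", sp:2, reference:"cups-devel-1.1.23-40.49")) flag++;
    if (rpm_check(release:"SLED10", sp:2, reference:"cups-libs-1.1.23-40.49")) flag++;
    if (rpm_check(release:"SLED10", sp:2, cpu:"x86_64", reference:"cups-libs-32bit-1.1.23-40.49")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"cups-1.1.23-40.49")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"cups-client-1.1.23-40.49")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"cups-devel-1.1.23-40.49")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"cups-libs-1.1.23-40.49")) flag++;
    if (rpm_check(release:"SLES10", sp:2, cpu:"x86_64", reference:"cups-libs-32bit-1.1.23-40.49")) flag++;
    
    
    if (flag)
    {
      # Report on port 0; the package comparison text is attached only when
      # report_verbosity is above 0.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");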
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_CUPS-081203.NASL
    descriptionPrevious updates for the PNG and HPGL filters were incomplete and are corrected now. Also cups used a guest user account for RSS subscriptions which made it easier for attackers to conduct CSRF attacks. (CVE-2008-3641, CVE-2008-5184, CVE-2008-5286)
    last seen2020-06-01
    modified2020-06-02
    plugin id39943
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/39943
    titleopenSUSE Security Update : cups (cups-356)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update cups-356.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs only when `description` is true: it
    # declares the plugin's identity, references and prerequisites, then exits
    # before any host check is made.
    if (description)
    {
      script_id(39943);
      script_version("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:31");
    
      # Two filter fixes that were previously incomplete plus the RSS-subscription
      # CSRF issue, per the description below.
      script_cve_id("CVE-2008-3641", "CVE-2008-5184", "CVE-2008-5286");
    
      script_name(english:"openSUSE Security Update : cups (cups-356)");
      script_summary(english:"Check for the cups-356 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Previous updates for the PNG and HPGL filters were incomplete and are
    corrected now. Also cups used a guest user account for RSS
    subscriptions which made it eeasier for attackers to conduct CSRF
    attacks. (CVE-2008-3641, CVE-2008-5184, CVE-2008-5286)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=430543"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=446975"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=448631"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cups packages.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # complete confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      # NOTE(review): presumably marks coverage by the Core Impact framework - confirm.
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(189, 255, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-libs-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
      script_end_attributes();
    
      # Information-gathering category: the plugin only reads collected host data.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # Prerequisites: SuSE release, rpm list and cpu must be in the KB.
      # NOTE(review): the keys are presumably populated by ssh_get_info.nasl over an
      # authenticated login - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Local package check for openSUSE 11.0. Every input below is read from the
    # scanner knowledge base (KB); nothing here contacts the CUPS service.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/SuSE/release");
    # Release strings starting with SLED/SLES are reported as "not openSUSE".
    if (isnull(release) || release =~ "^(SLED|SLES)")
      audit(AUDIT_OS_NOT, "openSUSE");
    # This plugin only covers the SUSE11.0 release string.
    if (release !~ "^(SUSE11\.0)$")
      audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    ourarch = get_kb_item("Host/cpu");
    if (!ourarch)
      audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$")
      audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

    flag = 0;

    # Every reference is tested, in the listed order, with no short-circuit.
    # rpm_check comes from rpm.inc (not shown); presumably it is true when the
    # installed package is older than the reference - confirm against rpm.inc.
    foreach cups_rpm_ref (make_list(
      "cups-1.3.7-25.6",
      "cups-client-1.3.7-25.6",
      "cups-devel-1.3.7-25.6",
      "cups-libs-1.3.7-25.6"))
    {
      if (rpm_check(release:"SUSE11.0", reference:cups_rpm_ref)) flag++;
    }
    # The 32-bit compatibility libraries are only checked for x86_64.
    if (rpm_check(release:"SUSE11.0", cpu:"x86_64", reference:"cups-libs-32bit-1.3.7-25.6")) flag++;

    if (!flag)
    {
      # Nothing matched: say whether packages were tested or none was installed.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-client / cups-devel / cups-libs / cups-libs-32bit");
    }
    else
    {
      # At least one package matched: report on port 0, adding the rpm report
      # text when report_verbosity is above 0.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-707-1.NASL
    description: It was discovered that CUPS didn't properly handle adding a large number of RSS subscriptions. [...] (summary truncated; the full text is in the plugin's description attribute below)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38132
    published: 2009-04-23
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38132
    title: Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : cups, cupsys vulnerabilities (USN-707-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-707-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    # Registration section: when `description` is set, only the metadata calls
    # below run and the script exits (exit(0) at the end of the block) before
    # any package check is made.
    if (description)
    {
      script_id(38132);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:33:02");
    
      # One plugin covers four CVEs from USN-707-1; a hit does not say which of
      # them applies to a given host or release.
      script_cve_id("CVE-2008-5183", "CVE-2008-5184", "CVE-2008-5286", "CVE-2008-5377");
      script_bugtraq_id(32419, 32518);
      script_xref(name:"USN", value:"707-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : cups, cupsys vulnerabilities (USN-707-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that CUPS didn't properly handle adding a large
    number of RSS subscriptions. A local user could exploit this and cause
    CUPS to crash, leading to a denial of service. This issue only applied
    to Ubuntu 7.10, 8.04 LTS and 8.10. (CVE-2008-5183)
    
    It was discovered that CUPS did not authenticate users when adding and
    cancelling RSS subscriptions. An unprivileged local user could bypass
    intended restrictions and add a large number of RSS subscriptions.
    This issue only applied to Ubuntu 7.10 and 8.04 LTS. (CVE-2008-5184)
    
    It was discovered that the PNG filter in CUPS did not properly handle
    certain malformed images. If a user or automated system were tricked
    into opening a crafted PNG image file, a remote attacker could cause a
    denial of service or execute arbitrary code with user privileges. In
    Ubuntu 7.10, 8.04 LTS, and 8.10, attackers would be isolated by the
    AppArmor CUPS profile. (CVE-2008-5286)
    
    It was discovered that the example pstopdf CUPS filter created log
    files in an insecure way. Local users could exploit a race condition
    to create or overwrite files with the privileges of the user invoking
    the program. This issue only applied to Ubuntu 6.06 LTS, 7.10, and
    8.04 LTS. (CVE-2008-5377).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/707-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # Plugin-wide CVSS2 base vector: network, low complexity, no
      # authentication, complete C/I/A. The description above rates three of the
      # four CVEs as local-user issues and says AppArmor confines the PNG filter
      # issue on 7.10 / 8.04 LTS / 8.10, so read this as a worst-case rating for
      # the bundle, not a per-CVE score.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(59, 189, 255, 399);
    
      # "local": the finding comes from the package list held in the scanner KB,
      # not from probing the CUPS service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-bsd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cupsys");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cupsys-bsd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cupsys-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cupsys-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cupsys-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcups2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcups2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsimage2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsimage2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsys2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsys2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsys2-gnutls10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/01/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      # The plugin depends on ssh_get_info.nasl and on the KB keys below, which
      # are presumably filled from a credentialed login - confirm.
      # "Host/local_checks_enabled" is not in this list although the check body
      # reads it.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    # Local package check for USN-707-1. All inputs come from the scanner
    # knowledge base (KB); the CUPS service itself is never contacted.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/Ubuntu/release");
    if (isnull(release))
      audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    # Only the four releases named in the advisory are evaluated.
    if (!ereg(pattern:"^(6\.06|7\.10|8\.04|8\.10)$", string:release))
      audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 7.10 / 8.04 / 8.10", "Ubuntu " + release);
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
      audit(AUDIT_UNKNOWN_ARCH);
    # Accept a cpu string that contains "x86_64" or is i386..i686.
    if (!("x86_64" >< cpu || cpu =~ "^i[3-6]86$"))
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

    flag = 0;

    # ubuntu_check comes from ubuntu.inc (not shown); presumably it is true
    # when the installed package is older than pkgver - confirm against
    # ubuntu.inc. Every package is tested, release by release, in the same
    # order as the advisory's package list.

    # Ubuntu 6.06 LTS
    foreach cups_pkg (make_list(
      "cupsys", "cupsys-bsd", "cupsys-client",
      "libcupsimage2", "libcupsimage2-dev",
      "libcupsys2", "libcupsys2-dev", "libcupsys2-gnutls10"))
    {
      if (ubuntu_check(osver:"6.06", pkgname:cups_pkg, pkgver:"1.2.2-0ubuntu0.6.06.12")) flag++;
    }

    # Ubuntu 7.10
    foreach cups_pkg (make_list(
      "cupsys", "cupsys-bsd", "cupsys-client", "cupsys-common",
      "libcupsimage2", "libcupsimage2-dev",
      "libcupsys2", "libcupsys2-dev"))
    {
      if (ubuntu_check(osver:"7.10", pkgname:cups_pkg, pkgver:"1.3.2-1ubuntu7.9")) flag++;
    }

    # Ubuntu 8.04 LTS
    foreach cups_pkg (make_list(
      "cupsys", "cupsys-bsd", "cupsys-client", "cupsys-common",
      "libcupsimage2", "libcupsimage2-dev",
      "libcupsys2", "libcupsys2-dev"))
    {
      if (ubuntu_check(osver:"8.04", pkgname:cups_pkg, pkgver:"1.3.7-1ubuntu3.3")) flag++;
    }

    # Ubuntu 8.10 (both the cups-* and the cupsys-* package names are listed)
    foreach cups_pkg (make_list(
      "cups", "cups-bsd", "cups-client", "cups-common", "cups-dbg",
      "cupsys", "cupsys-bsd", "cupsys-client", "cupsys-common", "cupsys-dbg",
      "libcups2", "libcups2-dev",
      "libcupsimage2", "libcupsimage2-dev",
      "libcupsys2", "libcupsys2-dev"))
    {
      if (ubuntu_check(osver:"8.10", pkgname:cups_pkg, pkgver:"1.3.9-2ubuntu6.1")) flag++;
    }

    if (!flag)
    {
      # Nothing matched: say whether packages were tested or none was installed.
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-bsd / cups-client / cups-common / cups-dbg / cupsys / etc");
    }
    else
    {
      # At least one package matched: report on port 0 with the package report.
      security_report_v4(port:0, severity:SECURITY_HOLE, extra:ubuntu_report_get());
      exit(0);
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE9_12317.NASL
    description: Previous updates for the PNG and HPGL filters were incomplete and are corrected now. (CVE-2008-3641, CVE-2008-5286)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41261
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41261
    title: SuSE9 Security Update : Cups (YOU Patch Number 12317)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    # Registration section: when `description` is set, only the metadata calls
    # below run and the script exits (exit(0) at the end of the block) before
    # any package check is made.
    if (description)
    {
      script_id(41261);
      script_version("1.10");
      script_cvs_date("Date: 2019/10/25 13:36:31");
    
      # Two CVEs share this plugin; a hit does not say which one applies.
      script_cve_id("CVE-2008-3641", "CVE-2008-5286");
    
      script_name(english:"SuSE9 Security Update : Cups (YOU Patch Number 12317)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Previous updates for the PNG and HPGL filters were incomplete and are
    corrected now. (CVE-2008-3641, CVE-2008-5286)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-3641.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-5286.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12317.");
      # Plugin-wide CVSS2 base vector: network, low complexity, no
      # authentication, complete C/I/A. It rates the two-CVE bundle, not either
      # CVE on its own.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      # The exploit flags are also plugin-wide; nothing here says which of the
      # two CVEs they refer to.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(189, 399);
    
      # "local": the finding comes from the package list held in the scanner KB,
      # not from probing the CUPS service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Only an OS-level CPE is set; no per-package CPE is registered here.
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # The plugin depends on ssh_get_info.nasl and on the KB keys below, which
      # are presumably filled from a credentialed login - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
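    # Local package check for SuSE 9 (YOU patch 12317). All inputs come from the
    # scanner knowledge base (KB); the CUPS service itself is never contacted.
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    # The substring operators take the needle on the left and the haystack on
    # the right. The original wrote `cpu >!< "x86_64"`, which asks whether cpu
    # occurs inside "x86_64" and so lets any fragment of that string (or an
    # empty value) pass. Test for "x86_64" inside cpu instead, as the Ubuntu
    # plugin on this page does.
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");
    
    
    # rpm_check comes from rpm.inc (not shown); presumably it is true when the
    # installed package is older than the reference - confirm against rpm.inc.
    # Every reference is tested so the report can list each outdated package.
    flag = 0;
    if (rpm_check(release:"SUSE9", reference:"cups-1.1.20-108.56")) flag++;
    if (rpm_check(release:"SUSE9", reference:"cups-client-1.1.20-108.56")) flag++;
    if (rpm_check(release:"SUSE9", reference:"cups-devel-1.1.20-108.56")) flag++;
    if (rpm_check(release:"SUSE9", reference:"cups-libs-1.1.20-108.56")) flag++;
    # The 32-bit compatibility libraries use a different version scheme and are
    # only checked for x86_64.
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"cups-libs-32bit-9-200812030152")) flag++;
    
    
    if (flag)
    {
      # At least one package matched: report on port 0, adding the rpm report
      # text when report_verbosity is above 0.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");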
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1677.NASL
    description: An integer overflow has been discovered in the image validation code of cupsys, the Common UNIX Printing System. An attacker could trigger this bug by supplying a malicious graphic that could lead to the execution of arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35011
    published: 2008-12-03
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35011
    title: Debian DSA-1677-1 : cupsys - integer overflow
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1677. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration section: when `description` is set, only the metadata calls
    # below run and the script exits (exit(0) at the end of the block) before
    # any package check is made.
    if (description)
    {
      script_id(35011);
      script_version("1.11");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      # Single-CVE plugin: a hit maps directly to CVE-2008-5286.
      script_cve_id("CVE-2008-5286");
      script_bugtraq_id(32518);
      script_xref(name:"DSA", value:"1677");
    
      script_name(english:"Debian DSA-1677-1 : cupsys - integer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An integer overflow has been discovered in the image validation code
    of cupsys, the Common UNIX Printing System. An attacker could trigger
    this bug by supplying a malicious graphic that could lead to the
    execution of arbitrary code."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507183"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2008/dsa-1677"
      );
      # The solution text is the advisory's wording from publication time: the
      # lenny sentence is not updated here, and the only OS CPE registered
      # below is Debian 4.0.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the cupsys packages.
    
    For the stable distribution (etch) this problem has been fixed in
    version 1.2.7-4etch6.
    
    For testing distribution (lenny) this issue will be fixed soon."
      );
      # CVSS2 base vector: network, low complexity, no authentication, partial
      # C/I/A.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(189);
    
      # "local": the finding comes from the package list held in the scanner KB,
      # not from probing the CUPS service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cupsys");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # The plugin depends on ssh_get_info.nasl and on the KB keys below, which
      # are presumably filled from a credentialed login - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Local package check for DSA-1677. All inputs come from the scanner
    # knowledge base (KB); the CUPS service itself is never contacted.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    flag = 0;

    # deb_check comes from debian_package.inc (not shown); presumably it is
    # true when the installed package is older than the reference - confirm
    # against debian_package.inc. Only release 4.0 is evaluated, and every
    # package is tested, in the listed order, with no short-circuit.
    foreach cups_deb (make_list(
      "cupsys", "cupsys-bsd", "cupsys-client", "cupsys-common", "cupsys-dbg",
      "libcupsimage2", "libcupsimage2-dev",
      "libcupsys2", "libcupsys2-dev", "libcupsys2-gnutls10"))
    {
      if (deb_check(release:"4.0", prefix:cups_deb, reference:"1.2.7-4etch6")) flag++;
    }

    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      # At least one package matched: report on port 0, adding the dpkg report
      # text when report_verbosity is above 0.
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    

Oval

accepted: 2013-04-29T04:01:01.012-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
description: Integer overflow in the _cupsImageReadPNG function in CUPS 1.1.17 through 1.3.9 allows remote attackers to execute arbitrary code via a PNG image with a large height value, which bypasses a validation check and triggers a buffer overflow.
family: unix
id: oval:org.mitre.oval:def:10058
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Integer overflow in the _cupsImageReadPNG function in CUPS 1.1.17 through 1.3.9 allows remote attackers to execute arbitrary code via a PNG image with a large height value, which bypasses a validation check and triggers a buffer overflow.
version: 26

Redhat

advisories
rhsa
id: RHSA-2008:1028
rpms
  • cups-1:1.1.17-13.3.55
  • cups-debuginfo-1:1.1.17-13.3.55
  • cups-devel-1:1.1.17-13.3.55
  • cups-libs-1:1.1.17-13.3.55