Vulnerabilities > CVE-2010-0302 - Use After Free vulnerability in multiple products
Summary
Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2010-3693.NASL description This update fixes a denial of service security issue (CVE-2010-0302). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 47324 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47324 title Fedora 13 : cups-1.4.2-34.fc13 (2010-3693) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2010-3693. # include("compat.inc"); if (description) { script_id(47324); script_version("1.12"); script_cvs_date("Date: 2019/08/02 13:32:32"); script_cve_id("CVE-2009-3553", "CVE-2010-0302"); script_bugtraq_id(37048, 38510); script_xref(name:"FEDORA", value:"2010-3693"); script_name(english:"Fedora 13 : cups-1.4.2-34.fc13 (2010-3693)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update fixes a denial of service security issue (CVE-2010-0302). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=557775" ); # https://lists.fedoraproject.org/pipermail/package-announce/2010-March/037027.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b7805199" ); script_set_attribute(attribute:"solution", value:"Update the affected cups package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:cups"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:13"); script_set_attribute(attribute:"patch_publication_date", value:"2010/03/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^13([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 13.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC13", reference:"cups-1.4.2-34.fc13")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups"); }
NASL family Misc. NASL id CUPS_1_4_4.NASL description According to its banner, the version of CUPS installed on the remote host is earlier than 1.4.4. Such versions are affected by several vulnerabilities : - The patch for STR #3200 / CVE-2009-3553 was not complete. A remote client can cause a denial of service by causing the CUPS server to reference an already freed resource. (STR #3490) (CVE-2010-0302) - The CUPS daemon may be vulnerable to certain cross-site request forgery (CSRF) attacks, e.g., malicious IFRAME attacks. (STR #3498) (CVE-2010-0540) - An unprivileged process may be able to cause the CUPS server to overwrite arbitrary files as the root user. (STR #3510) (CVE-2010-2431) - The CUPS daemon is vulnerable to a heap corruption attack as the last seen 2020-06-01 modified 2020-06-02 plugin id 47683 published 2010-07-08 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47683 title CUPS < 1.4.4 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(47683); script_version("1.12"); script_cvs_date("Date: 2018/07/06 11:26:07"); script_cve_id( "CVE-2010-0302", "CVE-2010-0540", "CVE-2010-0542", "CVE-2010-1748", "CVE-2010-2431", "CVE-2010-2432" ); script_bugtraq_id(38510, 40889, 40897, 40943, 41126, 41131); script_xref(name:"Secunia", value:"40165"); script_name(english:"CUPS < 1.4.4 Multiple Vulnerabilities"); script_summary(english:"Checks CUPS server version"); script_set_attribute(attribute:"synopsis", value:"The remote printer service is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of CUPS installed on the remote host is earlier than 1.4.4. Such versions are affected by several vulnerabilities : - The patch for STR #3200 / CVE-2009-3553 was not complete. A remote client can cause a denial of service by causing the CUPS server to reference an already freed resource. (STR #3490) (CVE-2010-0302) - The CUPS daemon may be vulnerable to certain cross-site request forgery (CSRF) attacks, e.g., malicious IFRAME attacks. (STR #3498) (CVE-2010-0540) - An unprivileged process may be able to cause the CUPS server to overwrite arbitrary files as the root user. (STR #3510) (CVE-2010-2431) - The CUPS daemon is vulnerable to a heap corruption attack as the 'textops' filter does not verify the results of memory allocations. It is possible this may lead to arbitrary code execution. (STR #3516) (CVE-2010-0542) - The CUPS daemon is vulnerable to a denial of service attack if compiled without HAVE_GSSAPI. (STR #3518) (CVE-2010-2432) - The CUPS daemon is vulnerable to an information disclosure attack as an attacker can view portions of uninitialized memory by a specially crafted URL. (STR #3577) (CVE-2010-1748)"); script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L3490"); script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L3498"); script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L3510"); script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L3516"); script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L3518"); script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L3577"); script_set_attribute(attribute:"see_also", value:"http://www.cups.org/articles.php?L596"); script_set_attribute(attribute:"solution", value:"Upgrade to CUPS version 1.4.4 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(399); script_set_attribute(attribute:"vuln_publication_date", value:"2010/02/03"); script_set_attribute(attribute:"patch_publication_date", value:"2010/06/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/08"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:cups"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies("http_version.nasl", "cups_1_3_5.nasl"); script_require_keys("www/cups", "Settings/ParanoidReport"); script_require_ports("Services/www", 631); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:631, embedded:TRUE); get_kb_item_or_exit("www/"+port+"/cups/running"); version = get_kb_item_or_exit("cups/"+port+"/version"); source = get_kb_item_or_exit("cups/"+port+"/source"); if (report_paranoia < 2) audit(AUDIT_PARANOID); if ( version =~ "^1\.([0-3]|4\.[0-3])($|[^0-9])" || version =~ "^1\.4(rc|b)" ) { set_kb_item(name:'www/'+port+'/XSRF', value:TRUE); if (report_verbosity > 0) { report = '\n Version source : ' + source + '\n Installed version : ' + version + '\n Fixed version : 1.4.4\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else if (version =~ "^(1|1\.4)($|[^0-9.])") audit(AUDIT_VER_NOT_GRANULAR, "CUPS", port, version); else audit(AUDIT_LISTEN_NOT_VULN, "CUPS", port, version);
NASL family Scientific Linux Local Security Checks NASL id SL_20100303_CUPS_ON_SL5_X.NASL description CVE-2010-0302 cups Incomplete fix for CVE-2009-3553 It was discovered that the cups 1.3.7-11.el5_4.4 security update did not fully correct the use-after-free flaw in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could send specially crafted queries to the CUPS server, causing it to crash. (CVE-2010-0302) After installing the update, the cupsd daemon will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 60743 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60743 title Scientific Linux Security Update : cups on SL5.x i386/x86_64 NASL family Fedora Local Security Checks NASL id FEDORA_2010-2743.NASL description This update addresses a denial of service security issue (CVE-2010-0302) as well as fixing several other small problems: * classes.conf is now updated when a class member is deleted. * the usermode dependency has been removed. * the udev rules are now installed in the correct location. * cups-config now has no multilib conflict. * the ipp backend now clears the printer status on completion. * cupsGetNamedDest() is no longer confused by old configuration files. * the scheduler no longer treats SIGPIPE as a filter error. * the gcrypt threading patch has been reverted. * the package no longer owns filesystem-owned directories. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 47293 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/47293 title Fedora 11 : cups-1.4.2-26.fc11 (2010-2743) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-1595.NASL description Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 12th January 2010] The packages list in this erratum has been updated to include missing i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553) Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820) Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the CVE-2009-2820 issue. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 67076 published 2013-06-29 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67076 title CentOS 5 : cups (CESA-2009:1595) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0129.NASL description Updated cups packages that fix one security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. It was discovered that the Red Hat Security Advisory RHSA-2009:1595 did not fully correct the use-after-free flaw in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could send specially crafted queries to the CUPS server, causing it to crash. (CVE-2010-0302) Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the cupsd daemon will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 44973 published 2010-03-04 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44973 title RHEL 5 : cups (RHSA-2010:0129) NASL family Fedora Local Security Checks NASL id FEDORA_2010-3761.NASL description This update addresses a denial of service security issue (CVE-2010-0302) as well as fixing several other small problems: * classes.conf is now updated when a class member is deleted. * the usermode dependency has been removed. * the udev rules are now installed in the correct location. * cups-config now has no multilib conflict. * the ipp backend now clears the printer status on completion. * cupsGetNamedDest() is no longer confused by old configuration files. * the scheduler no longer treats SIGPIPE as a filter error. * the gcrypt threading patch has been reverted. * the package no longer owns filesystem-owned directories. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 47327 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47327 title Fedora 12 : cups-1.4.2-28.fc12 (2010-3761) NASL family MacOS X Local Security Checks NASL id MACOSX_10_6_4.NASL description The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.4. Mac OS X 10.6.4 contains security fixes for the following components : - CUPS - DesktopServices - Flash Player plug-in - Folder Manager - Help Viewer - iChat - ImageIO - Kerberos - Kernel - libcurl - Network Authorization - Open Directory - Printer Setup - Printing - Ruby - SMB File Server - SquirrelMail - Wiki Server last seen 2020-06-01 modified 2020-06-02 plugin id 47023 published 2010-06-15 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47023 title Mac OS X 10.6.x < 10.6.4 Multiple Vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-906-1.NASL description It was discovered that the CUPS scheduler did not properly handle certain network operations. A remote attacker could exploit this flaw and cause the CUPS server to crash, resulting in a denial of service. This issue only affected Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10. (CVE-2009-3553, CVE-2010-0302) Ronald Volgers discovered that the CUPS lppasswd tool could be made to load localized message strings from arbitrary files by setting an environment variable. A local attacker could exploit this with a format-string vulnerability leading to a root privilege escalation. The default compiler options for Ubuntu 8.10, 9.04 and 9.10 should reduce this vulnerability to a denial of service. (CVE-2010-0393). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 44985 published 2010-03-04 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44985 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : cups, cupsys vulnerabilities (USN-906-1) NASL family SuSE Local Security Checks NASL id SUSE_11_CUPS-100210.NASL description lppasswd when running setuid or setgid still honors environment variables that specify the location of message files. Local attackers could exploit that to gather information by using crafted format strings. (CVE-2010-0393) The previous fix for a use-after-free vulnerability (CVE-2009-3553) was incomplete. (CVE-2010-0302) last seen 2020-06-01 modified 2020-06-02 plugin id 45105 published 2010-03-19 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/45105 title SuSE 11 Security Update : CUPS (SAT Patch Number 2108) NASL family SuSE Local Security Checks NASL id SUSE_11_1_CUPS-100210.NASL description lppasswd when running setuid or setgid still honors environment variables that specify the location of message files. Local attackers could exploit that to gather information by using crafted format strings (CVE-2010-0393). The previous fix for a use-after-free vulnerability (CVE-2009-3553) was incomplete (CVE-2010-0302). last seen 2020-06-01 modified 2020-06-02 plugin id 45099 published 2010-03-19 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/45099 title openSUSE Security Update : cups (cups-2102) NASL family SuSE Local Security Checks NASL id SUSE_11_2_CUPS-100305.NASL description lppasswd when running setuid or setgid still honors environment variables that specify the location of message files. Local attackers could exploit that to gather information by using crafted format strings (CVE-2010-0393). The previous fix for a use-after-free vulnerability (CVE-2009-3553) was incomplete (CVE-2010-0302). last seen 2020-06-01 modified 2020-06-02 plugin id 45102 published 2010-03-19 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/45102 title openSUSE Security Update : cups (cups-2102) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-1595.NASL description From Red Hat Security Advisory 2009:1595 : Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 12th January 2010] The packages list in this erratum has been updated to include missing i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553) Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820) Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the CVE-2009-2820 issue. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 67961 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67961 title Oracle Linux 5 : cups (ELSA-2009-1595) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2010-0129.NASL description Updated cups packages that fix one security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. It was discovered that the Red Hat Security Advisory RHSA-2009:1595 did not fully correct the use-after-free flaw in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could send specially crafted queries to the CUPS server, causing it to crash. (CVE-2010-0302) Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the cupsd daemon will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 45053 published 2010-03-15 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45053 title CentOS 5 : cups (CESA-2010:0129) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0129.NASL description From Red Hat Security Advisory 2010:0129 : Updated cups packages that fix one security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. It was discovered that the Red Hat Security Advisory RHSA-2009:1595 did not fully correct the use-after-free flaw in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could send specially crafted queries to the CUPS server, causing it to crash. (CVE-2010-0302) Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the cupsd daemon will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 68006 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68006 title Oracle Linux 5 : cups (ELSA-2010-0129) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-073.NASL description Multiple vulnerabilities has been found and corrected in cups : CUPS in does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product last seen 2020-06-01 modified 2020-06-02 plugin id 45530 published 2010-04-15 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45530 title Mandriva Linux Security Advisory : cups (MDVSA-2010:073-1) NASL family SuSE Local Security Checks NASL id SUSE_11_0_CUPS-100210.NASL description lppasswd when running setuid or setgid still honors environment variables that specify the location of message files. Local attackers could exploit that to gather information by using crafted format strings (CVE-2010-0393). The previous fix for a use-after-free vulnerability (CVE-2009-3553) was incomplete (CVE-2010-0302). last seen 2020-06-01 modified 2020-06-02 plugin id 45096 published 2010-03-19 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/45096 title openSUSE Security Update : cups (cups-2102) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1595.NASL description Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 12th January 2010] The packages list in this erratum has been updated to include missing i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553) Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820) Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the CVE-2009-2820 issue. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 42850 published 2009-11-19 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42850 title RHEL 5 : cups (RHSA-2009:1595) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2010-004.NASL description The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2010-004 applied. This security update contains fixes for the following components : - CUPS - DesktopServices - Flash Player plug-in - Folder Manager - iChat - ImageIO - Kerberos - Kernel - libcurl - Network Authorization - Ruby - SMB File Server - SquirrelMail - Wiki Server last seen 2020-06-01 modified 2020-06-02 plugin id 47024 published 2010-06-15 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47024 title Mac OS X Multiple Vulnerabilities (Security Update 2010-004) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201207-10.NASL description The remote host is affected by the vulnerability described in GLSA-201207-10 (CUPS: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in CUPS. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to execute arbitrary code using specially crafted streams, IPP requests or files, or cause a Denial of Service (daemon crash or hang). A local attacker may be able to gain escalated privileges or overwrite arbitrary files. Furthermore, a remote attacker may be able to obtain sensitive information from the CUPS process or hijack a CUPS administrator authentication request. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 59902 published 2012-07-10 reporter This script is Copyright (C) 2012-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59902 title GLSA-201207-10 : CUPS: Multiple vulnerabilities
Oval
accepted | 2013-04-29T04:12:25.705-04:00 | ||||||||||||
class | vulnerability | ||||||||||||
contributors |
| ||||||||||||
definition_extensions |
| ||||||||||||
description | Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553. | ||||||||||||
family | unix | ||||||||||||
id | oval:org.mitre.oval:def:11216 | ||||||||||||
status | accepted | ||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
title | Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553. | ||||||||||||
version | 18 |
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
References
- http://cups.org/articles.php?L596
- http://cups.org/articles.php?L596
- http://cups.org/str.php?L3490
- http://cups.org/str.php?L3490
- http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
- http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037174.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037174.html
- http://secunia.com/advisories/38785
- http://secunia.com/advisories/38785
- http://secunia.com/advisories/38927
- http://secunia.com/advisories/38927
- http://secunia.com/advisories/38979
- http://secunia.com/advisories/38979
- http://secunia.com/advisories/40220
- http://secunia.com/advisories/40220
- http://security.gentoo.org/glsa/glsa-201207-10.xml
- http://security.gentoo.org/glsa/glsa-201207-10.xml
- http://support.apple.com/kb/HT4188
- http://support.apple.com/kb/HT4188
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:073
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:073
- http://www.securityfocus.com/bid/38510
- http://www.securityfocus.com/bid/38510
- http://www.securitytracker.com/id?1024124
- http://www.securitytracker.com/id?1024124
- http://www.ubuntu.com/usn/USN-906-1
- http://www.ubuntu.com/usn/USN-906-1
- http://www.vupen.com/english/advisories/2010/1481
- http://www.vupen.com/english/advisories/2010/1481
- https://bugzilla.redhat.com/show_bug.cgi?id=557775
- https://bugzilla.redhat.com/show_bug.cgi?id=557775
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11216
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11216
- https://rhn.redhat.com/errata/RHSA-2010-0129.html
- https://rhn.redhat.com/errata/RHSA-2010-0129.html