From security@caldera.com Thu Jan 23 03:41:20 2003
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
    security-alerts@linuxsecurity.com, full-disclosure@lists.netsys.com
Date: Mon, 20 Jan 2003 16:58:58 -0800
Reply-To: please_reply_to_security@caldera.com
Subject: [Full-Disclosure] Security Update: [CSSA-2003-004.0] Linux: Multiple Security Vulnerabilities in the Common Unix Printing System (CUPS)

To: bugtraq@securityfocus.com
    announce@lists.caldera.com
    security-alerts@linuxsecurity.com
    full-disclosure@lists.netsys.com

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: Multiple Security Vulnerabilities in the Common Unix Printing System (CUPS)
Advisory number:        CSSA-2003-004.0
Issue date:             2003 January 20
Cross reference:
______________________________________________________________________________


1. Problem Description

        Several vulnerabilities have been discovered in the CUPS
        printing system (these descriptions are from the associated
        CVE database entries):

        - Allows local users with lp privileges to create or overwrite
          arbitrary files via file race conditions.

        - Allows remote attackers to add printers without
          authentication via a certain UDP packet, that can then be
          used to perform unauthorized activities such as stealing
          the local root certificate for the administration server
          via a "need authorization" page.

        - Allows remote attackers to cause a denial of service (crash)
          and possibly execute arbitrary code by causing negative
          arguments to be fed into memcpy() calls via HTTP requests
          with (1) a negative Content-Length value or (2) a negative
          length in a chunked transfer encoding.

        - The obs.c module does not properly use the strncat function
          call when processing the options string, which allows remote
          attackers to execute arbitrary code via a buffer overflow
          attack.

        - The filters/image-gif.c module does not properly check for
          zero-length GIF images, which allows remote attackers to
          execute arbitrary code via modified chunk headers.

        - Does not properly check the return values of various file
          and socket operations, which could allow a remote attacker
          to cause a denial of service (resource exhaustion) by
          causing file descriptors to be assigned and not released.

        - Multiple integer overflows allow remote attackers to execute
          arbitrary code via (1) the CUPSd HTTP interface, and (2) the
          image handling code in CUPS filters.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to cups-1.1.10-6.i386.rpm
                                        prior to cups-client-1.1.10-6.i386.rpm
                                        prior to cups-devel-1.1.10-6.i386.rpm
                                        prior to cups-ppd-1.1.10-6.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to cups-1.1.10-6.i386.rpm
                                        prior to cups-client-1.1.10-6.i386.rpm
                                        prior to cups-devel-1.1.10-6.i386.rpm
                                        prior to cups-ppd-1.1.10-6.i386.rpm

        OpenLinux 3.1 Server            prior to cups-1.1.10-6.i386.rpm
                                        prior to cups-client-1.1.10-6.i386.rpm
                                        prior to cups-devel-1.1.10-6.i386.rpm
                                        prior to cups-ppd-1.1.10-6.i386.rpm

        OpenLinux 3.1 Workstation       prior to cups-1.1.10-6.i386.rpm
                                        prior to cups-client-1.1.10-6.i386.rpm
                                        prior to cups-devel-1.1.10-6.i386.rpm
                                        prior to cups-ppd-1.1.10-6.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater,
        called cupdate (or kcupdate under the KDE environment), to
        update these packages rather than downloading and installing
        them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-004.0/RPMS

        4.2 Packages

        c27cfc1dc18d8c4769c0f8247f9c9bf0        cups-1.1.10-6.i386.rpm
        0c9792f6a6127a2a0ac3196d230a9223        cups-client-1.1.10-6.i386.rpm
        7ead8e53873325ee5acb2626ecabf5d5        cups-devel-1.1.10-6.i386.rpm
        cb7b8838284549eb6b4bcb877d5db983        cups-ppd-1.1.10-6.i386.rpm

        4.3 Installation

        rpm -Fvh cups-1.1.10-6.i386.rpm
        rpm -Fvh cups-client-1.1.10-6.i386.rpm
        rpm -Fvh cups-devel-1.1.10-6.i386.rpm
        rpm -Fvh cups-ppd-1.1.10-6.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-004.0/SRPMS

        4.5 Source Packages

        d14af6c00379eace99f62c5df4dcf132        cups-1.1.10-6.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-004.0/RPMS

        5.2 Packages

        b1315ba0ae47bf95d2eccfed08e95cb0        cups-1.1.10-6.i386.rpm
        ca1ab491adccc5d416d6f2947f93c657        cups-client-1.1.10-6.i386.rpm
        5db4d1574eaf6b1cb2130fab341edef7        cups-devel-1.1.10-6.i386.rpm
        2580ab863d136281dde1b3ddf82f0d99        cups-ppd-1.1.10-6.i386.rpm

        5.3 Installation

        rpm -Fvh cups-1.1.10-6.i386.rpm
        rpm -Fvh cups-client-1.1.10-6.i386.rpm
        rpm -Fvh cups-devel-1.1.10-6.i386.rpm
        rpm -Fvh cups-ppd-1.1.10-6.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-004.0/SRPMS

        5.5 Source Packages

        c62a95b4664ea4fe5261521b5a79cdc9        cups-1.1.10-6.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-004.0/RPMS

        6.2 Packages

        dee367cd2ffc768b9981831702927a38        cups-1.1.10-6.i386.rpm
        620cde79e5c12f20841c3dfe2dea0d36        cups-client-1.1.10-6.i386.rpm
        84320c589e9d2129aa5b1fdb34d5d62f        cups-devel-1.1.10-6.i386.rpm
        c2eaa7a35f2dcfb03aa77908bd89ef97        cups-ppd-1.1.10-6.i386.rpm

        6.3 Installation

        rpm -Fvh cups-1.1.10-6.i386.rpm
        rpm -Fvh cups-client-1.1.10-6.i386.rpm
        rpm -Fvh cups-devel-1.1.10-6.i386.rpm
        rpm -Fvh cups-ppd-1.1.10-6.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-004.0/SRPMS

        6.5 Source Packages

        268370aa68837a6bd148d77e493e92ba        cups-1.1.10-6.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-004.0/RPMS

        7.2 Packages

        b547711da7b927555f6f8eabb088793f        cups-1.1.10-6.i386.rpm
        98564caad2ed3e31eb0051e55be13d9c        cups-client-1.1.10-6.i386.rpm
        20c1141acfe92617c7c1219a9bd6dbe9        cups-devel-1.1.10-6.i386.rpm
        512795d8b7c8b31f6f6a7cfbf405114d        cups-ppd-1.1.10-6.i386.rpm

        7.3 Installation

        rpm -Fvh cups-1.1.10-6.i386.rpm
        rpm -Fvh cups-client-1.1.10-6.i386.rpm
        rpm -Fvh cups-devel-1.1.10-6.i386.rpm
        rpm -Fvh cups-ppd-1.1.10-6.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-004.0/SRPMS

        7.5 Source Packages

        7a7c39f894ac48056702470082f9862a        cups-1.1.10-6.src.rpm


8. References

        Specific references for this advisory:

                http://www.idefense.com/advisory/12.19.02.txt
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1366
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1367
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1368
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1369
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1371
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1372
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1383

        SCO security resources:

                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr872573, fz526835,
        erg712180.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


10. Acknowledgements

        zen-parse (zen-parse@gmx.net) discovered and researched these
        vulnerabilities.

______________________________________________________________________________
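
Added example (not part of the SCO advisory and not CUPS source code): the third item in section 1 describes negative Content-Length and chunk-length values reaching memcpy(). The C code below shows the validation that closes that class of bug for both field types; the names parse_body_length, copy_body and BODY_MAX, and the 8192-byte buffer, are assumptions made for this illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_MAX 8192   /* assumed size of the per-request body buffer */

/* Unsafe pattern this replaces: int n = atoi(value); memcpy(dst, src, n);
 * a negative n converts to a huge size_t inside memcpy(). */

/* Parse a length field: base 10 for Content-Length, base 16 for a chunk
 * size. Returns 0 and sets *out only for a plain number in 0..BODY_MAX. */
static int parse_body_length(const char *field, int base, size_t *out)
{
    char *end;
    long long v;
    if (field == NULL || !isxdigit((unsigned char)field[0]))
        return -1;                  /* empty, signed or space-padded field */
    errno = 0;
    v = strtoll(field, &end, base);
    if (errno == ERANGE || end == field || *end != '\0')
        return -1;                  /* out of range, no digits, trailing bytes */
    if (v < 0 || v > BODY_MAX)
        return -1;                  /* would not fit the destination buffer */
    *out = (size_t)v;
    return 0;
}

/* Copy the body only when the declared length is valid and no larger than
 * the bytes actually received. Returns the byte count copied, or -1. */
static long copy_body(char *dst, const char *src, size_t src_len,
                      const char *declared, int base)
{
    size_t n;
    if (parse_body_length(declared, base, &n) != 0 || n > src_len)
        return -1;
    memcpy(dst, src, n);
    return (long)n;
}

int main(void)
{
    char buf[BODY_MAX];
    const char body[] = "constructed sample body";    /* constructed input */
    printf("%ld\n", copy_body(buf, body, sizeof body - 1, "10", 10));
    printf("%ld\n", copy_body(buf, body, sizeof body - 1, "-1", 10));
    return 0;
}
```

The length is held in a signed 64-bit value until it has been range-checked, and is converted to size_t only afterwards, so a signed value never reaches memcpy().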