ports/147978: print/cups-base CVE-2010-0302
dirk.meyer at dinoex.sub.org
Fri Jun 18 17:20:04 UTC 2010
>Number: 147978
>Category: ports
>Synopsis: print/cups-base CVE-2010-0302
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Fri Jun 18 17:20:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Dirk Meyer
>Release: FreeBSD 8.1-PRERELEASE
>Organization:
private
>Environment:
>Description:
Use-after-free vulnerability in the abstract file-descriptor handling
interface in the cupsdDoSelect function in scheduler/select.c in the
scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when kqueue
or epoll is used, allows remote attackers to cause a denial of service
(daemon crash or hang) via a client disconnection during listing of a
large number of print jobs, related to improperly maintaining a
reference count. NOTE: some of these details are obtained from third
party information. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2009-3553.
http://www.cups.org/articles.php?L596
http://secunia.com/advisories/cve_reference/CVE-2010-0302/
The code of the shared libs is not affected.
Therefore the fix is not urgent.
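Added example, not code from this PR, the upstream commit or CUPS: a C model of the event-loop turn that the select.c patch in fix a) below hardens, showing why a reference-count test alone is not enough once a read callback has parked the descriptor on an inactive list. Only the field names use, read_cb and write_cb come from the hunk; every other name, the flag standing in for cupsd_inactive_fds, and the assumption that the inactive list holds its own reference are this example's own.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Model of one reference-counted descriptor entry. The fields use, read_cb
 * and write_cb are the ones visible in the select.c hunk; every other name
 * and the ownership rules below are assumptions made for this example. */
typedef struct fd_entry {
    int   use;         /* reference count; release_fd() frees at zero */
    bool  inactive;    /* stands in for membership of cupsd_inactive_fds */
    char *client;      /* per-connection state, freed on disconnect */
    int   bad_writes;  /* write callbacks that ran after the client was freed */
    void (*read_cb)(struct fd_entry *);
    void (*write_cb)(struct fd_entry *);
} fd_entry_t;

/* Read callback standing in for a client disconnect: the connection state is
 * freed, the client's reference is dropped, and the entry is parked on the
 * inactive list, which (assumed here) takes a reference of its own. Net
 * effect: `use` is unchanged, so `use > 1` alone cannot see the fd closing. */
static void on_read_disconnect(fd_entry_t *e) {
    free(e->client);
    e->client = NULL;
    e->use--;             /* client object lets go of the entry */
    e->inactive = true;   /* cupsArrayAdd(cupsd_inactive_fds, fdptr) */
    e->use++;             /* ...and the inactive list now holds it */
}

static void on_write(fd_entry_t *e) {
    if (e->client == NULL) { e->bad_writes++; return; } /* would be a UAF in cupsd */
    e->client[0] = 'w';
}

/* One event-loop turn in which the kernel reported both a readable and a
 * writable event for the same descriptor. `patched` adds the
 * !cupsArrayFind(cupsd_inactive_fds, fdptr) test from the hunk. Returns how
 * many write callbacks ran against freed connection state (0 is correct). */
int dispatch_turn(bool patched) {
    fd_entry_t e = { .use = 1, .client = malloc(8),
                     .read_cb = on_read_disconnect, .write_cb = on_write };
    e.use++;                                     /* loop retains fdptr */
    if (e.read_cb) e.read_cb(&e);
    if (e.use > 1 && e.write_cb && (!patched || !e.inactive))
        e.write_cb(&e);                          /* pre-patch: use is still 2 */
    e.use--;                                     /* release_fd(fdptr) */
    free(e.client);                              /* tidy the model's allocation */
    return e.bad_writes;
}
```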
>How-To-Repeat:
Update needs approval from portmgr@
>Fix:
Please approve one of the patches below.
a) small fix to fix the vulnerability
b) update to 1.4.4
Impact: dependent packages will need a rebuild so that the new version
number is recorded in their dependency.
a)
Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/print/cups-base/Makefile,v
retrieving revision 1.141
diff -u -r1.141 Makefile
--- Makefile 5 Jun 2010 19:53:31 -0000 1.141
+++ Makefile 18 Jun 2010 17:06:07 -0000
@@ -89,6 +89,7 @@
PKGMESSAGE= ${NONEXISTENT}
DESCR= ${MASTERDIR}/pkg-descr.image
.else
+PORTREVISION= 1
CONFLICTS+= cupsddk-*
CUPS_SUFFIX= -base
LIB_DEPENDS+= cups.2:${PORTSDIR}/${PKGCATEGORY}/cups-client \
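Review bot: the PORTREVISION= 1 bump sits inside the .else branch, so only the cups-base build (CUPS_SUFFIX= -base) is bumped and the sibling built from the first branch keeps its revision; that is consistent with the PR's statement that the shared libraries are not affected, but a short comment beside the bump, or a sentence in the commit log, would save the next reader from reconstructing that reasoning. Note also that this assignment overrides the PORTREVISION= 0 near the top of the same Makefile (visible as context in patch b), which is what make does but is easy to overlook when the two lines are 80 lines apart.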
Index: files/patch-CVE-2009-3553
===================================================================
RCS file: files/patch-CVE-2009-3553
diff -N files/patch-CVE-2009-3553
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/patch-CVE-2009-3553 18 Jun 2010 17:06:07 -0000
@@ -0,0 +1,36 @@
+From b6b656f4b431574069d5b17dc6d3d44910269bb9 Mon Sep 17 00:00:00 2001
+From: Tim Waugh <twaugh at redhat.com>
+Date: Wed, 3 Feb 2010 16:07:11 +0000
+Subject: [PATCH] More complete fix for CVE-2009-3553.
+
+---
+ scheduler/select.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/scheduler/select.c b/scheduler/select.c
+index 21a6edc..a2451a5 100644
+--- scheduler/select.c
++++ scheduler/select.c
+@@ -454,7 +454,8 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */
+ if (fdptr->read_cb && event->filter == EVFILT_READ)
+ (*(fdptr->read_cb))(fdptr->data);
+
+- if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE)
++ if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE &&
++ !cupsArrayFind(cupsd_inactive_fds, fdptr))
+ (*(fdptr->write_cb))(fdptr->data);
+
+ release_fd(fdptr);
+@@ -500,7 +501,8 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */
+ (*(fdptr->read_cb))(fdptr->data);
+
+ if (fdptr->use > 1 && fdptr->write_cb &&
+- (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)))
++ (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)) &&
++ !cupsArrayFind(cupsd_inactive_fds, fdptr))
+ (*(fdptr->write_cb))(fdptr->data);
+
+ release_fd(fdptr);
+--
+1.6.6
+
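Review bot: the new file is named files/patch-CVE-2009-3553 although this PR closes CVE-2010-0302; the upstream subject "More complete fix for CVE-2009-3553" explains the choice, but naming the file after the CVE the port is actually fixing (or adding a header comment naming both) makes later audits of which advisories a port carries much easier. Also confirm the embedded diff applies under the ports framework's default -p0: the paths are given as scheduler/select.c without the a/ and b/ prefixes, and the From/Date/index lines above the diff are leading text that patch(1) should skip. On the substance, both hunks add the !cupsArrayFind(cupsd_inactive_fds, fdptr) test only to the write callback; the read callback a few lines earlier in each hunk still runs unguarded, which is presumably intended since the read path is what observes the disconnect, but that is worth stating in the commit log.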
b)
diff -ur --exclude=CVS --exclude=Makefile.local ./Makefile /usr/ports/current/cups-base/Makefile
--- ./Makefile 2010-06-18 19:05:30.000000000 +0200
+++ /usr/ports/current/cups-base/Makefile 2010-06-18 13:18:21.000000000 +0200
@@ -6,7 +6,7 @@
#
PORTNAME= cups
-PORTVERSION= 1.4.3
+PORTVERSION= 1.4.4
DISTVERSIONSUFFIX= -source
PORTREVISION= 0
CATEGORIES= print
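Review bot: leaving PORTREVISION= 0 is right for a version bump, but this hunk does not show whether the existing files/patch-* still apply cleanly to 1.4.4 or whether 1.4.4 actually contains the select.c fix the PR is about; the commit message should cite the upstream release note that covers CVE-2010-0302 so the reviewer does not have to take that on trust.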
diff -ur --exclude=CVS --exclude=Makefile.local ./distinfo /usr/ports/current/cups-base/distinfo
--- ./distinfo 2010-04-02 05:47:19.000000000 +0200
+++ /usr/ports/current/cups-base/distinfo 2010-06-18 13:18:45.000000000 +0200
@@ -1,3 +1,3 @@
-MD5 (cups-1.4.3-source.tar.bz2) = e70b1c3f60143d7310c1d74c111a21ab
-SHA256 (cups-1.4.3-source.tar.bz2) = 47a559b1c50192b94479ae7dab132ea0008727045d4993501cf0a6df0c64db97
-SIZE (cups-1.4.3-source.tar.bz2) = 4461101
+MD5 (cups-1.4.4-source.tar.bz2) = 8776403ad60fea9e85eab9c04d88560d
+SHA256 (cups-1.4.4-source.tar.bz2) = d25ffa35add3abeeec0eba60be2cffc89425b649c64ef3a73dfc724683a59aa3
+SIZE (cups-1.4.4-source.tar.bz2) = 4472741
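Review bot: the new checksums should come from `make makesum` on a distfile fetched from the upstream MASTER_SITES, and the SHA256 line cross-checked against an upstream-published value where one is available; MD5 on its own no longer gives a meaningful integrity guarantee, so the SHA256 entry is the one that matters in review.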
>Release-Note:
>Audit-Trail:
>Unformatted: