Orange Business Services

vulnerability alert CVE-2010-0302 CVE-2010-0540 CVE-2010-0542

CUPS: several vulnerabilities

Summary of the vulnerability

Several vulnerabilities of CUPS can be used by an attacker to create a denial of service, to obtain information, or to execute code.
Severity: 3/4.
Creation date: 18/06/2010.
Revision date: 25/06/2010.

Description of the vulnerability

The CUPS (Common UNIX Printing System) suite provides printer management for Unix. It has several vulnerabilities.

An attacker can print a malicious text document, in order to generate an allocation error in the _WriteProlog() function of texttops, leading to a denial of service or to code execution. [severity:3/4; BID-40943, CVE-2010-0542, STR #3516]

A remote attacker can ask for current print jobs in order to generate a denial of service of the CUPS daemon. [severity:2/4; CVE-2010-0302, STR #3490]

The cgi_initialize_string() function of the cgi-bin/var.c file does not correctly initialize the memory. An attacker can use a "/admin" URL, in order to obtain a fragment of the memory. [severity:2/4; CVE-2010-1748, STR #3577]

An attacker can use an external vulnerability to replace /var/cache/cups/remote.cache with a symbolic link, in order to force CUPS to overwrite the file it points to with root privileges. [severity:1/4; BID-41131, CVE-2010-2431, STR #3510]

An attacker can generate a Cross Site Request Forgery in the administration interface. [severity:3/4; CVE-2010-0540, STR #3480]

When CUPS is compiled with HAVE_GSSAPI, an attacker can generate an infinite loop in the cupsDoAuthentication() function. [severity:1/4; BID-41126, CVE-2010-2432, STR #3518]

These vulnerabilities can be used by an attacker to create a denial of service, to obtain information, or to execute code.

Characteristics

Title: CUPS: several vulnerabilities.
Keywords: 3480 3490 3510 3516 3518 3577 CUPS Common Cross Forgery HAVE_GSSAPI Printing Request STR Site System UNIX Unix _WriteProlog cgi_initialize_string cupsDoAuthentication several vulnerabilities.
Identifiers: BID-40943, BID-41126, BID-41131, CVE-2010-0302, CVE-2010-0540, CVE-2010-0542, CVE-2010-1748, CVE-2010-2431, CVE-2010-2432, FEDORA-2010-10066, FEDORA-2010-10101, FEDORA-2010-10388, RHSA-2010:0490-01, SSA:2010-176-05, STR #3480, STR #3490, STR #3510, STR #3516, STR #3518, STR #3577, VIGILANCE-VUL-9716.

Information sources

Publications and announcements
Source example: CUPS 1.4.4

Solutions for this vulnerability

Patch or workaround

Supplements

Vulnerability: STR #3516

An attacker can print a malicious text document, in order to generate an allocation error in the _WriteProlog() function of texttops, leading to a denial of service or to code execution.
Severity: 3/4.
Identifiers: BID-40943, CVE-2010-0542, STR #3516.
Publications and announcements
Source example: STR #3516: Missing malloc checks in texttops

Vulnerability: STR #3490

A remote attacker can ask for current print jobs in order to generate a denial of service of the CUPS daemon.
Severity: 2/4.
Identifiers: CVE-2010-0302, STR #3490.
Publications and announcements
Source example: STR #3490: CVE-2010-0302: Incomplete fix for CVE-2009-3553 (STR #3200)

Vulnerability: STR #3577

The cgi_initialize_string() function of the cgi-bin/var.c file does not correctly initialize the memory. An attacker can use a "/admin" URL, in order to obtain a fragment of the memory.
Severity: 2/4.
Identifiers: CVE-2010-1748, STR #3577.
Publications and announcements
Source example: STR #3577: Memory disclosure in CUPS with admin URLs

Vulnerability: STR #3510

An attacker can use an external vulnerability to replace /var/cache/cups/remote.cache with a symbolic link, in order to force CUPS to overwrite the file it points to with root privileges.
Severity: 1/4.
Identifiers: BID-41131, CVE-2010-2431, STR #3510.
Publications and announcements
Source example: STR #3510: cups overwrites files as root in a directory with non-root write permission
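
A defensive pattern for the symbolic-link case described above, as an added example that is not CUPS code and not part of the bulletin: a privileged writer creates a fresh file beside the target and renames it into place, so a symlink planted at the cache path is replaced instead of followed. The function names, the `.new` suffix and the scratch directory are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write data to a new temp file beside `path`, then rename() it into place.
 * O_CREAT|O_EXCL|O_NOFOLLOW refuses a pre-planted name or link; rename()
 * replaces a symlink at `path` itself instead of writing through it. */
int safe_replace(const char *path, const char *data, size_t len)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.new", path) >= (int)sizeof tmp) return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0;
    if (close(fd) != 0) ok = 0;
    if (ok && rename(tmp, path) == 0) return 0;
    unlink(tmp);                       /* never leave a partial temp file */
    return -1;
}

/* Constructed scenario: remote.cache has been swapped for a symlink to
 * `victim`. Returns 1 if victim is untouched and the cache is a regular file. */
int demo_symlink_case(void)
{
    char dir[] = "/tmp/cachedemoXXXXXX", victim[128], cache[128], buf[8] = {0};
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(cache, sizeof cache, "%s/remote.cache", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("keep", f);
    fclose(f);
    if (symlink(victim, cache) != 0) return -1;
    if (safe_replace(cache, "new cache\n", 10) != 0) return -1;
    f = fopen(victim, "r");
    if (!f || !fgets(buf, sizeof buf, f)) return -1;
    fclose(f);
    if (lstat(cache, &st) != 0) return -1;
    int ok = strcmp(buf, "keep") == 0 && S_ISREG(st.st_mode);
    unlink(cache); unlink(victim); rmdir(dir);
    return ok;
}
```

The pattern narrows the exposure but does not remove the underlying condition named in the STR title: a directory that a non-root user can write to still lets that user interfere with files a root process creates there.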

Vulnerability: STR #3498

An attacker can generate a Cross Site Request Forgery in the administration interface.
Severity: 3/4.
Identifiers: CVE-2010-0540, STR #3480.
Publications and announcements
Source example: STR #3498: Add more CSRF protections

Vulnerability: STR #3518

When CUPS is compiled with HAVE_GSSAPI, an attacker can generate an infinite loop in the cupsDoAuthentication() function.
Severity: 1/4.
Identifiers: BID-41126, CVE-2010-2432, STR #3518.
Publications and announcements
Source example: STR #3518: Infinite loop when not compiled with HAVE_GSSAPI

Attack

Exploit 0day or proof of concept

This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services.