Off-by-one error in the ippReadIO function in cups/ipp.c in CUPS 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted (1) textWithLanguage or (2) nameWithLanguage Internet Printing Protocol (IPP) tag, leading to a stack-based buffer overflow.

From Red Hat Security Advisory 2007:1023 :

Updated cups packages that fix several security issues are now available for Red Hat Enterprise Linux 3.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems.

Alin Rad Pop discovered a flaw in the handling of PDF files. An attacker could create a malicious PDF file that would cause CUPS to crash or potentially execute arbitrary code when printed.
(CVE-2007-5393)

Alin Rad Pop discovered a flaw in in the way CUPS handles certain IPP tags. A remote attacker who is able to connect to the IPP TCP port could send a malicious request causing the CUPS daemon to crash.
(CVE-2007-4351)

A flaw was found in the way CUPS handled SSL negotiation. A remote attacker capable of connecting to the CUPS daemon could cause CUPS to crash. (CVE-2007-4045)

All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

From Red Hat Security Advisory 2007:1022 :

Updated cups packages that fix several security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems.

Alin Rad Pop discovered several flaws in the handling of PDF files. An attacker could create a malicious PDF file that would cause CUPS to crash or potentially execute arbitrary code when printed.
(CVE-2007-4352, CVE-2007-5392, CVE-2007-5393)

Alin Rad Pop discovered a flaw in in the way CUPS handles certain IPP tags. A remote attacker who is able to connect to the IPP TCP port could send a malicious request causing the CUPS daemon to crash.
(CVE-2007-4351)

A flaw was found in the way CUPS handled SSL negotiation. A remote attacker capable of connecting to the CUPS daemon could cause CUPS to crash. (CVE-2007-4045)

All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

The remote Oracle Linux 5 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2007-1020 advisory.

    [1.2.4-11.14.el5_1.1]
     - Applied patch to fix CVE-2007-4351 (STR #2561, bug #353981).

     [1.2.4-11.14]
     - Applied patch to fix cupsd crash when failing to open a file: URI        (STR #2351, bug #250415).

     [1.2.4-11.13]
     - Moved LSPP security attributes check before job creation (bug #231522).

     [1.2.4-11.12]
     - Moved LSPP access check before job creation (bug #231522).

     [1.2.4-11.11]
     - Better error checking in the LSPP patch (bug #231522).

     [1.2.4-11.10]
     - Applied patch to fix CVE-2007-3387 (bug #248223).

     [1.2.4-11.9]
     - Fixed IPv6 address parsing (bug #241400, STR #2117).
     - Fixed a bug that caused cups-lpd not to set the correct value for        job-originating-host-name (bug #240223, STR #2023).
     - Cleaned up initscript error handling (bug #237953).
     - Fixed cups-lpd -odocument-format=... option (bug #230073, STR #2266).
     - Fixed If-Modified-Since: handling in libcups (bug #218764, STR #2133).
     - Make the initscript use start priority 56 (bug #213828).

     [1.2.4-11.8]
     - Applied fix for STR #2264 (bug #230118).
     - Added patch for UNIX domain sockets authentication (bug #230613).
     - LSPP: Updated patch for line-wrapped labels (bug #228107).

     [1.2.4-11.7]
     - Don't reload CUPS after rotating the logs with logrotate, but make sure        to use the new file in that case (bug #215024).

     [1.2.4-11.6]
     - LSPP: added check_context() function for get_jobs(), get_job_attrs() and        validate_user() (bug #229673).
     - Fixed a potential scheduler crash (bug #231522).

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Problem description :

Alin Rad Pop discovered several flaws in the handling of PDF files. An attacker could create a malicious PDF file that would cause CUPS to crash or potentially execute arbitrary code when printed.
(CVE-2007-4352, CVE-2007-5392, CVE-2007-5393)

Alin Rad Pop discovered a flaw in in the way CUPS handles certain IPP tags. A remote attacker who is able to connect to the IPP TCP port could send a malicious request causing the CUPS daemon to crash.
(CVE-2007-4351)

A flaw was found in the way CUPS handled SSL negotiation. A remote attacker capable of connecting to the CUPS daemon could cause CUPS to crash. (CVE-2007-4045)

A flaw was found in the way CUPS handles certain Internet Printing Protocol (IPP) tags. A remote attacker who is able to connect to the IPP TCP port could send a malicious request causing the CUPS daemon to crash, or potentially execute arbitrary code. Please note that the default CUPS configuration does not allow remote hosts to connect to the IPP TCP port. (CVE-2007-4351)

In addition, the following bugs were fixed :

  - the CUPS service has been changed to start after sshd,     to avoid causing delays when logging in when the system     is booted.

  - the logrotate settings have been adjusted so they do not     cause CUPS to reload its configuration. This is to avoid     re-printing the current job, which could occur when it     was a long-running job.

  - a bug has been fixed in the handling of the     If-Modified-Since: HTTP header.

  - in the LSPP configuration, labels for labeled jobs did     not line-wrap. This has been fixed.

  - an access check in the LSPP configuration has been made     more secure.

  - the cups-lpd service no longer ignores the     '-odocument-format=...' option.

  - a memory allocation bug has been fixed in cupsd.

  - support for UNIX domain sockets authentication without     passwords has been added.

  - in the LSPP configuration, a problem that could lead to     cupsd crashing has been fixed.

  - the error handling in the initscript has been improved.

  - The job-originating-host-name attribute was not     correctly set for jobs submitted via the cups-lpd     service. This has been fixed.

  - a problem with parsing IPv6 addresses in the     configuration file has been fixed.

  - a problem that could lead to cupsd crashing when it     failed to open a 'file:' URI has been fixed.

Updated CUPS packages that fix a security issue in the Internet Printing Protocol (IPP) handling and correct some bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems.

A flaw was found in the way CUPS handles certain Internet Printing Protocol (IPP) tags. A remote attacker who is able to connect to the IPP TCP port could send a malicious request causing the CUPS daemon to crash, or potentially execute arbitrary code. Please note that the default CUPS configuration does not allow remote hosts to connect to the IPP TCP port. (CVE-2007-4351)

Red Hat would like to thank Alin Rad Pop for reporting this issue.

All CUPS users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.

In addition, the following bugs were fixed :

* the CUPS service has been changed to start after sshd, to avoid causing delays when logging in when the system is booted.

* the logrotate settings have been adjusted so they do not cause CUPS to reload its configuration. This is to avoid re-printing the current job, which could occur when it was a long-running job.

* a bug has been fixed in the handling of the If-Modified-Since: HTTP header.

* in the LSPP configuration, labels for labeled jobs did not line-wrap. This has been fixed.

* an access check in the LSPP configuration has been made more secure.

* the cups-lpd service no longer ignores the '-odocument-format=...' option.

* a memory allocation bug has been fixed in cupsd.

* support for UNIX domain sockets authentication without passwords has been added.

* in the LSPP configuration, a problem that could lead to cupsd crashing has been fixed.

* the error handling in the initscript has been improved.

* The job-originating-host-name attribute was not correctly set for jobs submitted via the cups-lpd service. This has been fixed.

* a problem with parsing IPv6 addresses in the configuration file has been fixed.

* a problem that could lead to cupsd crashing when it failed to open a 'file:' URI has been fixed.

Updated cups packages that fix several security issues are now available for Red Hat Enterprise Linux 3.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems.

Alin Rad Pop discovered a flaw in the handling of PDF files. An attacker could create a malicious PDF file that would cause CUPS to crash or potentially execute arbitrary code when printed.
(CVE-2007-5393)

Alin Rad Pop discovered a flaw in in the way CUPS handles certain IPP tags. A remote attacker who is able to connect to the IPP TCP port could send a malicious request causing the CUPS daemon to crash.
(CVE-2007-4351)

A flaw was found in the way CUPS handled SSL negotiation. A remote attacker capable of connecting to the CUPS daemon could cause CUPS to crash. (CVE-2007-4045)

All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

Updated cups packages that fix several security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems.

Alin Rad Pop discovered several flaws in the handling of PDF files. An attacker could create a malicious PDF file that would cause CUPS to crash or potentially execute arbitrary code when printed.
(CVE-2007-4352, CVE-2007-5392, CVE-2007-5393)

Alin Rad Pop discovered a flaw in in the way CUPS handles certain IPP tags. A remote attacker who is able to connect to the IPP TCP port could send a malicious request causing the CUPS daemon to crash.
(CVE-2007-4351)

A flaw was found in the way CUPS handled SSL negotiation. A remote attacker capable of connecting to the CUPS daemon could cause CUPS to crash. (CVE-2007-4045)

All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. 

This update contains several security fixes for a large number of programs.

Alin Rad Pop discovered that the Common UNIX Printing System is vulnerable to an off-by-one buffer overflow in the code to process IPP packets, which may lead to the execution of arbitrary code.

The cupsys version in the old stable distribution (sarge) is not vulnerable to arbitrary code execution.

The remote host is affected by the vulnerability described in GLSA-200711-16 (CUPS: Memory corruption)

    Alin Rad Pop (Secunia Research) discovered an off-by-one error in the     ippReadIO() function when handling Internet Printing Protocol (IPP)     tags that might allow to overwrite one byte on the stack.
  Impact :

    A local attacker could send a specially crafted IPP request containing     'textWithLanguage' or 'nameWithLanguage' tags, leading to a Denial of     Service or the execution of arbitrary code with the privileges of the     'lp' user. If CUPS is configured to allow network printing, this     vulnerability might be remotely exploitable.
  Workaround :

    To avoid remote exploitation, network access to CUPS servers on port     631/udp should be restricted. In order to do this, update the 'Listen'     setting in cupsd.conf to 'Listen localhost:631' or add a rule to     the system's firewall. However, this will not avoid local users from     exploiting this vulnerability.

Alin Rad Pop discovered that CUPS did not correctly validate buffer lengths when processing IPP tags. Remote attackers successfully exploiting this vulnerability would gain access to the non-root CUPS user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Secunia reports :

Secunia Research has discovered a vulnerability in CUPS, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the 'ippReadIO()' function in cups/ipp.c when processing IPP (Internet Printing Protocol) tags. This can be exploited to overwrite one byte on the stack with a zero by sending an IPP request containing specially crafted 'textWithLanguage' or 'nameWithLanguage' tags.

Successful exploitation allows execution of arbitrary code.

This update fixes a remote code execution vulnerability in the IPP handling part of the CUPS scheduler, as well as several PDF handling security issues.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes a remote code execution vulnerability in the IPP handling part of the CUPS scheduler.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Alin Rad Pop of Secunia Research discovered a vulnerability in CUPS that can be exploited by malicious individuals to execute arbitrary code. This flaw is due to a boundary error when processing IPP (Internet Printing Protocol) tags.

Update :

Due to incorrect build requirements/conflicts, the cups-config in Mandriva Linux 2008.0 was displaying the full CFLAGS and libs instead of just the libraries when 'cups-config --libs' was invoked. This update corrects the cups-config behaviour.

CUPS was found to contain errors in ipp.c which could allow a remote attacker to crash CUPS, resulting in a denial of service. If you use CUPS, it is recommended to update to the latest package for your version of Slackware. The latest cups package is available for Slackware -current, and patched packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0 that fix the problems.

According to its banner, the version of CUPS installed on the remote host fails to check the text-length field in the 'ippReadIO()' function in 'cups/ipp.c'. Using a specially crafted request with an IPP (Internet Printing Protocol) tag such as 'textWithLanguage' or 'nameWithLanguage' and an overly large text-length value, a remote attacker may be able to leverage this issue to execute arbitrary code on the affected system.

A missing length check in the IPP implementation of cups could lead to a buffer overflow. Attackers could exploit that to potentially execute arbitrary code with root privileges (CVE-2007-4351).

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2007:1020 advisory.

  - cups boundary error (CVE-2007-4351)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
67600	Oracle Linux 3 : cups (ELSA-2007-1023)	Nessus	Oracle Linux Local Security Checks	critical
67599	Oracle Linux 4 : cups (ELSA-2007-1022)	Nessus	Oracle Linux Local Security Checks	critical
67598	Oracle Linux 5 : Important: / cups (ELSA-2007-1020)	Nessus	Oracle Linux Local Security Checks	high
60286	Scientific Linux Security Update : cups on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
60279	Scientific Linux Security Update : cups on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
43660	CentOS 5 : cups (CESA-2007:1020)	Nessus	CentOS Local Security Checks	critical
37449	CentOS 3 : cups (CESA-2007:1023)	Nessus	CentOS Local Security Checks	critical
37428	CentOS 4 : cups (CESA-2007:1022)	Nessus	CentOS Local Security Checks	critical
36860	RHEL 4 : cups (RHSA-2007:1022)	Nessus	Red Hat Local Security Checks	critical
29723	Mac OS X Multiple Vulnerabilities (Security Update 2007-009)	Nessus	MacOS X Local Security Checks	critical
28253	Debian DSA-1407-1 : cupsys - buffer overflow	Nessus	Debian Local Security Checks	critical
28199	GLSA-200711-16 : CUPS: Memory corruption	Nessus	Gentoo Local Security Checks	critical
28146	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : cupsys vulnerability (USN-539-1)	Nessus	Ubuntu Local Security Checks	critical
27845	FreeBSD : cups -- off-by-one buffer overflow (8dd9722c-8e97-11dc-b8f6-001c2514716c)	Nessus	FreeBSD Local Security Checks	critical
27836	RHEL 3 : cups (RHSA-2007:1023)	Nessus	Red Hat Local Security Checks	critical
27822	Fedora 8 : cups-1.3.4-2.fc8 (2007-2982)	Nessus	Fedora Local Security Checks	critical
27797	Fedora 7 : cups-1.2.12-6.fc7 (2007-2715)	Nessus	Fedora Local Security Checks	critical
27615	Mandrake Linux Security Advisory : cups (MDKSA-2007:204-1)	Nessus	Mandriva Local Security Checks	critical
27609	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 8.1 / 9.0 / 9.1 / current : cups (SSA:2007-305-01)	Nessus	Slackware Local Security Checks	critical
27608	CUPS cups/ipp.c ippReadIO Function IPP Tag Handling Overflow	Nessus	Misc.	critical
27605	openSUSE 10 Security Update : cups (cups-4598)	Nessus	SuSE Local Security Checks	critical
27602	RHEL 5 : cups (RHSA-2007:1020)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2007-4351

high

Tenable Plugins

critical

critical

high

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

high