Debians sikkerhedsbulletin
DSA-232-1 cupsys -- flere sårbarheder
- Rapporteret den:
- 20. jan 2003
- Berørte pakker:
- cupsys
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 6475, BugTraq-id 6440, BugTraq-id 6439, BugTraq-id 6438, BugTraq-id 6437, BugTraq-id 6436, BugTraq-id 6435.
I Mitres CVE-ordbog: CVE-2002-1366, CVE-2002-1367, CVE-2002-1368, CVE-2002-1369, CVE-2002-1371, CVE-2002-1372, CVE-2002-1383, CVE-2002-1384. - Yderligere oplysninger:
-
Flere sårbarheder er fundet i Common Unix Printing System (CUPS). Flere af disse problemer kan potentielt udnyttes af en fjernbruger eller ved et overbelastningsangreb (denial of service). Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:
- CAN-2002-1383: Flere heltalsoverløb gør det muligt for en fjernangriber at udføre vilkårlig kode via CUPSd HTTP-grænsefladen og billedhåndteringskoden i CUPS-filtrene.
- CAN-2002-1366: "Race conditions" i forbindelse med
/etc/cups/certs/
gør det muligt for lokale brugere med lp-rettigheder, at oprette eller overskrive vilkårlige filer. Dette problem findes ikke i potato-udgaven. - CAN-2002-1367: Denne sårbarhed gør det muligt for en fjernangriber, at tilføje printere uden autentifikation via en bestemt UDP-pakke, hvilket dermed kan udnyttes til at udføre uautoriserede aktiviteter såsom at stæjle det lokale root-certifikat til administrationsserveren via en "kræver autorisation"-side.
- CAN-2002-1368: Negative længde overført til memcpy() kan forårsage et overbelastningsangreb og måske også udførelse af vilkårlig kode.
- CAN-2002-1369: Et usikkert strncat()-funktionskald til behandling af indstillingsstrengen, giver en fjernangriber mulighed for at udføre vilkårlig kode via et bufferoverløb.
- CAN-2002-1371: Billeder med en bredde på nul, gør det muligt for en fjernangriber at udføre vilkårlig kode via tilpassede chunk-headere.
- CAN-2002-1372: CUPS kontrollerer ikke på korrekt vis, returværdierne fra forskellige fil- og socket-handlinger, hvilket kan give en fjernangriber mulighed for at forårsage et overbelastningsangreb.
- CAN-2002-1384: Pakken cupsys indeholder noget kode fra pakken xpdf, der anvendes til at konvertere PDF-filer til udskrift, hvilket indeholder en heltalsoverløbsfejl, der kan udnyttes. Dette problem findes ikke i potato-udgaven.
Selvom vi har gjort os stor umage med, også at rette alle disse problemer i pakkerne til potato, kan pakkerne stadig indeholder andre sikkerhedsrelaterede problemer. Derfor opfordrer vi brugere af potato-systemer hvor CUPS anvendes, til snart at opgradere til woody.
I den aktuelle stabile distribution (woody) er disse problemer rettet i version 1.1.14-4.3.
I den gamle stabile distribution (potato) er disse problemer rettet i version 1.0.4-12.1.
I den ustabile distribution (sid) er disse problemer rettet i version 1.1.18-1.
Vi anbefaler at du omgående opgraderer dine CUPS-pakker.
- Rettet i:
-
Debian GNU/Linux 2.2 (potato)
- Kildekode:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.0.4-12.1.dsc
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.0.4-12.1.diff.gz
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.0.4.orig.tar.gz
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.0.4-12.1.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.0.4-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1_1.0.4-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1-dev_1.0.4-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.0.4-12.1_arm.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_arm.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1_1.0.4-12.1_arm.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1-dev_1.0.4-12.1_arm.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.0.4-12.1_i386.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_i386.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1_1.0.4-12.1_i386.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1-dev_1.0.4-12.1_i386.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_i386.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.0.4-12.1_m68k.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_m68k.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1_1.0.4-12.1_m68k.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1-dev_1.0.4-12.1_m68k.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_m68k.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.0.4-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1_1.0.4-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1-dev_1.0.4-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.0.4-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1_1.0.4-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys1-dev_1.0.4-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.0.4-12.1_sparc.deb
Debian GNU/Linux 3.0 (woody)
- Kildekode:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4.dsc
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4.diff.gz
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14.orig.tar.gz
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4_alpha.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_alpha.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-4.4_alpha.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-4.4_alpha.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-4.4_alpha.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-4.4_alpha.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4_arm.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_arm.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-4.4_arm.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-4.4_arm.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-4.4_arm.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-4.4_arm.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4_i386.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_i386.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-4.4_i386.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-4.4_i386.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-4.4_i386.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-4.4_i386.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4_ia64.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_ia64.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-4.4_ia64.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-4.4_ia64.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-4.4_ia64.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-4.4_ia64.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4_hppa.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_hppa.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-4.4_hppa.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-4.4_hppa.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-4.4_hppa.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-4.4_hppa.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4_m68k.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_m68k.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-4.4_m68k.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-4.4_m68k.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-4.4_m68k.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-4.4_m68k.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4_mips.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_mips.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-4.4_mips.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-4.4_mips.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-4.4_mips.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-4.4_mips.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-4.4_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-4.4_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-4.4_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-4.4_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-4.4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-4.4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-4.4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-4.4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4_s390.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_s390.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-4.4_s390.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-4.4_s390.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-4.4_s390.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-4.4_s390.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-4.4_sparc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_sparc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-4.4_sparc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-4.4_sparc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-4.4_sparc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-4.4_sparc.deb
- http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-4.4_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.
MD5-kontrolsummer for de listede filer findes i den reviderede sikkerhedsbulletin.