ID CVE-2014-4336 Type cve Reporter cve@mitre.org Modified 2018-01-03T13:45:00
Description
The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the host name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707.
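The bug class behind CVE-2014-2707 / CVE-2014-4336, as an added example in C that is not code from cups-filters or the cups-browsed daemon: a host name announced by a remote IPP printer is pasted into a shell command line, so shell metacharacters in it become commands run under the daemon's uid. The names make_queue_unsafe, make_queue_safe, valid_hostname and valid_queue_name, the lpadmin command line and the constructed EVIL_HOST string are all assumptions for illustration; the hardened half validates the host against an RFC 1123 allow-list and builds an argv vector for execvp()/posix_spawn() instead of a shell string, which is the general fix for this class rather than the exact patch shipped in 1.0.53.

```c
/*
 * Added example, not code from cups-filters. It models the bug class behind
 * CVE-2014-2707 / CVE-2014-4336 in generate_local_queue(): a host name from
 * a remote IPP printer is pasted into a shell command line.
 * make_queue_unsafe, make_queue_safe, valid_hostname, valid_queue_name and
 * the lpadmin command line are illustrative assumptions, not the daemon's
 * own functions or command.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8

/* Constructed attacker input: a "host name" that carries shell syntax. */
static const char EVIL_HOST[] = "evil.example; touch /tmp/pwned; #";

/* VULNERABLE pattern: the untrusted host name reaches a shell via
   system()/popen(). Only the command line is returned here so the example
   runs without executing anything. */
int make_queue_unsafe(const char *queue, const char *host,
                      char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen,
                     "lpadmin -p %s -E -v ipp://%s/ipp/print", queue, host);
    return (n > 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Allow-list check: RFC 1123 host name (labels of letters, digits and '-',
   not starting or ending with '-', joined by '.', at most 253 bytes).
   Every shell metacharacter fails this test. */
int valid_hostname(const char *host)
{
    size_t len = strlen(host), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0 || host[i - 1] == '-') return 0;
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-') return 0;
        if (c == '-' && label == 0) return 0;
        if (++label > 63) return 0;
    }
    return label > 0 && host[len - 1] != '-';
}

/* Queue names are also derived from remote data: allow [A-Za-z0-9_-] only. */
int valid_queue_name(const char *queue)
{
    size_t len = strlen(queue);
    if (len == 0 || len > 127) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)queue[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* HARDENED pattern: validate first, then build an argv vector for
   execvp()/posix_spawn() instead of a shell command line. Even a string
   that slipped past validation is then a single argument, never shell
   syntax. argv[5] receives the device URI. */
int make_queue_safe(const char *queue, const char *host,
                    char *uri, size_t urilen, const char *argv[MAX_ARGS])
{
    if (!valid_queue_name(queue) || !valid_hostname(host)) return -1;
    int n = snprintf(uri, urilen, "ipp://%s/ipp/print", host);
    if (n < 0 || (size_t)n >= urilen) return -1;
    const char *v[] = { "lpadmin", "-p", queue, "-E", "-v", uri, NULL };
    for (size_t i = 0; i < MAX_ARGS; i++)
        argv[i] = i < sizeof v / sizeof v[0] ? v[i] : NULL;
    return 0;
}

/* Demo wrappers over static buffers so results can be compared directly. */
const char *unsafe_command(const char *host)
{
    static char cmd[512];
    return make_queue_unsafe("printer_q", host, cmd, sizeof cmd) == 0 ? cmd : NULL;
}

const char *safe_device_uri(const char *host)
{
    static char uri[512];
    static const char *argv[MAX_ARGS];
    return make_queue_safe("printer_q", host, uri, sizeof uri, argv) == 0
           ? argv[5] : NULL;
}

int main(void)
{
    printf("unsafe: %s\n", unsafe_command(EVIL_HOST));
    printf("safe:   %s\n", safe_device_uri(EVIL_HOST) ? "built" : "rejected");
    printf("safe:   %s\n", safe_device_uri("printer.example.com"));
    return 0;
}
```

The unsafe command line for EVIL_HOST ends up as three shell commands, while the hardened path rejects the same input before anything is built. As the advisories below note, only hosts with CreateIPPPrinterQueues enabled in /etc/cups/cups-browsed.conf exposed this path, so checking that directive is the quick triage step on an unpatched host.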
{"securityvulns": [{"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "cvelist": ["CVE-2013-6474", "CVE-2014-4337", "CVE-2013-6473", "CVE-2014-2707", "CVE-2014-4336", "CVE-2013-6476", "CVE-2014-4338", "CVE-2013-6475"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2015:100\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : cups-filters\r\n Date : March 29, 2015\r\n Affected: Business Server 2.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Updated cups-filters packages fix security vulnerabilities:\r\n \r\n Florian Weimer discovered that cups-filters incorrectly handled\r\n memory in the urftopdf filter. An attacker could possibly use this\r\n issue to execute arbitrary code with the privileges of the lp user\r\n (CVE-2013-6473).\r\n \r\n Florian Weimer discovered that cups-filters incorrectly handled\r\n memory in the pdftoopvp filter. An attacker could possibly use this\r\n issue to execute arbitrary code with the privileges of the lp user\r\n (CVE-2013-6474, CVE-2013-6475).\r\n \r\n Florian Weimer discovered that cups-filters did not restrict driver\r\n directories in in the pdftoopvp filter. 
An attacker could possibly\r\n use this issue to execute arbitrary code with the privileges of the\r\n lp user (CVE-2013-6476).\r\n \r\n Sebastian Krahmer discovered it was possible to use malicious\r\n broadcast packets to execute arbitrary commands on a server running\r\n the cups-browsed daemon (CVE-2014-2707).\r\n \r\n In cups-filters before 1.0.53, out-of-bounds accesses in the\r\n process_browse_data function when reading the packet variable\r\n could leading to a crash, thus resulting in a denial of service\r\n (CVE-2014-4337).\r\n \r\n In cups-filters before 1.0.53, if there was only a single BrowseAllow\r\n line in cups-browsed.conf and its host specification was invalid, this\r\n was interpreted as if no BrowseAllow line had been specified, which\r\n resulted in it accepting browse packets from all hosts (CVE-2014-4338).\r\n \r\n The CVE-2014-2707 issue with malicious broadcast packets, which\r\n had been fixed in Mageia Bug 13216 (MGASA-2014-0181), had not been\r\n completely fixed by that update. 
A more complete fix was implemented\r\n in cups-filters 1.0.53 (CVE-2014-4336).\r\n \r\n Note that only systems that have enabled the affected feature\r\n by using the CreateIPPPrinterQueues configuration directive in\r\n /etc/cups/cups-browsed.conf were affected by the CVE-2014-2707 /\r\n CVE-2014-4336 issue.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6473\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6474\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6475\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6476\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2707\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4336\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4337\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4338\r\n http://advisories.mageia.org/MGASA-2014-0170.html\r\n http://advisories.mageia.org/MGASA-2014-0181.html\r\n http://advisories.mageia.org/MGASA-2014-0267.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 2/X86_64:\r\n 8debeee26ba55f4bb1b93d553da75157 mbs2/x86_64/cups-filters-1.0.53-1.mbs2.x86_64.rpm\r\n 37666681642eddb5343e968a58b3d771 mbs2/x86_64/lib64cups-filters1-1.0.53-1.mbs2.x86_64.rpm\r\n d526c4341f34532c8032655f7e334999 mbs2/x86_64/lib64cups-filters-devel-1.0.53-1.mbs2.x86_64.rpm \r\n 5ecb3127039ab1eacb519a7b98e1d545 mbs2/SRPMS/cups-filters-1.0.53-1.mbs2.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. 
You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFVF3e0mqjQ0CJFipgRAmSxAJ0fLCoHyyU8zzI8WSW36Yi7P1fAMgCfZ3sm\r\nw9BvNovNQW1jwArTVorAJo0=\r\n=0EYE\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2015-04-19T00:00:00", "published": "2015-04-19T00:00:00", "id": "SECURITYVULNS:DOC:31945", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31945", "title": "[ MDVSA-2015:100 ] cups-filters", "type": "securityvulns", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:59", "bulletinFamily": "software", "cvelist": ["CVE-2013-6474", "CVE-2014-4337", "CVE-2013-6473", "CVE-2015-2265", "CVE-2014-2707", "CVE-2014-4336", "CVE-2013-6476", "CVE-2014-4338", "CVE-2013-6475"], "description": "cups-browsed shell characters vulnerability", "edition": 1, "modified": "2015-04-19T00:00:00", "published": "2015-04-19T00:00:00", "id": "SECURITYVULNS:VULN:14329", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14329", "title": "cups-filters code execution", "type": "securityvulns", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-17T11:51:41", "description": "Updated cups-filters packages fix security vulnerabilities :\n\nFlorian Weimer discovered that cups-filters incorrectly handled 
memory\nin the urftopdf filter. An attacker could possibly use this issue to\nexecute arbitrary code with the privileges of the lp user\n(CVE-2013-6473).\n\nFlorian Weimer discovered that cups-filters incorrectly handled memory\nin the pdftoopvp filter. An attacker could possibly use this issue to\nexecute arbitrary code with the privileges of the lp user\n(CVE-2013-6474, CVE-2013-6475).\n\nFlorian Weimer discovered that cups-filters did not restrict driver\ndirectories in in the pdftoopvp filter. An attacker could possibly use\nthis issue to execute arbitrary code with the privileges of the lp\nuser (CVE-2013-6476).\n\nSebastian Krahmer discovered it was possible to use malicious\nbroadcast packets to execute arbitrary commands on a server running\nthe cups-browsed daemon (CVE-2014-2707).\n\nIn cups-filters before 1.0.53, out-of-bounds accesses in the\nprocess_browse_data function when reading the packet variable could\nleading to a crash, thus resulting in a denial of service\n(CVE-2014-4337).\n\nIn cups-filters before 1.0.53, if there was only a single BrowseAllow\nline in cups-browsed.conf and its host specification was invalid, this\nwas interpreted as if no BrowseAllow line had been specified, which\nresulted in it accepting browse packets from all hosts\n(CVE-2014-4338).\n\nThe CVE-2014-2707 issue with malicious broadcast packets, which had\nbeen fixed in Mageia Bug 13216 (MGASA-2014-0181), had not been\ncompletely fixed by that update. 
A more complete fix was implemented\nin cups-filters 1.0.53 (CVE-2014-4336).\n\nNote that only systems that have enabled the affected feature by using\nthe CreateIPPPrinterQueues configuration directive in\n/etc/cups/cups-browsed.conf were affected by the CVE-2014-2707 /\nCVE-2014-4336 issue.", "edition": 24, "published": "2015-03-30T00:00:00", "title": "Mandriva Linux Security Advisory : cups-filters (MDVSA-2015:100)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-6474", "CVE-2014-4337", "CVE-2013-6473", "CVE-2014-2707", "CVE-2014-4336", "CVE-2013-6476", "CVE-2014-4338", "CVE-2013-6475"], "modified": "2015-03-30T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:2", "p-cpe:/a:mandriva:linux:lib64cups-filters-devel", "p-cpe:/a:mandriva:linux:cups-filters", "p-cpe:/a:mandriva:linux:lib64cups-filters1"], "id": "MANDRIVA_MDVSA-2015-100.NASL", "href": "https://www.tenable.com/plugins/nessus/82353", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:100. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82353);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-6473\", \"CVE-2013-6474\", \"CVE-2013-6475\", \"CVE-2013-6476\", \"CVE-2014-2707\", \"CVE-2014-4336\", \"CVE-2014-4337\", \"CVE-2014-4338\");\n script_xref(name:\"MDVSA\", value:\"2015:100\");\n\n script_name(english:\"Mandriva Linux Security Advisory : cups-filters (MDVSA-2015:100)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cups-filters packages fix security vulnerabilities :\n\nFlorian Weimer discovered that cups-filters incorrectly handled memory\nin the urftopdf filter. An attacker could possibly use this issue to\nexecute arbitrary code with the privileges of the lp user\n(CVE-2013-6473).\n\nFlorian Weimer discovered that cups-filters incorrectly handled memory\nin the pdftoopvp filter. An attacker could possibly use this issue to\nexecute arbitrary code with the privileges of the lp user\n(CVE-2013-6474, CVE-2013-6475).\n\nFlorian Weimer discovered that cups-filters did not restrict driver\ndirectories in in the pdftoopvp filter. 
An attacker could possibly use\nthis issue to execute arbitrary code with the privileges of the lp\nuser (CVE-2013-6476).\n\nSebastian Krahmer discovered it was possible to use malicious\nbroadcast packets to execute arbitrary commands on a server running\nthe cups-browsed daemon (CVE-2014-2707).\n\nIn cups-filters before 1.0.53, out-of-bounds accesses in the\nprocess_browse_data function when reading the packet variable could\nleading to a crash, thus resulting in a denial of service\n(CVE-2014-4337).\n\nIn cups-filters before 1.0.53, if there was only a single BrowseAllow\nline in cups-browsed.conf and its host specification was invalid, this\nwas interpreted as if no BrowseAllow line had been specified, which\nresulted in it accepting browse packets from all hosts\n(CVE-2014-4338).\n\nThe CVE-2014-2707 issue with malicious broadcast packets, which had\nbeen fixed in Mageia Bug 13216 (MGASA-2014-0181), had not been\ncompletely fixed by that update. A more complete fix was implemented\nin cups-filters 1.0.53 (CVE-2014-4336).\n\nNote that only systems that have enabled the affected feature by using\nthe CreateIPPPrinterQueues configuration directive in\n/etc/cups/cups-browsed.conf were affected by the CVE-2014-2707 /\nCVE-2014-4336 issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0170.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0181.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0267.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected cups-filters, lib64cups-filters-devel and / or\nlib64cups-filters1 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:cups-filters\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64cups-filters-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64cups-filters1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"cups-filters-1.0.53-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64cups-filters-devel-1.0.53-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64cups-filters1-1.0.53-1.mbs2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, 
\"affected\");\n", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}]}