SSV:11523
CUPS cups/ipp.c NULL Pointer Dereference Denial of Service Vulnerability

2009-06-04 00:00:00
Root
www.seebug.org

EPSS: 0.07 (Low), percentile 93.3%

BUGTRAQ ID: 35169
CVE(CAN) ID: CVE-2009-0949

Common Unix Printing System (CUPS) is a general-purpose Unix printing system and a cross-platform printing solution for Unix environments. It is based on the Internet Printing Protocol and provides services for most PostScript and raster printers.

When processing a specially crafted IPP message that contains two IPP_TAG_UNSUPPORTED tags, the ippReadIO() function in CUPS's cups/ipp.c does not correctly initialize the ipp structure, which can crash the affected application.

The ippReadIO() function in cups/ipp.c is responsible for initializing the ipp structure that represents the different tags in the current IPP request:

/*-----------
/* cups/ipp.c, ippReadIO(), lines 1016-1048 of the affected release */

ipp_state_t                             /* O - Current state */
ippReadIO(void       *src,              /* I - Data source */
          ipp_iocb_t cb,                /* I - Read callback function */
          int        blocking,          /* I - Use blocking IO? */
          ipp_t      *parent,           /* I - Parent request, if any */
          ipp_t      *ipp)              /* I - IPP data */
{
  int                   n;              /* Length of data */
  unsigned char         buffer[IPP_MAX_LENGTH + 1],
                                        /* Data buffer */
                        string[IPP_MAX_NAME],
                                        /* Small string buffer */
                        *bufptr;        /* Pointer into buffer */
  ipp_attribute_t       *attr;          /* Current attribute */
  ipp_tag_t             tag;            /* Current tag */
  ipp_tag_t             value_tag;      /* Current value tag */
  ipp_value_t           *value;         /* Current value */


  DEBUG_printf(("ippReadIO(%p, %p, %d, %p, %p)\n", src, cb, blocking,
                parent, ipp));
  DEBUG_printf(("ippReadIO: ipp->state=%d\n", ipp->state));

  if (src == NULL || ipp == NULL)
    return (IPP_ERROR);

  switch (ipp->state)
  {
    case IPP_IDLE :
        ipp->state ++; /* Avoid common problem... */

    case IPP_HEADER :
        if (parent == NULL)
-----------*/

In the code above, the message is parsed by stepping through its tag attributes. If an attribute tag in the IPP message has a value below 0x10, CUPS treats it as an IPP_TAG_UNSUPPORTED tag:

/*-----------
      else if (tag < IPP_TAG_UNSUPPORTED_VALUE)
      {
       /*
        * Group tag...  Set the current group and continue...
        */

        if (ipp->curtag == tag)
          ipp->prev = ippAddSeparator(ipp);
        else if (ipp->current)
          ipp->prev = ipp->current;

        ipp->curtag  = tag;
        ipp->current = NULL;
        DEBUG_printf(("ippReadIO: group tag = %x, ipp->prev=%p\n", tag,
                      ipp->prev));
        continue;
      }
-----------*/

Because of the way CUPS handles these tags, if the message contains two consecutive IPP_TAG_UNSUPPORTED tags, the last node of the IPP structure is initialized to NULL, which causes a crash when the cupsdProcessIPPRequest function tries to read the name field of the attr structure.

/*-----------
/*
 * 'cupsdProcessIPPRequest()' - Process an incoming IPP request.
 */

int                                     /* O - 1 on success, 0 on failure */
cupsdProcessIPPRequest(
    cupsd_client_t *con)                /* I - Client connection */

  ...

    if (!attr)
    {
     /*
      * Then make sure that the first three attributes are:
      *
      *     attributes-charset
      *     attributes-natural-language
      *     printer-uri/job-uri
      */

      attr = con->request->attrs;
      if (attr && !strcmp(attr->name, "attributes-charset") &&
          (attr->value_tag & IPP_TAG_MASK) == IPP_TAG_CHARSET)
        charset = attr;
      else
        charset = NULL;
-----------*/
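The mechanism described in the two preceding passages, as an added example that is not part of the original advisory or of CUPS: a small C model of the attribute list built by the group-tag branch of ippReadIO(), followed by the first-attribute check from cupsdProcessIPPRequest() in both the quoted form (reported, not executed) and a hardened form that skips nameless separator nodes. The struct layout, the helper names (add_attr, read_group_tag, read_attribute, charset_check_safe, evaluate, outcome_t) and the simplified tag constants are assumptions of this model; TAG_OPERATION and TAG_CHARSET use the RFC 2910 tag values.

```c
/* Added example, not CUPS code: a small model of the ipp_t attribute list and of
 * the group-tag branch quoted from ippReadIO(), showing how two consecutive
 * identical group tags leave a name == NULL separator node at the head of the
 * list, and how checking the name before strcmp() avoids the fault.  Struct
 * layout, helper names and outcome_t are assumptions of this model. */
#include <stdlib.h>
#include <string.h>

#define TAG_ZERO       0x00
#define TAG_OPERATION  0x01   /* operation-attributes-tag: a group tag (< 0x10), RFC 2910 */
#define TAG_CHARSET    0x47   /* charset value tag, RFC 2910 */

typedef struct attr_s {
    const char    *name;      /* NULL for a separator node */
    int            value_tag;
    struct attr_s *next;
} attr_t;

typedef struct {
    attr_t *attrs, *last, *current, *prev;
    int     curtag;
} ipp_model_t;

typedef struct {
    int separators;          /* nodes with name == NULL */
    int unsafe_would_crash;  /* 1 if strcmp(attr->name, ...) on the head node faults */
    int safe_finds_charset;  /* result of the hardened check */
} outcome_t;

/* Append an attribute; with name == NULL this models ippAddSeparator(). */
static attr_t *add_attr(ipp_model_t *ipp, const char *name, int value_tag)
{
    attr_t *a = calloc(1, sizeof(*a));
    if (!a)
        abort();
    a->name      = name;
    a->value_tag = value_tag;
    if (ipp->last)
        ipp->last->next = a;
    else
        ipp->attrs = a;
    ipp->last = a;
    return a;
}

/* Mirror of the "tag < IPP_TAG_UNSUPPORTED_VALUE" branch quoted above. */
static void read_group_tag(ipp_model_t *ipp, int tag)
{
    if (ipp->curtag == tag)
        ipp->prev = add_attr(ipp, NULL, TAG_ZERO);   /* nameless separator */
    else if (ipp->current)
        ipp->prev = ipp->current;
    ipp->curtag  = tag;
    ipp->current = NULL;
}

/* A value attribute read while the current group tag is in effect. */
static void read_attribute(ipp_model_t *ipp, const char *name, int value_tag)
{
    ipp->current = add_attr(ipp, name, value_tag);
}

/* Hardened form of the cupsdProcessIPPRequest() check quoted above: skip
 * nameless separator nodes and never pass a NULL name to strcmp(). */
static int charset_check_safe(const ipp_model_t *ipp)
{
    const attr_t *attr = ipp->attrs;
    while (attr && attr->name == NULL)
        attr = attr->next;
    return attr && !strcmp(attr->name, "attributes-charset") &&
           attr->value_tag == TAG_CHARSET;
}

static void free_attrs(ipp_model_t *ipp)
{
    for (attr_t *a = ipp->attrs, *n; a; a = n) {
        n = a->next;
        free(a);
    }
}

/* Build a constructed request (the group tag once, or twice as in the report,
 * then attributes-charset) and report what each consumer check would do. */
outcome_t evaluate(int repeat_group_tag)
{
    ipp_model_t ipp;
    outcome_t out = {0, 0, 0};
    memset(&ipp, 0, sizeof(ipp));
    read_group_tag(&ipp, TAG_OPERATION);
    if (repeat_group_tag)
        read_group_tag(&ipp, TAG_OPERATION);   /* curtag == tag: separator added */
    read_attribute(&ipp, "attributes-charset", TAG_CHARSET);

    for (const attr_t *a = ipp.attrs; a; a = a->next)
        out.separators += (a->name == NULL);
    /* The quoted code calls strcmp(attr->name, ...) on the head node; with a NULL
     * name that is the NULL-pointer dereference.  Report it rather than do it. */
    out.unsafe_would_crash = (ipp.attrs != NULL && ipp.attrs->name == NULL);
    out.safe_finds_charset = charset_check_safe(&ipp);
    free_attrs(&ipp);
    return out;
}
```

evaluate(1) reproduces the case the advisory describes: the repeated group tag makes ippReadIO()'s branch add a separator before any named attribute, so the list head has name == NULL and the quoted strcmp() would dereference it, while the hardened check still locates attributes-charset. evaluate(0) is the well-formed request for comparison; both checks agree there, which is the behaviour the fix has to preserve.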

Easy Software Products CUPS < 1.3.10

Vendor patch:

Easy Software Products

The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page:

http://www.cups.org

http://www.coresecurity.com/content/AppleCUPS-null-pointer-vulnerability