FreeBSD : cups-lpr -- lppasswd multiple vulnerabilities (7850a238-680a-11d9-a9e7-0001020eed82)

This script is Copyright (C) 2005-2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

D. J. Bernstein reports that Bartlomiej Sieka has discovered several
security vulnerabilities in lppasswd, which is part of CUPS. In the
following excerpt from Bernstein's email, CVE names have been added
for each issue :

First, lppasswd blithely ignores write errors in fputs(line,outfile)
at lines 311 and 315 of lppasswd.c, and in fprintf(...) at line 346.
An attacker who fills up the disk at the right moment can arrange for
/usr/local/etc/cups/passwd to be truncated. (CAN-2004-1268)

Second, if lppasswd bumps into a file-size resource limit while
writing passwd.new, it leaves passwd.new in place, disabling all
subsequent invocations of lppasswd. Any local user can thus disable
lppasswd... (CAN-2004-1269)

Third, line 306 of lppasswd.c prints an error message to stderr but
does not exit. This is not a problem on systems that ensure that file
descriptors 0, 1, and 2 are open for setuid programs, but it is a
problem on other systems; lppasswd does not check that passwd.new is
different from stderr, so it ends up writing a user-controlled error
message to passwd if the user closes file descriptor 2.
(CAN-2004-1270)

Note: The third issue, CVE-2004-1270, does not affect FreeBSD
4.6-RELEASE or later systems, as these systems ensure that the file
descriptors 0, 1, and 2 are always open for set-user-ID and
set-group-ID programs.

See also :

http://www.cups.org/str.php?L1023
http://www.nessus.org/u?afff57c3
http://www.nessus.org/u?bbff3d7b

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.3
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 18990 (freebsd_pkg_7850a238680a11d9a9e70001020eed82.nasl)

Bugtraq ID: 12004
12007

CVE ID: CVE-2004-1268
CVE-2004-1269
CVE-2004-1270

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now