FreeBSD : cups-lpr -- lppasswd multiple vulnerabilities (7850a238-680a-11d9-a9e7-0001020eed82)

Medium Nessus Plugin ID 18990

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

D. J. Bernstein reports that Bartlomiej Sieka has discovered several security vulnerabilities in lppasswd, which is part of CUPS. In the following excerpt from Bernstein's email, CVE names have been added for each issue :

First, lppasswd blithely ignores write errors in fputs(line,outfile) at lines 311 and 315 of lppasswd.c, and in fprintf(...) at line 346.
An attacker who fills up the disk at the right moment can arrange for /usr/local/etc/cups/passwd to be truncated. (CAN-2004-1268)

Second, if lppasswd bumps into a file-size resource limit while writing passwd.new, it leaves passwd.new in place, disabling all subsequent invocations of lppasswd. Any local user can thus disable lppasswd... (CAN-2004-1269)

Third, line 306 of lppasswd.c prints an error message to stderr but does not exit. This is not a problem on systems that ensure that file descriptors 0, 1, and 2 are open for setuid programs, but it is a problem on other systems; lppasswd does not check that passwd.new is different from stderr, so it ends up writing a user-controlled error message to passwd if the user closes file descriptor 2.
(CAN-2004-1270)

Note: The third issue, CVE-2004-1270, does not affect FreeBSD 4.6-RELEASE or later systems, as these systems ensure that the file descriptors 0, 1, and 2 are always open for set-user-ID and set-group-ID programs.

Solution

Update the affected packages.

See Also

https://github.com/apple/cups/issues/1023

http://www.nessus.org/u?afff57c3

http://www.nessus.org/u?3566bddf

Plugin Details

Severity: Medium

ID: 18990

File Name: freebsd_pkg_7850a238680a11d9a9e70001020eed82.nasl

Version: 1.22

Type: local

Published: 2005/07/13

Updated: 2018/12/19

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:cups-lpr, p-cpe:/a:freebsd:freebsd:fr-cups-lpr, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2005/01/17

Vulnerability Publication Date: 2004/12/11

Reference Information

CVE: CVE-2004-1268, CVE-2004-1269, CVE-2004-1270

BID: 12004, 12007