no problem. thanks!

On Wed, Nov 19, 2008 at 6:59 PM, Kees Cook <[EMAIL PROTECTED]> wrote:
> ** Visibility changed to: Public
>
> --
> Apple CUPS Daemon: unauthenticated SIGSEGV crash via RSS subscriptions
> https://bugs.launchpad.net/bugs/298241
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in "cups" source package in Ubuntu: New
>
> Bug description:
> Binary package hint: cups
>
> The CUPS daemon (/usr/sbin/cupsd) which listens by default on port 631/tcp,
> crashes when more than 100 RSS Subscriptions are added. No authentication is
> required to perform such action. The caveat is that by default - at least on
> Ubuntu and openSuse - the daemon only accepts connections from localhost as
> specified by the default configuration settings (/etc/cups/cupsd.conf).
> However, the attack can be of remote nature by tricking the victim user to
> visit a specially-crafted page. Such page would forge the 'add rss
> subscription' request 101 times which causes the CUPS daemon to crash.
>
> The CUPS daemon runs by default on Ubuntu, openSuse and probably other
> GNU/Linux distributions. Additionally, this vulnerability can be replicated
> against CUPS daemons using default settings. Since no authentication is
> required to add new RSS subscriptions, the CUPS administrator does not need
> to be logged in during exploitation.
>
> It is not known whether the crash can lead to command execution, further
> debugging/investigation is required. However, the daemon runs as root on both
> Ubuntu and openSuse (and probably other distributions), which means that
> given that command execution is possible, this bug would lead to a full
> compromise of the targeted system.
>
> _Please see the attached file for more details._
>

--
Adrian 'pagvac' Pastor | GNUCITIZEN | gnucitizen.org
PGP Key ID: 0x6B232C7C

--
Apple CUPS Daemon: unauthenticated SIGSEGV crash via RSS subscriptions
https://bugs.launchpad.net/bugs/298241
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
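
For defenders, the condition described in the quoted report (more than 100 RSS subscriptions) can be watched for by counting RSS recipients in the scheduler's subscription store. This is an added example, not part of the original message and not CUPS code; it assumes the store is /etc/cups/subscriptions.conf laid out as `<Subscription N>` blocks with `Recipient <uri>` lines, and all sample data is constructed.

```python
import re
from collections import Counter

# Threshold taken from the report: the daemon crashes once more than
# 100 RSS subscriptions have been added.
RSS_CRASH_THRESHOLD = 100

# Assumed file layout (not shown in the report): <Subscription N> blocks,
# each optionally carrying a "Recipient <uri>" line.
BLOCK_RE = re.compile(r"<Subscription\s+(\d+)>(.*?)</Subscription>", re.S)
RECIPIENT_RE = re.compile(r"^\s*Recipient\s+(\S+)", re.M)

def rss_subscriptions(conf_text):
    """Return {subscription_id: recipient_uri} for rss:// recipients only."""
    found = {}
    for sub_id, body in BLOCK_RE.findall(conf_text):
        m = RECIPIENT_RE.search(body)
        if m and m.group(1).lower().startswith("rss://"):
            found[int(sub_id)] = m.group(1)
    return found

def assess(conf_text, warn_ratio=0.8):
    """Classify the store and list recipients that repeat (a bulk-add sign)."""
    subs = rss_subscriptions(conf_text)
    count = len(subs)
    repeated = {u: n for u, n in Counter(subs.values()).items() if n > 1}
    if count > RSS_CRASH_THRESHOLD:
        level = "critical"
    elif count >= RSS_CRASH_THRESHOLD * warn_ratio:
        level = "warning"
    else:
        level = "ok"
    return {"rss_count": count, "level": level, "repeated": repeated}

def make_sample(n):
    """Constructed sample: n RSS subscriptions plus one non-RSS entry."""
    blocks = ["NextSubscriptionId %d" % (n + 2)]
    for i in range(1, n + 1):
        blocks.append("<Subscription %d>\nEvents printer-state-changed\n"
                      "Owner anonymous\nRecipient rss:///sample-%d.rss\n"
                      "</Subscription>" % (i, i % 3))
    blocks.append("<Subscription %d>\nOwner root\nRecipient "
                  "mailto:admin@example.invalid\n</Subscription>" % (n + 1))
    return "\n".join(blocks)

if __name__ == "__main__":
    for n in (5, 85, 101):
        print(n, assess(make_sample(n)))
```
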