ID CVE-2004-1270
Summary lppasswd in CUPS 1.1.22, when run in environments that do not ensure that file descriptors 0, 1, and 2 are open when lppasswd is called, does not verify that the passwd.new file is different from STDERR, which allows local users to control output to passwd.new via certain user input that triggers an error message.
References
Vulnerable Configurations
  • cpe:2.3:a:easy_software_products:cups:1.0.4
  • cpe:2.3:a:easy_software_products:cups:1.0.4_8
  • cpe:2.3:a:easy_software_products:cups:1.1.1
  • cpe:2.3:a:easy_software_products:cups:1.1.4
  • cpe:2.3:a:easy_software_products:cups:1.1.4_2
  • cpe:2.3:a:easy_software_products:cups:1.1.4_3
  • cpe:2.3:a:easy_software_products:cups:1.1.4_5
  • cpe:2.3:a:easy_software_products:cups:1.1.6
  • cpe:2.3:a:easy_software_products:cups:1.1.7
  • cpe:2.3:a:easy_software_products:cups:1.1.10
  • cpe:2.3:a:easy_software_products:cups:1.1.12
  • cpe:2.3:a:easy_software_products:cups:1.1.13
  • cpe:2.3:a:easy_software_products:cups:1.1.14
  • cpe:2.3:a:easy_software_products:cups:1.1.15
  • cpe:2.3:a:easy_software_products:cups:1.1.16
  • cpe:2.3:a:easy_software_products:cups:1.1.17
  • cpe:2.3:a:easy_software_products:cups:1.1.18
  • cpe:2.3:a:easy_software_products:cups:1.1.19
  • cpe:2.3:a:easy_software_products:cups:1.1.19_rc5
  • cpe:2.3:a:easy_software_products:cups:1.1.20
  • cpe:2.3:a:easy_software_products:cups:1.1.21
  • cpe:2.3:a:easy_software_products:cups:1.1.22_rc1
  • cpe:2.3:o:redhat:fedora_core:core_2.0
  • cpe:2.3:o:redhat:fedora_core:core_3.0
CVSS
Base: 2.1 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access Vector: LOCAL    Access Complexity: LOW    Authentication: NONE
Confidentiality Impact: NONE    Integrity Impact: PARTIAL    Availability Impact: NONE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-053.NASL
    description Updated CUPS packages that fix several security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf, which also affects CUPS due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. This issue was assigned the name CVE-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0206 to this issue. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the 'lp' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1125 to this issue. A buffer overflow flaw was found in the ParseCommand function in the hpgltops program. An attacker who has the ability to send a malicious HPGL file to a printer could possibly execute arbitrary code as the 'lp' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1267 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the 'lp' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0064 to this issue. The lppasswd utility was found to ignore write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS password file or prevent future uses of lppasswd. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-1268 and CVE-2004-1269 to these issues. The lppasswd utility was found to not verify that the passwd.new file is different from STDERR, which could allow local users to control output to passwd.new via certain user input that triggers an error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1270 to this issue. All users of cups should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17174
    published 2005-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17174
    title RHEL 4 : CUPS (RHSA-2005:053)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-013.NASL
    description Updated CUPS packages that fix several security issues are now available. The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. A buffer overflow was found in the CUPS pdftops filter, which uses code from the Xpdf package. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the 'lp' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1125 to this issue. A buffer overflow was found in the ParseCommand function in the hpgltops program. An attacker who has the ability to send a malicious HPGL file to a printer could possibly execute arbitrary code as the 'lp' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1267 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to exploit these buffer overflow vulnerabilities on x86 architectures. The lppasswd utility ignores write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS password file or prevent future uses of lppasswd. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-1268 and CVE-2004-1269 to these issues. The lppasswd utility does not verify that the passwd.new file is different from STDERR, which could allow local users to control output to passwd.new via certain user input that triggers an error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1270 to this issue. In addition to these security issues, two other problems not relating to security have been fixed : Resuming a job with 'lp -H resume', which had previously been held with 'lp -H hold' could cause the scheduler to stop. This has been fixed in later versions of CUPS, and has been backported in these updated packages. The cancel-cups(1) man page is a symbolic link to another man page. The target of this link has been corrected. All users of cups should upgrade to these updated packages, which resolve these issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 16146
    published 2005-01-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16146
    title RHEL 3 : cups (RHSA-2005:013)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_7850A238680A11D9A9E70001020EED82.NASL
    description D. J. Bernstein reports that Bartlomiej Sieka has discovered several security vulnerabilities in lppasswd, which is part of CUPS. In the following excerpt from Bernstein's email, CVE names have been added for each issue : First, lppasswd blithely ignores write errors in fputs(line,outfile) at lines 311 and 315 of lppasswd.c, and in fprintf(...) at line 346. An attacker who fills up the disk at the right moment can arrange for /usr/local/etc/cups/passwd to be truncated. (CAN-2004-1268) Second, if lppasswd bumps into a file-size resource limit while writing passwd.new, it leaves passwd.new in place, disabling all subsequent invocations of lppasswd. Any local user can thus disable lppasswd... (CAN-2004-1269) Third, line 306 of lppasswd.c prints an error message to stderr but does not exit. This is not a problem on systems that ensure that file descriptors 0, 1, and 2 are open for setuid programs, but it is a problem on other systems; lppasswd does not check that passwd.new is different from stderr, so it ends up writing a user-controlled error message to passwd if the user closes file descriptor 2. (CAN-2004-1270) Note: The third issue, CVE-2004-1270, does not affect FreeBSD 4.6-RELEASE or later systems, as these systems ensure that the file descriptors 0, 1, and 2 are always open for set-user-ID and set-group-ID programs.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 18990
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18990
    title FreeBSD : cups-lpr -- lppasswd multiple vulnerabilities (7850a238-680a-11d9-a9e7-0001020eed82)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-50-1.NASL
    description CAN-2004-1125 : The recent USN-48-1 fixed a buffer overflow in xpdf. Since CUPS contains xpdf code to convert incoming PDF files to the PostScript format, this vulnerability applies to cups as well. In this case it could even lead to privilege escalation: if an attacker submitted a malicious PDF file for printing, he could be able to execute arbitrary commands with the privileges of the CUPS server. Please note that the Ubuntu version of CUPS runs as a minimally privileged user 'cupsys' by default, so there is no possibility of root privilege escalation. The privileges of the 'cupsys' user are confined to modifying printer configurations, altering print jobs, and controlling printers. CAN-2004-1267 : Ariel Berkman discovered a buffer overflow in the ParseCommand() function of the HPGL input driver. If an attacker printed a malicious HPGL file, they could exploit this to execute arbitrary commands with the privileges of the CUPS server. CAN-2004-1268, CAN-2004-1269, CAN-2004-1270 : Bartlomiej Sieka discovered three flaws in lppasswd. These allowed users to corrupt the new password file by filling up the disk, sending certain signals, or closing the standard output and/or error streams. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-01
    plugin id 20668
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20668
    title Ubuntu 4.10 : cupsys vulnerabilities (USN-50-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200412-25.NASL
    description The remote host is affected by the vulnerability described in GLSA-200412-25 (CUPS: Multiple vulnerabilities) CUPS makes use of vulnerable Xpdf code to handle PDF files (CAN-2004-1125). Furthermore, Ariel Berkman discovered a buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program (CAN-2004-1267). Finally, Bartlomiej Sieka discovered several problems in the lppasswd program: it ignores some write errors (CAN-2004-1268), it can leave the passwd.new file in place (CAN-2004-1269) and it does not verify that the passwd.new file is different from STDERR (CAN-2004-1270). Impact : The Xpdf and hpgltops vulnerabilities may be exploited by a remote attacker to execute arbitrary code by sending specific print jobs to a CUPS spooler. The lppasswd vulnerabilities may be exploited by a local attacker to write data to the CUPS password file or deny further password modifications. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 16067
    published 2004-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16067
    title GLSA-200412-25 : CUPS: Multiple vulnerabilities
  • NASL family Misc.
    NASL id CUPS_MULTIPLE_VULNERABILITIES.NASL
    description According to its banner, the version of CUPS installed on the remote host is between 1.0.4 and 1.1.22 inclusive. Such versions are prone to multiple vulnerabilities : - A remotely exploitable buffer overflow in the 'hpgltops' filter that enables specially crafted HPGL files to execute arbitrary commands as the CUPS 'lp' account. - A local user may be able to prevent anyone from changing their password until a temporary copy of the new password file is cleaned up (lppasswd flaw). - A local user may be able to add arbitrary content to the password file by closing the stderr file descriptor while running lppasswd (lppasswd flaw). - A local attacker may be able to truncate the CUPS password file, thereby denying service to valid clients using digest authentication (lppasswd flaw). - The application applies ACLs to incoming print jobs in a case-sensitive fashion. Thus, an attacker can bypass restrictions by changing the case in printer names when submitting jobs. [Fixed in 1.1.21.]
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 16141
    published 2005-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16141
    title CUPS < 1.1.23 Multiple Vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-008.NASL
    description A buffer overflow was discovered in the ParseCommand function in the hpgltops utility. An attacker with the ability to send malicious HPGL files to a printer could possibly execute arbitrary code as the 'lp' user (CVE-2004-1267). Vulnerabilities in the lppasswd utility were also discovered. The program ignores write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS passwd file or prevent future use of lppasswd (CVE-2004-1268 and CVE-2004-1269). As well, lppasswd does not verify that the passwd.new file is different from STDERR, which could allow a local user to control output to passwd.new via certain user input that could trigger an error message (CVE-2004-1270). The updated packages have been patched to prevent these problems.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 16184
    published 2005-01-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16184
    title Mandrake Linux Security Advisory : cups (MDKSA-2005:008)
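The FreeBSD and Misc. plugin descriptions above spell out the mechanism behind CVE-2004-1270: a set-user-ID program started with descriptor 2 closed receives descriptor 2 for the next file it opens, so passwd.new and stderr become the same file and any error message lands in the password file. The C program below is an added example, not code from CUPS or from any advisory quoted here; it shows the two defensive checks such a program wants (re-opening 0, 1 and 2 on /dev/null at startup, and refusing an output descriptor that aliases stderr) and reproduces the descriptor collision in a forked child so the effect can be observed without disturbing the calling process. The function names and the use of /dev/null as a stand-in for passwd.new are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open /dev/null on any closed descriptor among 0, 1, 2 so a later open()
 * can never hand a data file a standard number (open() returns the lowest
 * free descriptor, so walking up from 0 fills exactly the gaps).
 * Returns the count re-opened, or -1 on error. */
int ensure_std_fds_open(void) {
    int reopened = 0;
    for (int fd = 0; fd < 3; fd++) {
        if (fcntl(fd, F_GETFD) >= 0) continue;          /* already open */
        if (open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY) != fd) return -1;
        reopened++;
    }
    return reopened;
}

/* The check lppasswd lacked: refuse an output fd that is really stderr,
 * whether by descriptor number or by naming the same inode as fd 2. */
int is_stderr_alias(int outfd) {
    struct stat a, b;
    if (outfd < 3) return 1;
    if (fstat(outfd, &a) < 0 || fstat(STDERR_FILENO, &b) < 0)
        return 0;                                       /* stderr closed: nothing to alias */
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Reproduce "caller closed fd 2" in a forked child (this process keeps its
 * own stderr) and report which descriptor the child's next open() received.
 * sanitize == 0: the file lands on fd 2, the CVE-2004-1270 condition.
 * sanitize == 1: ensure_std_fds_open() runs first and the file gets fd >= 3. */
int fd_given_to_new_file(int sanitize) {
    int pipefd[2], fd = -1;
    if (ensure_std_fds_open() < 0 || pipe(pipefd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(pipefd[0]);
        close(STDERR_FILENO);                           /* hostile caller's environment */
        if (sanitize) ensure_std_fds_open();
        fd = open("/dev/null", O_WRONLY);               /* stands in for creating passwd.new */
        if (write(pipefd[1], &fd, sizeof fd) < 0) _exit(1);
        _exit(0);
    }
    close(pipefd[1]);
    if (read(pipefd[0], &fd, sizeof fd) != (ssize_t)sizeof fd) fd = -1;
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    return fd;
}
```

On a system that already guarantees descriptors 0, 1 and 2 for set-user-ID programs (the page notes FreeBSD 4.6-RELEASE and later do this), the sanitising step is a no-op and the alias check is the remaining line of defence.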
oval via4
accepted 2013-04-29T04:14:29.604-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description lppasswd in CUPS 1.1.22, when run in environments that do not ensure that file descriptors 0, 1, and 2 are open when lppasswd is called, does not verify that the passwd.new file is different from STDERR, which allows local users to control output to passwd.new via certain user input that triggers an error message.
family unix
id oval:org.mitre.oval:def:11507
status accepted
submitted 2010-07-09T03:56:16-04:00
title lppasswd in CUPS 1.1.22, when run in environments that do not ensure that file descriptors 0, 1, and 2 are open when lppasswd is called, does not verify that the passwd.new file is different from STDERR, which allows local users to control output to passwd.new via certain user input that triggers an error message.
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2005:013
  • rhsa
    id RHSA-2005:053
refmap via4
gentoo GLSA-200412-25
mandrake MDKSA-2005:008
misc http://tigger.uic.edu/~jlongs2/holes/cups2.txt
ubuntu USN-50-1
xf cups-lppasswd-passwd-modify(18609)
Last major update 21-08-2010 - 00:22
Published 10-01-2005 - 00:00
Last modified 03-10-2018 - 17:29