Overview: cups-browsed fails to properly sanitise data from the network when creating IPP printer scripts. As a result, an attacker can remotely create a script containing arbitrary commands, which will be executed as the "lp" user when the associated printer is used. This is the same vulnerability reported as CVE-2014-2707 but the existing fixes rely on a string sanitisation function remove_bad_chars() which is not effective. Details: The remove_bad_chars() function in utils/cups-browsed.c uses the "j" variable as the index of the character to replace in the string to be sanitised. Consecutive bad characters cause "j" to be decremented, so can result in the bad character remaining unaffected. The variables sanitised by remove_bad_chars() include the "pdl" field from an avahi broadcast packet. This is used to create a shell script: snprintf(buffer, sizeof(buffer), "#!/bin/sh\n" "# System V interface script for printer %s generated by cups-browsed\n" "\n" "if [ $# -lt 5 -o $# -gt 6 ]; then\n" " echo \"ERROR: $0 job-id user title copies options [file]\" >&2\n" " exit 1\n" "fi\n" "\n" "# Read from given file\n" "if [ -n \"$6\" ]; then\n" " exec \"$0\" \"$1\" \"$2\" \"$3\" \"$4\" \"$5\" < \"$6\"\n" "fi\n" "\n" "extra_options=\"output-format=%s make-and-model=%s\"\n" "\n" "%s/filter/pdftoippprinter \"$1\" \"$2\" \"$3\" \"$4\" \"$5 $extra_options\"\n", p->name, pdl, make_model, cups_serverbin); The above shell script is then passed to the CUPS server. To be vulnerable, a remote host must have the "CreateIPPPrinterQueues Yes" directive in /etc/cups/cups-browsed.conf. That setting does not appear to be the default. A possible fix would be to apply the following patch to utils/cups-browsed.c (diff against version 1.0.62): @@ -635,6 +635,7 @@ str[i] == '.' || str[i] == ','))) { /* Allowed character, keep it */ havedash = 0; + str[j] = str[i]; } else { /* Replace all other characters by a single '-' */ if (havedash == 1)
Thank you very much for this very detailed bug report. Fixed in BZR rev. 7333.