buffer overflow in hpcups

Bug #474412 reported by Tim Waugh
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
HPLIP | Fix Released | Undecided | Unassigned |

Bug Description

The newly re-written hpcups in 3.9.10 just crashed for me with a buffer overflow.

All I did was create a queue from hpcups.drv (PPD attached) and print the test page to it. CUPS 1.4.1.

Marking as a security vulnerability as it may well have security implications.

prnt/hpcups/HPCupsFilter.cpp 272: DEBUG: actual_vertical_resolution = 600
prnt/hpcups/HPCupsFilter.cpp 321: HPCUPS: x_top = 150, y_top = 75, offset = 70
*** buffer overflow detected ***: 990C terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x347b0faae7]
/lib64/libc.so.6[0x347b0f8a50]
990C[0x40336f]
990C[0x403a9d]
990C[0x403e6b]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x347b01eb4d]
990C[0x401bd9]

Tim Waugh (twaugh) wrote :

Making public now, as it is already public here:
  https://bugzilla.redhat.com/show_bug.cgi?id=544297

visibility: private → public
js (solard3ity-deactivatedaccount-deactivatedaccount) wrote :

New Version hplip-3.9.12 in my repository, HP changelog says this bug is fixed.
Please try it out!

Link : https://launchpad.net/~solard3ity/+archive/official

Changed in hplip:
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
