foomatic-combo-xml Buffer Overflow

Bug #783603 reported by Emanuel Bronshtein
Affects: foomatic-db-engine (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: foomatic-db-engine

/usr/bin/foomatic-combo-xml writes data given by parameters to a fixed char[1024] with sprintf, which can trigger a buffer overflow.

test case:
emanuel@emanuel-desktop:/tmp$ foomatic-combo-xml -l `python -c "print 'A'*1007"`
*** buffer overflow detected ***: foomatic-combo-xml terminated
emanuel@emanuel-desktop:/tmp$ foomatic-combo-xml -p `python -c "print 'A'*244"` -d 1
*** buffer overflow detected ***: foomatic-combo-xml terminated
emanuel@emanuel-desktop:/tmp$ foomatic-combo-xml -p 1 -d `python -c "print 'A'*983"`
*** buffer overflow detected ***: foomatic-combo-xml terminated

the bug can be found at:
sprintf(printerfilename, "%s/db/source/printer/%s.xml",
        libdir, pid);
sprintf(driverfilename, "%s/db/source/driver/%s.xml",
        libdir, driver);
sprintf(optiondirname, "%s/db/source/opt",
        libdir);

sprintf(driverdirname, "%s/db/source/driver",
        libdir);
sprintf(printerdirname, "%s/db/source/printer",
        libdir);

sprintf(optionfilename, "%s/db/source/opt/%s",
        libdir, direntry->d_name);

fix:
replace sprintf with snprintf.
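As an added illustration (not code from the foomatic-db-engine project), the following C shows what the suggested fix should look like in practice: the same path-building pattern as the sprintf calls above, but through snprintf with its return value checked, so an over-long id is rejected rather than overflowing the 1024-byte buffer or being silently truncated into a wrong path. The helper name build_db_path, the libdir "/usr/share/foomatic" and the printer ids are constructed sample values, not values from the report.

```c
#include <stdio.h>
#include <string.h>

/* Same size as the fixed char[1024] buffers the report refers to. */
#define PATHLEN 1024

/* Build "<libdir>/db/source/<subdir>/<name><ext>" into out, or
 * "<libdir>/db/source/<subdir>" when name is NULL (the directory form).
 * Returns the length written, or -1 when the result would not fit in
 * outlen bytes.  Checking snprintf's return value is the part a bare
 * sprintf -> snprintf swap leaves out: snprintf alone never overflows,
 * but it silently truncates, and a truncated path is still a wrong path.
 * (build_db_path is a hypothetical helper written for this example.) */
int build_db_path(char *out, size_t outlen, const char *libdir,
                  const char *subdir, const char *name, const char *ext)
{
    int n;
    if (name == NULL)
        n = snprintf(out, outlen, "%s/db/source/%s", libdir, subdir);
    else
        n = snprintf(out, outlen, "%s/db/source/%s/%s%s",
                     libdir, subdir, name, ext);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';   /* never hand back a partial path */
        return -1;
    }
    return n;
}

/* Constructed sample: a normal printer id, as a setup tool would pass it. */
const char *demo_normal_printer_path(void)
{
    static char out[PATHLEN];
    if (build_db_path(out, sizeof out, "/usr/share/foomatic",
                      "printer", "HP-LaserJet_4", ".xml") < 0)
        return NULL;
    return out;
}

/* Constructed sample: a 1007-byte id, the length of the report's first
 * test argument.  The builder returns -1 instead of writing past the end
 * of the buffer. */
int demo_oversized_id(void)
{
    static char out[PATHLEN];
    char id[1008];
    memset(id, 'A', sizeof id - 1);
    id[sizeof id - 1] = '\0';
    return build_db_path(out, sizeof out, "/usr/share/foomatic",
                         "printer", id, ".xml");
}

int main(void)
{
    const char *p = demo_normal_printer_path();
    printf("normal id -> %s\n", p ? p : "(rejected)");
    printf("1007-byte id -> %d (rejected, no overflow)\n", demo_oversized_id());
    return 0;
}
```

The caller should treat -1 as a usage error and exit, which is the same outcome FORTIFY gives the unpatched sprintf calls (an abort rather than memory corruption), only now it is reported deliberately instead of by the runtime check.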

visibility: private → public
Kees Cook (kees)
security vulnerability: yes → no
Changed in foomatic-db-engine (Ubuntu):
status: New → Confirmed
Kees Cook (kees) wrote :

Thanks for the report! Since Ubuntu already uses FORTIFY[1], these are already snprintf, and result in just an abort instead of an exploitable overflow.

[1] https://wiki.ubuntu.com/CompilerFlags

Till Kamppeter (till-kamppeter) wrote :

The C accelerators foomatic-combo-xml and foomatic-perl-data will be removed in Foomatic 4.1.x (scheduled for Ubuntu 12.10). In addition, foomatic-ppdfile is usually not called manually by the user, and if a printer setup tool or CUPS calls it, it uses reasonable printer and driver names which never exceed 1024 characters, as does an admin who calls it. Therefore the crash will not appear in normal situations.

Closing ...

Changed in foomatic-db-engine (Ubuntu):
status: Confirmed → Won't Fix