Comment 2 for bug 298241

no problem. thanks!

On Wed, Nov 19, 2008 at 6:59 PM, Kees Cook <email address hidden> wrote:
> ** Visibility changed to: Public
>
> --
> Apple CUPS Daemon: unauthenticated SIGSEGV crash via RSS subscriptions
> https://bugs.launchpad.net/bugs/298241
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in "cups" source package in Ubuntu: New
>
> Bug description:
> Binary package hint: cups
>
> The CUPS daemon (/usr/sbin/cupsd) which listens by default on port 631/tcp, crashes when more than 100 RSS Subscriptions are added. No authentication is required to perform such action. The caveat is that by default - at least on Ubuntu and openSuse - the daemon only accepts connections from localhost as specified by the default configuration settings (/etc/cups/cupsd.conf). However, the attack can be of remote nature by tricking the victim user to visit a specially-crafted page. Such page would forge the 'add rss subscription' request 101 times which causes the CUPS daemon to crash.
>
> The CUPS daemon runs by default on Ubuntu, openSuse and probably other GNU/Linux distributions. Additionally, this vulnerability can be replicated against CUPS daemons using default settings. Since no authentication is required to add new RSS subscriptions, the CUPS administrator does not need to be logged in during exploitation.
>
> It is not known whether the crash can lead to command execution, further debugging/investigation is required. However, the daemon runs as root on both Ubuntu and openSuse (and probably other distributions), which means that given that command execution is possible, this bug would lead to a full compromise of the targeted system.
>
> _Please see the attached file for more details._
>

--
Adrian 'pagvac' Pastor | GNUCITIZEN | gnucitizen.org
PGP Key ID: 0x6B232C7C