__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                       INFORMATION BULLETIN

      Updated CUPS/PDF (and teTeX-bin) Packages Fix Security Issues
                          [RHSA-2004:543-15]

October 22, 2004 17:00 GMT                                    Number P-019
[REVISED 27 Oct 2004]
[REVISED 28 Oct 2004]
[REVISED 02 Nov 2004]
[REVISED 12 Nov 2004]
[REVISED 29 Nov 2004]
[REVISED 22 Feb 2005]
______________________________________________________________________________

PROBLEM:       There are several vulnerabilities in CUPS (also xpdf and
               teTeX):
               1) A number of integer overflow bugs that affect xpdf and
                  teTeX-bin;
               2) When set up to print to a shared printer via Samba, CUPS
                  would authenticate with the shared printer using a
                  username and password. By default, the username and
                  password used to connect to the Samba share is written
                  into the error log file.

PLATFORM:      Red Hat Desktop (v.3) & (v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1 and v.3) & (v. 4)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               SGI ProPack 3 Service Pack 1
               Debian GNU/Linux 3.0 (woody)

DAMAGE:        1) An attacker who has the ability to send a malicious PDF
                  file to a printer could cause CUPS to crash or possibly
                  execute arbitrary code;
               2) A local user who is able to read the error log file could
                  collect these usernames and passwords.

SOLUTION:      Upgrade to the appropriate packages.
______________________________________________________________________________

VULNERABILITY  The risk is LOW. A local attacker could disrupt the local
ASSESSMENT:    print service.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-019.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2004-543.html
 ADDITIONAL LINKS:
   - https://rhn.redhat.com/errata/RHSA-2004-592.html
   - SGI Security Advisory #20041004-01-U
     SGI Advanced Linux Environment 3 Security Update #16
     ftp://patches.sgi.com/support/free/security/advisories/20041004-01-U.asc
   - Debian Advisory DSA 581-1
     http://www.debian.org/security/2004/dsa-581
   - Debian Advisory DSA 599-1 (teTeX-bin packages)
     http://www.debian.org/security/2004/dsa-599
   - SGI Security Advisory #20041102-01-U
     SGI Advanced Linux Environment 3 Security Update #17
     http://www.sgi.com/support/security/advisories.html
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0888
                     CAN-2004-0923
______________________________________________________________________________

REVISION HISTORY:
 10/27/2004 - Added link to RHSA-2004:592-07 providing updated xpdf
              packages for Red Hat Enterprise Linux AS, ES, WS v.2.1 and
              Red Hat Linux Advanced Workstation 2.1 for the Itanium
              Processors.
 10/28/2004 - Added a link to SGI Security Advisory 20041004-01-U that
              provides Patch 10112 for SGI ProPack 3 Service Pack 1
              addressing this vulnerability.
 11/02/2004 - Added link to Debian Security Advisory 581 for their update
              information.
 11/12/2004 - Added a link to SGI Security Advisory #20041102-01-U, SGI
              Advanced Linux Environment 3 Security Update #17 for Patch
              10117 for SGI ProPack 3 Service Pack 1.
 11/29/2004 - Added link to Debian Advisory DSA-599-1 for teTeX-bin
              updated packages.
 02/22/2005 - Added a link to Red Hat Security Advisory RHSA-2005:066-12
              for Red Hat Desktop (v. 4) and Red Hat Enterprise Linux AS,
              ES, WS (v. 4).

[***** Start RHSA-2004:543-15 *****]

Updated CUPS packages fix security issues

Advisory:          RHSA-2004:543-15
Last updated on:   2004-10-22
Affected Products: Red Hat Desktop (v. 3)
                   Red Hat Enterprise Linux AS (v. 3)
                   Red Hat Enterprise Linux ES (v. 3)
                   Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org):
                   CAN-2004-0888
                   CAN-2004-0923

Security Advisory

Details:

Updated cups packages that fix denial of service issues, a security
information leak, as well as other various bugs are now available.

The Common UNIX Printing System (CUPS) is a print spooler.

During a source code audit, Chris Evans discovered a number of integer
overflow bugs that affect xpdf. CUPS contains a copy of the xpdf code used
for parsing PDF files and is therefore affected by these bugs. An attacker
who has the ability to send a malicious PDF file to a printer could cause
CUPS to crash or possibly execute arbitrary code. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0888 to
this issue.

When set up to print to a shared printer via Samba, CUPS would authenticate
with that shared printer using a username and password. By default, the
username and password used to connect to the Samba share is written into the
error log file. A local user who is able to read the error log file could
collect these usernames and passwords. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0923 to
this issue.

These updated packages also include a fix that prevents some CUPS
configuration files from being accidentally replaced.

All users of CUPS should upgrade to these updated packages, which resolve
these issues.

Updated packages:

Red Hat Desktop (v. 3)
--------------------------------------------------------------------------------
AMD64:
cups-1.1.17-13.3.16.x86_64.rpm        2909c8b13ebabafe4f9832e571452226
cups-devel-1.1.17-13.3.16.x86_64.rpm  351a15fe066f9650c293d91d5edca0d8
cups-libs-1.1.17-13.3.16.x86_64.rpm   d3dddda473fe262daea7770ad1c6b6b2
SRPMS:
cups-1.1.17-13.3.16.src.rpm           5115ddbfb412786152b559c645008d04
i386:
cups-1.1.17-13.3.16.i386.rpm          ba0ce8b3a0e6f96f65e805b18abb9710
cups-devel-1.1.17-13.3.16.i386.rpm    15cc19fff26090f2ac2a3ae9fe8edade
cups-libs-1.1.17-13.3.16.i386.rpm     f9c322a11ba0b571dd986dac596fe9e3

Red Hat Enterprise Linux AS (v. 3)
--------------------------------------------------------------------------------
AMD64:
cups-1.1.17-13.3.16.x86_64.rpm        2909c8b13ebabafe4f9832e571452226
cups-devel-1.1.17-13.3.16.x86_64.rpm  351a15fe066f9650c293d91d5edca0d8
cups-libs-1.1.17-13.3.16.x86_64.rpm   d3dddda473fe262daea7770ad1c6b6b2
SRPMS:
cups-1.1.17-13.3.16.src.rpm           5115ddbfb412786152b559c645008d04
i386:
cups-1.1.17-13.3.16.i386.rpm          ba0ce8b3a0e6f96f65e805b18abb9710
cups-devel-1.1.17-13.3.16.i386.rpm    15cc19fff26090f2ac2a3ae9fe8edade
cups-libs-1.1.17-13.3.16.i386.rpm     f9c322a11ba0b571dd986dac596fe9e3
ia64:
cups-1.1.17-13.3.16.ia64.rpm          c8b90a470b68b58fed2e82e570f5ee92
cups-devel-1.1.17-13.3.16.ia64.rpm    e6eac12d4a04cc3f2f78d5bcf04b3225
cups-libs-1.1.17-13.3.16.ia64.rpm     ca472cbe2195dbc118ccfbc05644da0f
ppc:
cups-1.1.17-13.3.16.ppc.rpm           e6c4b39d457d9b9877fe95b6fe1dbec4
cups-devel-1.1.17-13.3.16.ppc.rpm     d7a9f13c7cc6c53322c66548ad8c76de
cups-libs-1.1.17-13.3.16.ppc.rpm      1c0013991559da5dcdff753e0fa29fed
ppc64:
cups-libs-1.1.17-13.3.16.ppc64.rpm    2d58c7b4af3581b720c315d4acc88caa
s390:
cups-1.1.17-13.3.16.s390.rpm          3f8e4d1f0acb1e63cacb04a31d33be7e
cups-devel-1.1.17-13.3.16.s390.rpm    9f65609293cab71c27bab23b4766e376
cups-libs-1.1.17-13.3.16.s390.rpm     9b3323c103753b3c97ac6543f73113f1
s390x:
cups-1.1.17-13.3.16.s390x.rpm         9276fbed4537149de825126e43165244
cups-devel-1.1.17-13.3.16.s390x.rpm   276335bb8d2b6b204ce69c478d708f85
cups-libs-1.1.17-13.3.16.s390x.rpm    56bedea0c9cbabdc50d2f4a1fdf63389

Red Hat Enterprise Linux ES (v. 3)
--------------------------------------------------------------------------------
AMD64:
cups-1.1.17-13.3.16.x86_64.rpm        2909c8b13ebabafe4f9832e571452226
cups-devel-1.1.17-13.3.16.x86_64.rpm  351a15fe066f9650c293d91d5edca0d8
cups-libs-1.1.17-13.3.16.x86_64.rpm   d3dddda473fe262daea7770ad1c6b6b2
SRPMS:
cups-1.1.17-13.3.16.src.rpm           5115ddbfb412786152b559c645008d04
i386:
cups-1.1.17-13.3.16.i386.rpm          ba0ce8b3a0e6f96f65e805b18abb9710
cups-devel-1.1.17-13.3.16.i386.rpm    15cc19fff26090f2ac2a3ae9fe8edade
cups-libs-1.1.17-13.3.16.i386.rpm     f9c322a11ba0b571dd986dac596fe9e3
ia64:
cups-1.1.17-13.3.16.ia64.rpm          c8b90a470b68b58fed2e82e570f5ee92
cups-devel-1.1.17-13.3.16.ia64.rpm    e6eac12d4a04cc3f2f78d5bcf04b3225
cups-libs-1.1.17-13.3.16.ia64.rpm     ca472cbe2195dbc118ccfbc05644da0f

Red Hat Enterprise Linux WS (v. 3)
--------------------------------------------------------------------------------
AMD64:
cups-1.1.17-13.3.16.x86_64.rpm        2909c8b13ebabafe4f9832e571452226
cups-devel-1.1.17-13.3.16.x86_64.rpm  351a15fe066f9650c293d91d5edca0d8
cups-libs-1.1.17-13.3.16.x86_64.rpm   d3dddda473fe262daea7770ad1c6b6b2
SRPMS:
cups-1.1.17-13.3.16.src.rpm           5115ddbfb412786152b559c645008d04
i386:
cups-1.1.17-13.3.16.i386.rpm          ba0ce8b3a0e6f96f65e805b18abb9710
cups-devel-1.1.17-13.3.16.i386.rpm    15cc19fff26090f2ac2a3ae9fe8edade
cups-libs-1.1.17-13.3.16.i386.rpm     f9c322a11ba0b571dd986dac596fe9e3
ia64:
cups-1.1.17-13.3.16.ia64.rpm          c8b90a470b68b58fed2e82e570f5ee92
cups-devel-1.1.17-13.3.16.ia64.rpm    e6eac12d4a04cc3f2f78d5bcf04b3225
cups-libs-1.1.17-13.3.16.ia64.rpm     ca472cbe2195dbc118ccfbc05644da0f

(The unlinked packages above are only available from the Red Hat Network)

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command:

  up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

  http://www.redhat.com/docs/manuals/enterprise/

Bugs fixed: (see bugzilla for more information)

  132034 - mime.types was updated - not copied to mime.types.rpmnew
  134599 - CAN-2004-0923 Log file information disclosure
  135378 - CAN-2004-0888 xpdf issues affect cups
   99461 - cups configuration

References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0923

--------------------------------------------------------------------------------

The listed packages are GPG signed by Red Hat, Inc. for security.
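The log-file leak (CAN-2004-0923) is a case of a secret being carried in a URI and then copied verbatim into a diagnostic message. The following is an added example, not CUPS code and not part of the Red Hat advisory: it strips the userinfo part of a device URI before it is logged, and it scans existing error-log lines for URIs that still carry credentials so an administrator can find what has already been exposed. The smb://USER:PASSWORD@SERVER/SHARE URI shape and the error_log lines are constructed for the demo; the bulletin does not quote either.

```python
"""Redact credentials from device URIs and find ones already leaked in a log.

Added example; not CUPS code. Assumes a Samba printer is addressed with a
device URI of the form smb://USER:PASSWORD@SERVER/SHARE (an assumption; the
advisory only says a username and password are used and are logged).
"""
import re
from urllib.parse import urlsplit, urlunsplit

# scheme://userinfo@ ... the userinfo may itself contain ':' or '@' (the
# last '@' before the first '/' ends it, matching urlsplit's rpartition rule)
_USERINFO_URI = re.compile(r"(\b[a-z][a-z0-9+.-]*://)[^\s/]+@", re.IGNORECASE)


def redact_uri(uri: str) -> str:
    """Return uri with 'user:password@' replaced by '[redacted]@'.

    URIs without userinfo are returned unchanged; host, port, path and
    query survive so the log line stays useful for troubleshooting."""
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return uri
    host = parts.netloc.rpartition("@")[2]  # keep host[:port] as written
    return urlunsplit((parts.scheme, "[redacted]@" + host,
                       parts.path, parts.query, parts.fragment))


def redact_line(line: str) -> str:
    """Redact every credential-bearing URI embedded in a free-text log line."""
    return _USERINFO_URI.sub(r"\1[redacted]@", line)


def find_credential_leaks(log_lines):
    """Return [(line_number, redacted_line)] for lines that expose userinfo.

    This is the detection half: run it over a pre-fix error_log to learn
    which credentials must be rotated; the returned text is already
    redacted so the report itself does not repeat the secret."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        if _USERINFO_URI.search(line):
            hits.append((number, redact_line(line)))
    return hits


# Constructed sample in the general layout of a CUPS error_log; the
# timestamps, job ids, host names and secret are made up for this demo.
SAMPLE_ERROR_LOG = [
    "I [22/Oct/2004:09:58:01 +0000] Started filter /usr/lib/cups/filter/pstops (PID 2171)",
    "E [22/Oct/2004:09:58:02 +0000] [Job 42] Unable to connect to smb://printuser:s3cret@fileserver/laserjet",
    "I [22/Oct/2004:09:58:03 +0000] [Job 43] Sending job to socket://10.0.0.7:9100",
]

if __name__ == "__main__":
    for number, text in find_credential_leaks(SAMPLE_ERROR_LOG):
        print(f"line {number}: {text}")
```

The second function is what a defender runs after patching: the fix stops new credentials from being written, but anything already in the log has to be treated as disclosed and rotated, and the error log itself should not be world-readable in the first place.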
Our key is available at:

  http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following
command:

  rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

  md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

[***** End RHSA-2004:543-15 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC.
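The advisory publishes one MD5 sum per package and tells the reader to compare it with "md5sum filename" by hand. As an added example, not Red Hat or CIAC tooling, the script below automates that comparison for a whole download directory: it parses a listing in the advisory's own "<filename> <md5>" layout (heading and separator lines are skipped), hashes each local file, and reports ok / MISMATCH / missing per package. The files and sums in the demo are constructed, not the advisory's packages.

```python
"""Verify downloaded packages against the MD5 sums published in an advisory.

Added example; not Red Hat or CIAC tooling. The listing format is the
advisory's own ("<filename> <32-hex md5>" per line); everything else in the
text, such as "AMD64:" headings, is ignored.
"""
import hashlib
import os
import tempfile

_HEX = set("0123456789abcdef")


def parse_listing(text: str) -> dict:
    """Map filename -> expected md5 (lower-case) from advisory-style lines."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[1]) == 32 and set(parts[1].lower()) <= _HEX:
            sums[parts[0]] = parts[1].lower()
    return sums


def md5_of_file(path: str) -> str:
    """Hash a file in chunks so large RPMs are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_directory(listing_text: str, directory: str) -> dict:
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every listed file."""
    report = {}
    for name, expected in parse_listing(listing_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif md5_of_file(path) == expected:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report


def demo() -> dict:
    """Constructed scenario: one intact file, one altered file, one absent.

    The sums below are md5('abc') and md5(''), used here as stand-ins for
    an advisory's published values."""
    listing = (
        "i386:\n"
        "good.rpm      900150983cd24fb0d6963f7d28e17f72\n"
        "tampered.rpm  900150983cd24fb0d6963f7d28e17f72\n"
        "absent.rpm    d41d8cd98f00b204e9800998ecf8427e\n"
    )
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "good.rpm"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(workdir, "tampered.rpm"), "wb") as f:
            f.write(b"abd")  # one byte changed after download
        return verify_directory(listing, workdir)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

A matching MD5 only shows the file is the one the advisory text describes; as the advisory itself notes, rpm --checksig against the Red Hat key is the check that the package, and by extension the advisory's listing, actually came from Red Hat.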
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed herein
do not necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or
product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-009: Microsoft Excel Vulnerability Could Allow Remote Code Execution
P-010: Microsoft Compressed (Zipped) Folders Vulnerability
P-011: Microsoft Vulnerability in NetDDE Could Allow Remote Code Execution (841533)
P-012: Microsoft Vulnerability in NNTP Could Allow Remote Code Execution (883935)
P-013: Macromedia JRun Server Vulnerabilities
P-014: CUPS Information Leak
P-015: Libtiff Vulnerabilities
P-016: Sun FTP Daemon of Heimdal is Vulnerable to Race Conditions
P-017: Sun Security Vulnerability When Using LDAP in Conjunction with RBAC
P-018: Red Hat Update MySQL Packages Fix Security Issues and Bugs