diff options
| author | Jacques Vidrine <nectar@FreeBSD.org> | 2005-01-17 13:42:10 +0000 |
|---|---|---|
| committer | Jacques Vidrine <nectar@FreeBSD.org> | 2005-01-17 13:42:10 +0000 |
| commit | 1affd53e40034159137c68ef8db7265c14570482 (patch) | |
| tree | 5d8d8c372cf8ebd2fd3633319a3b52e8a7362931 /security | |
| parent | - Update to 0.6.8 (diff) | |
Regarding CUPS lppasswd entry: Add the CVE names for each issue inline
with the excerpt from Bernstein's message. Note that the third issue
does not effect users of FreeBSD 4.6 or later.
Notes
Notes:
svn path=/head/; revision=126641
Diffstat (limited to 'security')
| -rw-r--r-- | security/vuxml/vuln.xml | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 2158c36f68a2..060fc77ac836 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -45,17 +45,20 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <body xmlns="http://www.w3.org/1999/xhtml"> <p>D. J. Bernstein reports that Bartlomiej Sieka has discovered several security vulnerabilities in lppasswd, - which is part of CUPS:</p> + which is part of CUPS. In the following excerpt from + Bernstein's email, CVE names have been added for each issue:</p> <blockquote cite="http://tigger.uic.edu/~jlongs2/holes/cups2.txt"> <p>First, lppasswd blithely ignores write errors in fputs(line,outfile) at lines 311 and 315 of lppasswd.c, and in fprintf(...) at line 346. An attacker who fills up the disk at the right moment can arrange for - /usr/local/etc/cups/passwd to be truncated.</p> + /usr/local/etc/cups/passwd to be truncated. + <em>(CAN-2004-1268)</em></p> <p>Second, if lppasswd bumps into a file-size resource limit while writing passwd.new, it leaves passwd.new in place, disabling all subsequent invocations of lppasswd. Any - local user can thus disable lppasswd...</p> + local user can thus disable lppasswd... + <em>(CAN-2004-1269)</em></p> <p>Third, line 306 of lppasswd.c prints an error message to stderr but does not exit. This is not a problem on systems that ensure that file descriptors 0, 1, and 2 are open for @@ -63,8 +66,12 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. lppasswd does not check that passwd.new is different from stderr, so it ends up writing a user-controlled error message to passwd if the user closes file descriptor - 2.</p> + 2. <em>(CAN-2004-1270)</em></p> </blockquote> + <p><strong>Note:</strong> The third issue, CAN-2004-1270, does + not affect FreeBSD 4.6-RELEASE or later systems, as these + systems ensure that the file descriptors 0, 1, and 2 are + always open for set-user-ID and set-group-ID programs.</p> </body> </description> <references> |