From dm@home3.dinoex.sub.de  Fri Jun 18 17:13:33 2010
Return-Path: <dm@home3.dinoex.sub.de>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9F003106566B
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 18 Jun 2010 17:13:33 +0000 (UTC)
	(envelope-from dm@home3.dinoex.sub.de)
Received: from uucp.dinoex.sub.de (uucp.dinoex.sub.de [194.45.71.2])
	by mx1.freebsd.org (Postfix) with ESMTP id DAEA08FC17
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 18 Jun 2010 17:13:32 +0000 (UTC)
Received: from home3.dinoex.sub.de (home3.dinoex.sub.de [194.45.71.20])
	by uucp.dinoex.sub.de (8.14.4/8.14.2) with ESMTP id o5IHD4Gs087799
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 18 Jun 2010 19:13:20 +0200 (CEST)
	(envelope-from dm@home3.dinoex.sub.de)
Received: (from dm@localhost)
	by home3.dinoex.sub.de (8.14.4/8.14.4/Submit) id o5IHD6Ex043188;
	Fri, 18 Jun 2010 19:13:06 +0200 (CEST)
	(envelope-from dm)
Message-Id: <201006181713.o5IHD6Ex043188@home3.dinoex.sub.de>
Date: Fri, 18 Jun 2010 19:13:06 +0200 (CEST)
From: dirk.meyer@dinoex.sub.org
Reply-To: dirk.meyer@dinoex.sub.org
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: print/cups-base CVE-2010-0302
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         147978
>Category:       ports
>Synopsis:       print/cups-base CVE-2010-0302
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    dinoex
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 18 17:20:03 UTC 2010
>Closed-Date:    Sat Jun 19 14:28:27 CEST 2010
>Last-Modified:  Sat Jun 19 14:28:27 CEST 2010
>Originator:     Dirk Meyer
>Release:        FreeBSD 8.1-PRERELEASE
>Organization:
privat
>Environment:

>Description:

Use-after-free vulnerability in the abstract file-descriptor handling
interface in the cupsdDoSelect function in scheduler/select.c in the
scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when kqueue
or epoll is used, allows remote attackers to cause a denial of service
(daemon crash or hang) via a client disconnection during listing of a
large number of print jobs, related to improperly maintaining a
reference count. NOTE: some of these details are obtained from third
party information. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2009-3553.

http://www.cups.org/articles.php?L596
http://secunia.com/advisories/cve_reference/CVE-2010-0302/

	The code of the shared libs is not affected.
	Therefore the fix is not urgent.
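A constructed model of the dispatch logic that patch a) below changes, added here and not code from CUPS or from this PR: one loop pass in which the read callback closes the client and parks its fd, after which the write callback is attempted with and without the inactive-list guard. It assumes, as the added cupsArrayFind check implies, that removing an fd parks its record without decrementing the use count; the names fd_rec_t, inactive_fds, remove_select and dispatch are invented for the model.

```c
/* Constructed model of the cupsdDoSelect dispatch pattern; not CUPS code. */
#include <stdbool.h>

typedef struct client { bool closed; } client_t;   /* stand-in for a cupsd client */

typedef struct fd_rec {
  int       use;                       /* reference count held by the loop */
  client_t *data;                      /* argument handed to the callbacks */
  void    (*read_cb)(struct fd_rec *);
  void    (*write_cb)(struct fd_rec *);
} fd_rec_t;

static fd_rec_t *inactive_fds[8];      /* stand-in for cupsd_inactive_fds */
static int       n_inactive;
static int       writes_on_closed;     /* counts write_cb running after a close */

static bool in_inactive(const fd_rec_t *f) {
  for (int i = 0; i < n_inactive; i++)
    if (inactive_fds[i] == f) return true;
  return false;
}

/* Assumption modelled here: removing an fd parks its record on the
 * inactive list (the kernel may still report it) without dropping use. */
static void remove_select(fd_rec_t *f) { inactive_fds[n_inactive++] = f; }

/* Read callback: the peer hung up, so close the client and drop its fd.
 * "closed" stands in for the client memory being freed. */
static void on_read(fd_rec_t *f) { f->data->closed = true; remove_select(f); }

/* Write callback: touches the client to flush output; after a close this
 * is the use-after-free the CVE text describes. */
static void on_write(fd_rec_t *f) { if (f->data->closed) writes_on_closed++; }

/* One loop pass delivering READ and WRITE readiness for a single fd.
 * guarded == false: pre-patch test (fdptr->use > 1 only).
 * guarded == true:  adds the patch's !cupsArrayFind(inactive) check.
 * Returns how many times write_cb ran on a closed client (0 is correct). */
int dispatch(bool guarded) {
  client_t c = { false };
  fd_rec_t f = { 1, &c, on_read, on_write };
  n_inactive = 0;
  writes_on_closed = 0;
  f.use++;                             /* retain_fd() around the callbacks */
  if (f.read_cb) f.read_cb(&f);
  if (f.use > 1 && f.write_cb && (!guarded || !in_inactive(&f)))
    f.write_cb(&f);
  f.use--;                             /* release_fd() */
  return writes_on_closed;
}
```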

>How-To-Repeat:

	Update needs approval from portmgr@

>Fix:

	Please approve one of the patches below.

	a) small fix to fix the vulnerability

	b) update to 1.4.4
	Impact: dependent packages will need a rebuild,
	to have the new version number recorded in dependency.

a)
Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/print/cups-base/Makefile,v
retrieving revision 1.141
diff -u -r1.141 Makefile
--- Makefile	5 Jun 2010 19:53:31 -0000	1.141
+++ Makefile	18 Jun 2010 17:06:07 -0000
@@ -89,6 +89,7 @@
 PKGMESSAGE=	${NONEXISTENT}
 DESCR=		${MASTERDIR}/pkg-descr.image
 .else
+PORTREVISION=	1
 CONFLICTS+=	cupsddk-*
 CUPS_SUFFIX=	-base
 LIB_DEPENDS+=	cups.2:${PORTSDIR}/${PKGCATEGORY}/cups-client \
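Review bot: the PORTREVISION=1 bump is placed only in the .else branch, so the branch selected for the image slave port (the one using pkg-descr.image) keeps its revision; that is consistent with the PR's note that the shared libraries are unaffected and only cupsd, shipped by cups-base, changes. The new files/patch-CVE-2009-3553 is still applied when the slave port builds from the same source, so confirm it applies cleanly there as well.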
Index: files/patch-CVE-2009-3553
===================================================================
RCS file: files/patch-CVE-2009-3553
diff -N files/patch-CVE-2009-3553
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-CVE-2009-3553	18 Jun 2010 17:06:07 -0000
@@ -0,0 +1,36 @@
+From b6b656f4b431574069d5b17dc6d3d44910269bb9 Mon Sep 17 00:00:00 2001
+From: Tim Waugh <twaugh@redhat.com>
+Date: Wed, 3 Feb 2010 16:07:11 +0000
+Subject: [PATCH] More complete fix for CVE-2009-3553.
+
+---
+ scheduler/select.c |    6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/scheduler/select.c b/scheduler/select.c
+index 21a6edc..a2451a5 100644
+--- scheduler/select.c
++++ scheduler/select.c
+@@ -454,7 +454,8 @@ cupsdDoSelect(long timeout)		/* I - Timeout in seconds */
+     if (fdptr->read_cb && event->filter == EVFILT_READ)
+       (*(fdptr->read_cb))(fdptr->data);
+ 
+-    if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE)
++    if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE &&
++        !cupsArrayFind(cupsd_inactive_fds, fdptr))
+       (*(fdptr->write_cb))(fdptr->data);
+ 
+     release_fd(fdptr);
+@@ -500,7 +501,8 @@ cupsdDoSelect(long timeout)		/* I - Timeout in seconds */
+ 	  (*(fdptr->read_cb))(fdptr->data);
+ 
+ 	if (fdptr->use > 1 && fdptr->write_cb &&
+-	    (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)))
++            (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)) &&
++            !cupsArrayFind(cupsd_inactive_fds, fdptr))
+ 	  (*(fdptr->write_cb))(fdptr->data);
+ 
+ 	release_fd(fdptr);
+-- 
+1.6.6
+
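Review bot: the new `!cupsArrayFind(cupsd_inactive_fds, fdptr)` condition skips write_cb once the preceding read callback has parked fdptr on the inactive list, which the existing `fdptr->use > 1` test alone did not catch; it is added to the kqueue (EVFILT_WRITE) and epoll (EPOLLOUT | EPOLLERR | EPOLLHUP) branches only, matching the CVE text that limits the bug to those two back ends, so the select()/poll() paths are intentionally untouched. Style: the two added epoll lines are indented with spaces while the surrounding lines use tabs. The file is named after CVE-2009-3553 from the upstream subject line; the commit log should also cite CVE-2010-0302 so the port's security history stays searchable.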

b)
diff -ur --exclude=CVS --exclude=Makefile.local ./Makefile /usr/ports/current/cups-base/Makefile
--- ./Makefile	2010-06-18 19:05:30.000000000 +0200
+++ /usr/ports/current/cups-base/Makefile	2010-06-18 13:18:21.000000000 +0200
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	cups
-PORTVERSION=	1.4.3
+PORTVERSION=	1.4.4
 DISTVERSIONSUFFIX=	-source
 PORTREVISION=	0
 CATEGORIES=	print
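Review bot: PORTREVISION stays at 0 on the PORTVERSION bump, which is correct, but the sides of this diff are the reverse of the usual convention (./Makefile holds the 1.4.3 original and the /usr/ports/current path the 1.4.4 update, whose mtime of 13:18 is earlier), so check the direction before applying. If option b) is taken after option a) has landed, files/patch-CVE-2009-3553 should be removed at the same time, since b) is offered as a fix for the same vulnerability and the local patch would then be redundant or fail to apply.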
diff -ur --exclude=CVS --exclude=Makefile.local ./distinfo /usr/ports/current/cups-base/distinfo
--- ./distinfo	2010-04-02 05:47:19.000000000 +0200
+++ /usr/ports/current/cups-base/distinfo	2010-06-18 13:18:45.000000000 +0200
@@ -1,3 +1,3 @@
-MD5 (cups-1.4.3-source.tar.bz2) = e70b1c3f60143d7310c1d74c111a21ab
-SHA256 (cups-1.4.3-source.tar.bz2) = 47a559b1c50192b94479ae7dab132ea0008727045d4993501cf0a6df0c64db97
-SIZE (cups-1.4.3-source.tar.bz2) = 4461101
+MD5 (cups-1.4.4-source.tar.bz2) = 8776403ad60fea9e85eab9c04d88560d
+SHA256 (cups-1.4.4-source.tar.bz2) = d25ffa35add3abeeec0eba60be2cffc89425b649c64ef3a73dfc724683a59aa3
+SIZE (cups-1.4.4-source.tar.bz2) = 4472741
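Review bot: the checksums cannot be verified from the diff alone; before committing, regenerate distinfo with `make makesum` against a freshly fetched cups-1.4.4-source.tar.bz2 and compare the SHA256 line with the value published by the CUPS project, treating the MD5 line as informational only.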

>Release-Note:
>Audit-Trail:
Class-Changed-From-To: maintainer-update->change-request 
Class-Changed-By: edwin 
Class-Changed-When: Fri Jun 18 17:20:23 UTC 2010 
Class-Changed-Why:  
Fix category (submitter is not maintainer) (via the GNATS Auto Assign 
Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147978 
Responsible-Changed-From-To: freebsd-ports-bugs->dinoex 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Fri Jun 18 17:20:27 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147978 
Responsible-Changed-From-To: dinoex->portmgr 
Responsible-Changed-By: dinoex 
Responsible-Changed-When: Fri Jun 18 19:31:37 CEST 2010 
Responsible-Changed-Why:  
freeze, awaiting decision from portmgr 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147978 
Responsible-Changed-From-To: portmgr->dinoex 
Responsible-Changed-By: erwin 
Responsible-Changed-When: Fri Jun 18 20:37:21 UTC 2010 
Responsible-Changed-Why:  
Approved to fix the mentioned security vulnerabilities. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147978 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/147978: commit references a PR
Date: Sat, 19 Jun 2010 04:09:45 +0000 (UTC)

 dinoex      2010-06-19 04:09:32 UTC
 
   FreeBSD ports repository
 
   Modified files:
     print/cups-base      Makefile 
   Added files:
     print/cups-base/files patch-CVE-2009-3553 
   Log:
   - Security update to 1.4.4
   - Security fix for denial of service vulnerability
   Security: CVE-2009-3553
   Security: CVE-2010-0302
   PR:             147978
   Approved by:    portmgr (erwin)
   Feature safe:   yes
   
   Revision  Changes    Path
   1.142     +1 -0      ports/print/cups-base/Makefile
   1.1       +36 -0     ports/print/cups-base/files/patch-CVE-2009-3553 (new)
 
State-Changed-From-To: open->closed 
State-Changed-By: dinoex 
State-Changed-When: Sat Jun 19 14:28:03 CEST 2010 
State-Changed-Why:  
a) committed, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147978 
>Unformatted:
