Debian Bug report logs - #284501
/usr/sbin/cupsd: Denial of service via UDP socket


Package: cupsys; Maintainer for cupsys is (unknown);

Reported by: Colin Phipps <cph@cph.demon.co.uk>

Date: Mon, 6 Dec 2004 20:48:05 UTC

Severity: normal

Tags: patch, security

Found in version 1.1.20final+rc1-10

Done: Martin Pitt <mpitt@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Kenshi Muto <kmuto@debian.org>:
Bug#284501; Package cupsys.

Acknowledgement sent to Colin Phipps <cph@cph.demon.co.uk>:
New Bug report received and forwarded. Copy sent to Kenshi Muto <kmuto@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Colin Phipps <cph@cph.demon.co.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/sbin/cupsd: Denial of service via UDP socket
Date: Mon, 6 Dec 2004 20:39:26 +0000
Package: cupsys
Version: 1.1.20final+rc1-10
Severity: normal
File: /usr/sbin/cupsd
Tags: security patch

Linux select(2) is not POSIX compliant; select can report that a socket
has data to read when it does not. This is so in kernel series 2.6.x and
possibly earlier versions. If an application wants non-blocking
behaviour on Linux, it must set O_NONBLOCK on the file handle. See the
thread on LKML <http://marc.theaimsgroup.com/?t=109707457000003&r=7> .

select can return true but there is no data available if e.g. a packet
with a bad checksum is received from the network. So cupsd can be easily
hung by sending a UDP packet with a bad checksum to UDP port 631:

(from a remote machine)
# hping2 -2 -c 1 -p 631 -b -d 4 <target-machine>

and cupsd does:
select(1024, [0 2 3], [], NULL, {31, 0}) = 1 (in [2], left {8, 913000})
recvfrom(2, 

...and hangs, waiting for data that isn't there. It can then be easily
checked that cupsd is completely unresponsive, and remains so until a
UDP packet is received or the service is restarted.

If cupsd wants not to block on UDP traffic, it should mark the UDP
socket as non-blocking:

--- cupsys-1.1.20final+rc1/scheduler/dirsvc.c	2004-05-27 19:04:32.000000000 +0100
+++ cupsys-1.1.20final+rc1-cph1/scheduler/dirsvc.c	2004-12-06 20:31:14.000000000 +0000
@@ -776,6 +776,29 @@ StartBrowsing(void)
       return;
     }
 
+    /* cph 2004/12/06 - set non-blocking, we want to use multiplex using select(2) and must never get stuck reading this socket. */
+    {
+      int flags = fcntl(BrowseSocket, F_GETFL);
+      if (flags != -1) {
+        flags |= O_NONBLOCK;
+	flags = fcntl(BrowseSocket, F_SETFL, flags);
+      }
+      if (flags == -1) {
+        LogMessage(L_ERROR, "StartBrowsing: Unable to set non-blocking mode - %s.",
+        	 strerror(errno));
+
+#ifdef WIN32
+	closesocket(BrowseSocket);
+#else
+	close(BrowseSocket);
+#endif /* WIN32 */
+
+	BrowseSocket    = -1;
+	BrowseProtocols &= ~BROWSE_CUPS;
+	return;
+      }
+    }
+
    /*
     * Bind the socket to browse port...
     */
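Review bot: the new fcntl()/O_NONBLOCK block is not guarded for the WIN32 build, yet its own failure branch calls closesocket() under #ifdef WIN32; fcntl() and O_NONBLOCK are POSIX, not Win32, so wrap the whole block in #ifndef WIN32 (or give the WIN32 branch its own way of setting non-blocking mode) so the file still compiles there. Minor: the line `flags = fcntl(BrowseSocket, F_SETFL, flags);` and the strerror() continuation line are tab-indented while the surrounding new lines use spaces; match the file's existing style. Reusing `flags` for the F_SETFL return value so that a single `flags == -1` test covers both fcntl() calls works because F_SETFL returns 0 on success, but a one-line comment saying so would spare the next reader a double take.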
@@ -1127,7 +1150,7 @@ UpdateCUPSBrowse(void)
     * error here and ignore it for now...
     */
 
-    if (errno != ECONNREFUSED)
+    if (errno != ECONNREFUSED && errno != EAGAIN)
     {
       LogMessage(L_ERROR, "Browse recv failed - %s.", strerror(errno));
       LogMessage(L_ERROR, "Browsing turned off.");
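Review bot: now that the socket is non-blocking, a spurious select() wakeup makes recv() fail with EAGAIN, so adding it to the ignored errors is the necessary companion to the first hunk; POSIX allows EWOULDBLOCK to be a value distinct from EAGAIN, so the condition should read `errno != ECONNREFUSED && errno != EAGAIN && errno != EWOULDBLOCK` for portability (the two are equal on Linux, which is why limited testing there would not show a difference). Since the submitter notes the error path was not exercised, a test that forces EAGAIN (a recv() on the empty non-blocking socket) would confirm that browsing stays enabled instead of being turned off.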

(given only limited testing, to verify that it fixes the bug - I haven't
verified the error path.)

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1-cph2
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages cupsys depends on:
ii  adduser               3.59               Add and remove users and groups
ii  debconf               1.4.30.10          Debian configuration management sy
ii  gs-esp                7.07.1-9           The Ghostscript PostScript interpr
ii  libc6                 2.3.2.ds1-18       GNU C Library: Shared libraries an
ii  libcupsimage2         1.1.20final+rc1-10 Common UNIX Printing System(tm) - 
ii  libcupsys2-gnutls10   1.1.20final+rc1-10 Common UNIX Printing System(tm) - 
ii  libgcc1               1:3.4.2-2          GCC support library
ii  libgnutls11           1.0.16-9           GNU TLS library - runtime library
ii  libpam0g              0.76-22            Pluggable Authentication Modules l
ii  libpaper1             1.1.14-3           Library for handling paper charact
ii  libslp1               1.0.11-7           OpenSLP libraries
ii  patch                 2.5.9-2            Apply a diff file to an original
ii  zlib1g                1:1.2.2-3          compression library - runtime

-- debconf information:
  cupsys/raw-print: true
  cupsys/backend: ipp, lpd, parallel, socket, usb

-- 
Colin Phipps <cph@cph.demon.co.uk>
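The non-blocking recvfrom pattern that the report's patch applies, as an added example that is not code from the bug report or from CUPS; the function names (set_nonblocking, drain_datagrams, wait_readable, run_nonblocking_demo) and the loopback UDP fixture are my own assumptions, and it needs a POSIX socket stack such as Linux.

```c
/* Added example, not code from the bug report or CUPS (function names are my
 * own): the defensive pattern the patch applies. A select(2)-multiplexed UDP
 * socket set O_NONBLOCK makes a spurious wakeup return EAGAIN, not hang. */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>

/* Same steps as the patch: F_GETFL, OR in O_NONBLOCK, F_SETFL. 0 or -1. */
int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    return flags == -1 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Read every queued datagram and return how many (-1 on a real error).
 * EAGAIN/EWOULDBLOCK just means "nothing there, go back to select()". */
int drain_datagrams(int fd)
{
    char buf[1500]; int count = 0;
    for (;;) {
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, NULL, NULL);
        if (n >= 0) { count++; continue; }
        if (errno == EAGAIN || errno == EWOULDBLOCK) return count;
        if (errno != EINTR) return -1;
    }
}

/* select() with a timeout, as cupsd does; 1 if readable, 0 on timeout. */
int wait_readable(int fd, int secs)
{
    fd_set rd; struct timeval tv = { secs, 0 };
    FD_ZERO(&rd); FD_SET(fd, &rd);
    return select(fd + 1, &rd, NULL, NULL, &tv) > 0;
}

/* Constructed fixture on 127.0.0.1: (a) an empty non-blocking socket drains 0
 * instead of hanging, (b) two self-sent datagrams drain as 2. 0 = success. */
int run_nonblocking_demo(void)
{
    struct sockaddr_in sa = { 0 }; socklen_t len = sizeof sa; int i, ok;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == -1) return -1;
    sa.sin_family = AF_INET; sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == -1 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) == -1 ||
        set_nonblocking(fd) == -1) { close(fd); return -1; }
    ok = drain_datagrams(fd) == 0;                /* (a): EAGAIN, no hang */
    for (i = 0; i < 2; i++)
        sendto(fd, "browse", 6, 0, (struct sockaddr *)&sa, sizeof sa);
    ok = ok && wait_readable(fd, 2) && drain_datagrams(fd) == 2;  /* (b) */
    close(fd); return ok ? 0 : 1;
}
```

Step (a) is the point of the report: with a blocking socket the same recvfrom() would sit there exactly as the strace above shows, whereas here it returns immediately with EAGAIN and the loop goes back to select().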



Information forwarded to debian-bugs-dist@lists.debian.org, Kenshi Muto <kmuto@debian.org>:
Bug#284501; Package cupsys.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Kenshi Muto <kmuto@debian.org>.

Message #10 received at 284501@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Colin Phipps <cph@cph.demon.co.uk>
Cc: 284501@bugs.debian.org
Subject: Re: Bug#284501: /usr/sbin/cupsd: Denial of service via UDP socket
Date: Tue, 07 Dec 2004 16:31:19 +0100
* Colin Phipps:

> Linux select(2) is not POSIX compliant; select can report that a socket
> has data to read when it does not. This is so in kernel series 2.6.x and
> possibly earlier versions. If an application wants non-blocking
> behaviour on Linux, it must set O_NONBLOCK on the file handle. See the
> thread on LKML <http://marc.theaimsgroup.com/?t=109707457000003&r=7> .

This should be fixed in the kernel.  Patching each application
individually is not the right thing to do.



Information forwarded to debian-bugs-dist@lists.debian.org, Kenshi Muto <kmuto@debian.org>:
Bug#284501; Package cupsys.

Acknowledgement sent to Colin Phipps <cph@cph.demon.co.uk>:
Extra info received and forwarded to list. Copy sent to Kenshi Muto <kmuto@debian.org>.

Message #15 received at 284501@bugs.debian.org:

From: Colin Phipps <cph@cph.demon.co.uk>
To: Florian Weimer <fw@deneb.enyo.de>, 284501@bugs.debian.org
Subject: Re: Bug#284501: /usr/sbin/cupsd: Denial of service via UDP socket
Date: Tue, 7 Dec 2004 21:09:05 +0000
On Tue, Dec 07, 2004 at 04:31:19PM +0100, Florian Weimer wrote:
> * Colin Phipps:
> > Linux select(2) is not POSIX compliant; select can report that a socket
> > has data to read when it does not. This is so in kernel series 2.6.x and
> > possibly earlier versions. If an application wants non-blocking
> > behaviour on Linux, it must set O_NONBLOCK on the file handle. See the
> > thread on LKML <http://marc.theaimsgroup.com/?t=109707457000003&r=7> .
> 
> This should be fixed in the kernel.  Patching each application
> individually is not the right thing to do.

This is the kernel's deliberately chosen and documented behaviour (see
the O_NONBLOCK comment in select(2) (from the latest manpages) and
considerable discussion on LKML). It's not a question of a fix, since
the existing behaviour is reasonable, even if it's not convenient for
some applications. Debian is a Linux distribution, so its applications
should be written to Linux's documented API.

If you want the Linux select behaviour changed, try asking LKML. I,
amongst others, have asked that the behaviour be introduced only after
applications were fixed, but we were rebuffed. In any case since both
2.6.x and most of 2.4.x behave this way, this behaviour will be around
for a while even if they were persuaded to change it.

For some applications it makes a difference - some applications rely on
doing select to multiplex among multiple sockets which are then read
synchronously. As far as I can tell cups does not have this problem - it
is only interested in reading UDP packets when they arrive, it never
wants to wait only for UDP packets - so it can just use O_NONBLOCK for
its UDP socket and it gets the exact behaviour it wants.

For arguments in favour both of the behaviour and of applications
supporting it, see from that thread:
http://marc.theaimsgroup.com/?l=linux-kernel&m=109717818710529&w=2
http://marc.theaimsgroup.com/?l=linux-kernel&m=109718843012456&w=2
http://marc.theaimsgroup.com/?l=linux-kernel&m=109790079301554&w=2

--
Colin Phipps <cph@cph.demon.co.uk>



Information forwarded to debian-bugs-dist@lists.debian.org, Kenshi Muto <kmuto@debian.org>:
Bug#284501; Package cupsys.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Kenshi Muto <kmuto@debian.org>.

Message #20 received at 284501@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Colin Phipps <cph@cph.demon.co.uk>
Cc: 284501@bugs.debian.org
Subject: Re: Bug#284501: /usr/sbin/cupsd: Denial of service via UDP socket
Date: Sun, 12 Dec 2004 14:09:47 +0100
* Colin Phipps:

> On Tue, Dec 07, 2004 at 04:31:19PM +0100, Florian Weimer wrote:
>> * Colin Phipps:
>> > Linux select(2) is not POSIX compliant; select can report that a socket
>> > has data to read when it does not. This is so in kernel series 2.6.x and
>> > possibly earlier versions. If an application wants non-blocking
>> > behaviour on Linux, it must set O_NONBLOCK on the file handle. See the
>> > thread on LKML <http://marc.theaimsgroup.com/?t=109707457000003&r=7> .
>> 
>> This should be fixed in the kernel.  Patching each application
>> individually is not the right thing to do.
>
> This is the kernel's deliberately chosen and documented behaviour

Documented? 8-)

Anyway, it's been changed:

<http://linux.bkbits.net:8080/linux-2.5/cset@41ad55f4lM2IigkTUmtz82At8P3duA?nav=index.html|ChangeSet@-2w>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#284501; Package cupsys.

Acknowledgement sent to "Martin-Éric Racine" <q-funk@iki.fi>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>.

Message #25 received at 284501@bugs.debian.org:

From: "Martin-Éric Racine" <q-funk@iki.fi>
To: 398081@bugs.debian.org, 190135@bugs.debian.org, 201553@bugs.debian.org, 220642@bugs.debian.org, 280236@bugs.debian.org, 283581@bugs.debian.org, 284501@bugs.debian.org, 284575@bugs.debian.org, 288784@bugs.debian.org, 325561@bugs.debian.org, 353763@bugs.debian.org, 354579@bugs.debian.org, 354581@bugs.debian.org, 354590@bugs.debian.org, 369563@bugs.debian.org, 384448@bugs.debian.org, 399367@bugs.debian.org, 414299@bugs.debian.org, 283484@bugs.debian.org, 189705@bugs.debian.org, 200638@bugs.debian.org, 281974@bugs.debian.org, 282235@bugs.debian.org, 285332@bugs.debian.org, 286127@bugs.debian.org, 372133@bugs.debian.org, 423943@bugs.debian.org
Subject: [Debian QA] please review your old bug reports against CUPS
Date: Sat, 14 Jul 2007 11:57:04 +0300
Dear Debian user,

You are receiving this e-mail because you have filed a bug report
against an old version of CUPS that is no longer available in any
current Debian release.

Please review your bug report and inform us whether it still applies
to version 1.2.7-4, as present in Debian release 4.0 (Etch), or to
newer releases present in the testing branch.

-- 
Martin-Éric Racine
http://q-funk.iki.fi

Message sent on to Colin Phipps <cph@cph.demon.co.uk>:
Bug#284501.

Message #28 received at 284501-submitter@bugs.debian.org:

From: "Martin-Éric Racine" <q-funk@iki.fi>
To: 398081-submitter@bugs.debian.org, 190135-submitter@bugs.debian.org, 201553-submitter@bugs.debian.org, 220642-submitter@bugs.debian.org, 280236-submitter@bugs.debian.org, 283581-submitter@bugs.debian.org, 284501-submitter@bugs.debian.org, 284575-submitter@bugs.debian.org, 288784-submitter@bugs.debian.org, 325561-submitter@bugs.debian.org, 353763-submitter@bugs.debian.org, 354579-submitter@bugs.debian.org, 354581-submitter@bugs.debian.org, 354590-submitter@bugs.debian.org, 369563-submitter@bugs.debian.org, 384448-submitter@bugs.debian.org, 399367-submitter@bugs.debian.org, 414299-submitter@bugs.debian.org, 283484-submitter@bugs.debian.org, 189705-submitter@bugs.debian.org, 200638-submitter@bugs.debian.org, 281974-submitter@bugs.debian.org, 282235-submitter@bugs.debian.org, 285332-submitter@bugs.debian.org, 286127-submitter@bugs.debian.org, 372133-submitter@bugs.debian.org, 423943-submitter@bugs.debian.org, 82004-submitter@bugs.debian.org, 82987-submitter@bugs.debian.org, 92365-submitter@bugs.debian.org, 116286-submitter@bugs.debian.org, 126170-submitter@bugs.debian.org, 130661-submitter@bugs.debian.org, 140673-submitter@bugs.debian.org, 147332-submitter@bugs.debian.org, 162459-submitter@bugs.debian.org, 163051-submitter@bugs.debian.org, 166729-submitter@bugs.debian.org, 166884-submitter@bugs.debian.org, 168954-submitter@bugs.debian.org, 174890-submitter@bugs.debian.org, 178950-submitter@bugs.debian.org, 179349-submitter@bugs.debian.org, 188237-submitter@bugs.debian.org, 192905-submitter@bugs.debian.org, 193671-submitter@bugs.debian.org, 197200-submitter@bugs.debian.org, 199623-submitter@bugs.debian.org, 208059-submitter@bugs.debian.org, 218910-submitter@bugs.debian.org, 223465-submitter@bugs.debian.org, 232549-submitter@bugs.debian.org, 235522-submitter@bugs.debian.org, 238757-submitter@bugs.debian.org, 243364-submitter@bugs.debian.org, 243365-submitter@bugs.debian.org, 245514-submitter@bugs.debian.org, 246086-submitter@bugs.debian.org, 
250848-submitter@bugs.debian.org, 254747-submitter@bugs.debian.org, 257051-submitter@bugs.debian.org, 265817-submitter@bugs.debian.org, 271157-submitter@bugs.debian.org, 271874-submitter@bugs.debian.org, 289893-submitter@bugs.debian.org, 290346-submitter@bugs.debian.org, 293247-submitter@bugs.debian.org, 298249-submitter@bugs.debian.org, 306315-submitter@bugs.debian.org, 313416-submitter@bugs.debian.org, 315529-submitter@bugs.debian.org, 319093-submitter@bugs.debian.org, 322226-submitter@bugs.debian.org, 323795-submitter@bugs.debian.org, 323796-submitter@bugs.debian.org, 335391-submitter@bugs.debian.org, 338411-submitter@bugs.debian.org, 342735-submitter@bugs.debian.org, 343509-submitter@bugs.debian.org, 343518-submitter@bugs.debian.org, 343535-submitter@bugs.debian.org, 344898-submitter@bugs.debian.org, 351893-submitter@bugs.debian.org, 356416-submitter@bugs.debian.org, 365301-submitter@bugs.debian.org, 366674-submitter@bugs.debian.org, 370607-submitter@bugs.debian.org, 371740-submitter@bugs.debian.org, 372309-submitter@bugs.debian.org, 372506-submitter@bugs.debian.org, 373281-submitter@bugs.debian.org, 373793-submitter@bugs.debian.org, 374657-submitter@bugs.debian.org, 374946-submitter@bugs.debian.org, 374956-submitter@bugs.debian.org, 375254-submitter@bugs.debian.org, 375907-submitter@bugs.debian.org, 377079-submitter@bugs.debian.org, 378038-submitter@bugs.debian.org, 378062-submitter@bugs.debian.org, 378063-submitter@bugs.debian.org, 379014-submitter@bugs.debian.org, 381250-submitter@bugs.debian.org, 381280-submitter@bugs.debian.org, 381699-submitter@bugs.debian.org, 382499-submitter@bugs.debian.org, 382936-submitter@bugs.debian.org, 389240-submitter@bugs.debian.org, 391241-submitter@bugs.debian.org, 391571-submitter@bugs.debian.org, 400262-submitter@bugs.debian.org, 292480-submitter@bugs.debian.org, 372637-submitter@bugs.debian.org, 220611-submitter@bugs.debian.org, 376580-submitter@bugs.debian.org, 291788-submitter@bugs.debian.org, 
356468-submitter@bugs.debian.org, 301119-submitter@bugs.debian.org, 219892-submitter@bugs.debian.org, 251391-submitter@bugs.debian.org, 259774-submitter@bugs.debian.org, 301012-submitter@bugs.debian.org, 304136-submitter@bugs.debian.org, 344542-submitter@bugs.debian.org, 355122-submitter@bugs.debian.org, 356500-submitter@bugs.debian.org, 367479-submitter@bugs.debian.org, 368019-submitter@bugs.debian.org, 370559-submitter@bugs.debian.org, 370604-submitter@bugs.debian.org, 372782-submitter@bugs.debian.org, 373720-submitter@bugs.debian.org, 377604-submitter@bugs.debian.org, 378860-submitter@bugs.debian.org, 380549-submitter@bugs.debian.org, 380640-submitter@bugs.debian.org, 381428-submitter@bugs.debian.org, 383290-submitter@bugs.debian.org, 386785-submitter@bugs.debian.org, 387201-submitter@bugs.debian.org, 390522-submitter@bugs.debian.org, 399928-submitter@bugs.debian.org
Subject: [Debian QA] please review your old bug reports against CUPS
Date: Sun, 15 Jul 2007 13:10:26 +0300
Dear Debian user,

You are receiving this e-mail because you have filed a bug report
against an old version of CUPS that is no longer available in any
current Debian release.

Please review your bug report and inform us whether it still applies
to version 1.2.7-4, as present in Debian release 4.0 (Etch), or to
newer releases present in the testing branch.

Reply directly to the bug itself at NNN@bugs.debian.org to give us your answer.

See http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=cupsys&repeatmerged=no
for the whole list of bugs concerning CUPS, if you need help
remembering which bug number was assigned to your report.

-- 
Martin-Éric Racine
http://q-funk.iki.fi

Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility.

Notification sent to Colin Phipps <cph@cph.demon.co.uk>:
Bug acknowledged by developer.

Message #33 received at 284501-done@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 284501-done@bugs.debian.org
Subject: Closing
Date: Fri, 7 Mar 2008 22:33:15 +0100
Hi,

This is evidently not relevant any more, since it got fixed properly
in the Linux kernel. Closing.

Thank you!

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 Apr 2008 07:26:01 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 21:16:47 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.