CVE-2009-0949 (CNNVD-200906-120)
Chinese title:
Apple CUPS cups/ipp.c NULL pointer dereference denial-of-service vulnerability
English title:
The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 does not properly initialize mem...
Vulnerability description
Chinese description:
Common Unix Printing System (CUPS) is a general-purpose Unix printing system, a cross-platform printing solution for Unix environments. It is based on the Internet Printing Protocol and provides service for most PostScript and raster printers.

When processing a specially crafted IPP packet containing two IPP_TAG_UNSUPPORTED tags, the ippReadIO() function in CUPS's cups/ipp.c does not correctly initialize the ipp structure, which can crash the affected application.

The ippReadIO() function in cups/ipp.c is responsible for initializing the ipp structure that represents the different tags in the current IPP request:

/-----------
ipp_state_t                             /* O - Current state */
ippReadIO(void       *src,              /* I - Data source */
          ipp_iocb_t cb,                /* I - Read callback function */
          int        blocking,          /* I - Use blocking IO? */
          ipp_t      *parent,           /* I - Parent request, if any */
          ipp_t      *ipp)              /* I - IPP data */
{
  int                   n;              /* Length of data */
  unsigned char         buffer[IPP_MAX_LENGTH + 1],
                                        /* Data buffer */
                        string[IPP_MAX_NAME],
                                        /* Small string buffer */
                        *bufptr;        /* Pointer into buffer */
  ipp_attribute_t       *attr;          /* Current attribute */
  ipp_tag_t             tag;            /* Current tag */
  ipp_tag_t             value_tag;      /* Current value tag */
  ipp_value_t           *value;         /* Current value */

  DEBUG_printf(("ippReadIO(%p, %p, %d, %p, %p)\n", src, cb, blocking,
                parent, ipp));
  DEBUG_printf(("ippReadIO: ipp->state=%d\n", ipp->state));

  if (src == NULL || ipp == NULL)
    return (IPP_ERROR);

  switch (ipp->state)
  {
    case IPP_IDLE :
        ipp->state ++; /* Avoid common problem... */

    case IPP_HEADER :
        if (parent == NULL)
-----------/

In the code above, the packet is accounted for through several different tag attributes. If the tag attribute of the IPP packet that was sent is below 0x10, CUPS treats it as an IPP_TAG_UNSUPPORTED tag:

/-----------
else if (tag < IPP_TAG_UNSUPPORTED_VALUE)
{
 /*
  * Group tag...  Set the current group and continue...
  */

  if (ipp->curtag == tag)
    ipp->prev = ippAddSeparator(ipp);
  else if (ipp->current)
    ipp->prev = ipp->current;

  ipp->curtag  = tag;
  ipp->current = NULL;
  DEBUG_printf(("ippReadIO: group tag = %x, ipp->prev=%p\n", tag, ipp->prev));
  continue;
}
-----------/

Because of the way CUPS handles this kind of tag, if the packet contains two consecutive IPP_TAG_UNSUPPORTED tags, the last node of the IPP structure is initialized to NULL. This causes a crash when the cupsdProcessIPPRequest function tries to read the name field of the attr structure.

/-----------
/*
 * 'cupsdProcessIPPRequest()' - Process an incoming IPP request.
 */

int                                     /* O - 1 on success, 0 on failure */
cupsdProcessIPPRequest(
    cupsd_client_t *con)                /* I - Client connection */
...
  if (!attr)
  {
   /*
    * Then make sure that the first three attributes are:
    *
    *     attributes-charset
    *     attributes-natural-language
    *     printer-uri/job-uri
    */

    attr = con->request->attrs;
    if (attr && !strcmp(attr->name, "attributes-charset") &&
        (attr->value_tag & IPP_TAG_MASK) == IPP_TAG_CHARSET)
      charset = attr;
    else
      charset = NULL;
...
-----------/
English description:
The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 does not properly initialize memory for IPP request packets, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a scheduler request with two consecutive IPP_TAG_UNSUPPORTED tags.
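A minimal C model of the failure mode described above, added here as an illustration (it is not CUPS code and not part of the advisory). It assumes the separator inserted for a repeated group tag is an attribute whose name is NULL, and shows a first-attribute check that tests the name before calling strcmp(); the types `req_t` and `attr_t`, the helper functions and the tag value 0x05 are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the CUPS structures (assumed model, not real CUPS types). */
typedef struct attr_s { const char *name; struct attr_s *next; } attr_t;
typedef struct { attr_t pool[8]; int used; attr_t *attrs, *last; int curtag; } req_t;
#define GROUP_TAG_LIMIT  0x10  /* tags below 0x10 are handled as group tags (from the page) */
#define SAMPLE_GROUP_TAG 0x05  /* constructed sample value below 0x10 */

/* Append an attribute; name == NULL models the separator added for a repeated tag. */
static attr_t *add_attr(req_t *r, const char *name)
{
  if (r->used >= 8) return NULL;
  attr_t *a = &r->pool[r->used++];   /* pool was zeroed, so a->next is already NULL */
  a->name = name;
  if (r->last) r->last->next = a; else r->attrs = a;
  r->last = a;
  return a;
}

/* Model of the group-tag branch quoted above: the same tag twice in a row adds a separator. */
static void feed_group_tag(req_t *r, int tag)
{
  if (tag >= GROUP_TAG_LIMIT) return;
  if (r->curtag == tag) add_attr(r, NULL);
  r->curtag = tag;
}

/* Build a request: the group tag sent `repeats` times, then one named attribute. */
static void build(req_t *r, int repeats)
{
  memset(r, 0, sizeof(*r));
  while (repeats-- > 0) feed_group_tag(r, SAMPLE_GROUP_TAG);
  add_attr(r, "attributes-charset");
}

/* Hardened first-attribute check. The quoted code tests only `attr` before
 * strcmp(attr->name, ...); here a nameless attribute is rejected first. */
static int first_is_charset(const req_t *r)
{
  const attr_t *a = r->attrs;
  return a != NULL && a->name != NULL && strcmp(a->name, "attributes-charset") == 0;
}

int main(void)
{
  req_t ok, dup;
  build(&ok, 1); build(&dup, 2);
  printf("single tag: %d, repeated tag: %d\n", first_is_charset(&ok), first_is_charset(&dup));
}
```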
CWE type:
Tags:
Affected products
| Vendor | Product | Version | Version range | Platform | CPE |
|---|---|---|---|---|---|
| apple | cups | * | - | - | cpe:2.3:a:apple:cups:*:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 6.06 | - | - | cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 8.04 | - | - | cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:* |
| canonical | ubuntu_linux | 8.10 | - | - | cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 9.04 | - | - | cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:* |
| debian | debian_linux | 4.0 | - | - | cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:* |
| debian | debian_linux | 5.0 | - | - | cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:* |
| debian | debian_linux | 6.0 | - | - | cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* |
| apple | mac_os_x | * | - | - | cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:* |
| apple | mac_os_x_server | * | - | - | cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:* |
| opensuse | opensuse | 10.3 | - | - | cpe:2.3:o:opensuse:opensuse:10.3:*:*:*:*:*:*:* |
| suse | linux_enterprise | 9.0 | - | - | cpe:2.3:o:suse:linux_enterprise:9.0:-:*:*:*:*:*:* |
| suse | linux_enterprise | 10.0 | - | - | cpe:2.3:o:suse:linux_enterprise:10.0:-:*:*:*:*:*:* |
Solution
Chinese solution:
English solution:
Temporary workaround:
CVSS score details
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Time information
Exploit information
Data source details
| Data source | Record ID | Version | Extraction time |
|---|---|---|---|
| CVE | cve_CVE-2009-0949 | 2025-11-11 15:18:09 | 2025-11-11 07:33:00 |
| NVD | nvd_CVE-2009-0949 | 2025-11-11 14:52:59 | 2025-11-11 07:41:47 |
| CNNVD | cnnvd_CNNVD-200906-120 | 2025-11-11 15:09:05 | 2025-11-11 07:49:36 |
| EXPLOITDB | exploitdb_EDB-33020 | 2025-11-11 15:05:24 | 2025-11-11 08:27:41 |
Version and language
Security advisories
Change history
View detailed changes
- references_count: 20 -> 23
- tags_count: 0 -> 4
- data_sources: ['cnnvd', 'cve', 'nvd'] -> ['cnnvd', 'cve', 'exploitdb', 'nvd']
View detailed changes
- vulnerability_type: not extracted -> resource management error
- cnnvd_id: not extracted -> CNNVD-200906-120
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
View detailed changes
- severity: SeverityLevel.MEDIUM -> SeverityLevel.HIGH
- cvss_score: not extracted -> 7.5
- cvss_vector: NOT_EXTRACTED -> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- cvss_version: NOT_EXTRACTED -> 3.1
- affected_products_count: 0 -> 13
- data_sources: ['cve'] -> ['cve', 'nvd']