The CUPS server is rejecting all connections. With debug logging
output, I see this every second:
=====
D [23/May/2009:09:48:12 +1000] cupsdAcceptClient: 9 from 192.168.5.7:631 (IPv4)
D [23/May/2009:09:48:12 +1000] cupsdReadClient: 9 POST / HTTP/1.1
D [23/May/2009:09:48:12 +1000] cupsdAuthorize: No authentication data provided.
W [23/May/2009:09:48:12 +1000] Request from "192.168.5.7" using invalid Host: field "printserver"
D [23/May/2009:09:48:12 +1000] cupsdSendError: 9 code=400 (Bad Request)
D [23/May/2009:09:48:12 +1000] cupsdCloseClient: 9
=====
The host name ‘printserver’ is not invalid. It resolves correctly to
the machine running the CUPS server:
=====
$ host printserver
printserver.local.whitetree.org has address 192.168.5.7
=====
The server is configured in ‘/etc/cups/cupsd.conf’ to listen on that
address:
=====
Listen printserver:631
=====
Even if I set a client to use the FQDN, the same error occurs:
=====
D [23/May/2009:09:51:38 +1000] cupsdAcceptClient: 9 from 192.168.5.7:631 (IPv4)
D [23/May/2009:09:51:38 +1000] cupsdReadClient: 9 POST / HTTP/1.1
D [23/May/2009:09:51:38 +1000] cupsdAuthorize: No authentication data provided.
W [23/May/2009:09:51:38 +1000] Request from "192.168.5.7" using invalid Host: field "printserver.local.whitetree.org"
D [23/May/2009:09:51:38 +1000] cupsdSendError: 9 code=400 (Bad Request)
D [23/May/2009:09:51:38 +1000] cupsdCloseClient: 9
=====
Could this be related to the following entry in the Debian changelog:
=====
* New upstream security/bug fix release:
- The scheduler now protects against DNS rebinding attacks. Please note
that this could lead to some regressions. (CVE-2009-0164)
=====
I'm completely unable to print or manage CUPS while this continues.
That sounds like a regression to me, but there's no hint of how to fix
it or know whether that's behind the problem.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (900, 'stable')
Architecture: powerpc (ppc64)
Kernel: Linux 2.6.26-2-powerpc64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages cups depends on:
ii adduser 3.110 add and remove users and groups
ii bc 1.06.94-3.1 The GNU bc arbitrary precision cal
ii cups-common 1.3.10-1 Common UNIX Printing System(tm) -
ii debconf [debconf-2.0 1.5.26 Debian configuration management sy
ii ghostscript 8.64~dfsg-1.1 The GPL Ghostscript PostScript/PDF
ii libavahi-compat-libd 0.6.25-1 Avahi Apple Bonjour compatibility
ii libc6 2.9-4 GNU C Library: Shared libraries
ii libcups2 1.3.10-1 Common UNIX Printing System(tm) -
ii libcupsimage2 1.3.10-1 Common UNIX Printing System(tm) -
ii libdbus-1-3 1.2.12-1 simple interprocess messaging syst
ii libgcc1 1:4.4.0-4 GCC support library
ii libgnutls26 2.6.6-1 the GNU TLS library - runtime libr
ii libgssapi-krb5-2 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - k
ii libijs-0.35 0.35-7 IJS raster image transport protoco
ii libkrb5-3 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libpam0g 1.0.1-9 Pluggable Authentication Modules l
ii libpaper1 1.1.23+nmu1 library for handling paper charact
ii libpoppler4 0.10.4-3 PDF rendering library
ii libslp1 1.2.1-7.5 OpenSLP libraries
ii libstdc++6 4.4.0-4 The GNU Standard C++ Library v3
ii lsb-base 3.2-22 Linux Standard Base 3.2 init scrip
ii perl-modules 5.10.0-22 Core Perl modules
ii poppler-utils [xpdf- 0.10.4-3 PDF utilitites (based on libpopple
ii procps 1:3.2.7-11 /proc file system utilities
ii ssl-cert 1.0.23 simple debconf wrapper for OpenSSL
ii ttf-freefont 20080323-3 Freefont Serif, Sans and Mono True
ii zlib1g 1:1.2.3.3.dfsg-13 compression library - runtime
Versions of packages cups recommends:
ii avahi-utils 0.6.25-1 Avahi browsing, publishing and dis
ii cups-client 1.3.10-1 Common UNIX Printing System(tm) -
ii foomatic-filters 4.0-20090509-1 OpenPrinting printer support - fil
ii smbclient 2:3.3.4-1 command-line SMB/CIFS clients for
Versions of packages cups suggests:
ii cups-bsd 1.3.10-1 Common UNIX Printing System(tm) -
ii cups-driver-gutenprint 5.2.3-2+b1 printer drivers for CUPS
ii cups-pdf 2.5.0-2 PDF printer for CUPS
ii foomatic-db 20090508-1 OpenPrinting printer support - dat
ii foomatic-db-engine 4.0-20090509-1 OpenPrinting printer support - pro
pn hplip <none> (no description available)
pn xpdf-korean | xpdf-japane <none> (no description available)
-- debconf information:
cupsys/raw-print: true
cupsys/backend: ipp, lpd, parallel, scsi, serial, socket, usb, snmp, dnssd
--
\ “[T]he question of whether machines can think … is about as |
`\ relevant as the question of whether submarines can swim.” |
_o__) —Edsger W. Dijkstra |
Ben Finney <b...@benfinney.id.au>
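The rejection lines in the debug log quoted in the report above can be pulled out and grouped, which shows at a glance which peers are being refused and under which Host: names. This is an added example, not part of the original report and not CUPS code; the sample lines are copied from the logs quoted in this thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: lines in the cupsd error_log format quoted in this thread.
SAMPLE_LOG = '''\
D [23/May/2009:09:48:12 +1000] cupsdAcceptClient: 9 from 192.168.5.7:631 (IPv4)
D [23/May/2009:09:48:12 +1000] cupsdReadClient: 9 POST / HTTP/1.1
W [23/May/2009:09:48:12 +1000] Request from "192.168.5.7" using invalid Host: field "printserver"
D [23/May/2009:09:48:12 +1000] cupsdSendError: 9 code=400 (Bad Request)
W [23/May/2009:09:51:38 +1000] Request from "192.168.5.7" using invalid Host: field "printserver.local.whitetree.org"
E [06/Dec/2009:11:14:27 +1100] Request from "192.168.5.7" using invalid Host: field "printserver:631"
'''

# The thread shows the message at level W in one log and level E in a later one.
REJECT = re.compile(
    r'^(?P<level>[WE]) \[(?P<ts>[^\]]+)\] Request from "(?P<peer>[^"]*)" '
    r'using invalid Host: field "(?P<host>[^"]*)"$'
)

def normalise_host(value):
    """Lower-case a Host: value and drop an optional :port; keep [IPv6] literals."""
    value = value.strip().lower()
    if value.startswith('['):  # bracketed IPv6 literal such as [::1]:631
        return value[:value.find(']') + 1] if ']' in value else value
    host, sep, port = value.rpartition(':')
    return host if sep and port.isdigit() else value

def rejected_hosts(log_text):
    """Count rejections per (peer, normalised Host name)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT.match(line.strip())
        if m:
            counts[(m.group('peer'), normalise_host(m.group('host')))] += 1
    return counts

if __name__ == '__main__':
    for (peer, host), n in sorted(rejected_hosts(SAMPLE_LOG).items()):
        print(f'{n:3d}  peer={peer}  host={host}')
```

A name that the administrator recognises as the server's own points to a configuration gap, while an unfamiliar name in this list is what the rebinding protection is meant to catch.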
I have downgraded to ‘cups 1.3.8-1lenny5’, with no other change, and
the correct behaviour is restored. This supports the explanation that
a change in the newer version is the cause of this bug.
--
\ “I was stopped by the police for speeding; they said ‘Don't you |
`\ know the speed limit is 55 miles an hour?’ I said ‘Yeah I know, |
_o__) but I wasn't going to be out that long.’” —Steven Wright |
Ben Finney <b...@benfinney.id.au>
On 23-May-2009, Ben Finney wrote:
> On 23-May-2009, Ben Finney wrote:
> > Could this be related to the following entry in the Debian
> > changelog:
> >
> > =====
> > * New upstream security/bug fix release:
> > - The scheduler now protects against DNS rebinding attacks. Please note
> > that this could lead to some regressions. (CVE-2009-0164)
> > =====
> >
> > I'm completely unable to print or manage CUPS while this
> > continues. That sounds like a regression to me, but there's no
> > hint of how to fix it or know whether that's behind the problem.
This bug continues to occur in cups 1.3.10-2.
--
\ “The way to build large Python applications is to componentize |
`\ and loosely-couple the hell out of everything.” —Aahz |
_o__) |
Ben Finney <b...@benfinney.id.au>
On 23-May-2009, Ben Finney wrote:
> On 23-May-2009, Ben Finney wrote:
> > Could this be related to the following entry in the Debian
> > changelog:
> >
> > =====
> > * New upstream security/bug fix release:
> > - The scheduler now protects against DNS rebinding attacks. Please note
> > that this could lead to some regressions. (CVE-2009-0164)
> > =====
> >
> > I'm completely unable to print or manage CUPS while this
> > continues. That sounds like a regression to me, but there's no
> > hint of how to fix it or know whether that's behind the problem.
This bug continues to occur in cups 1.3.11-1.
--
\ “The way to build large Python applications is to componentize |
`\ and loosely-couple the hell out of everything.” —Aahz |
_o__) |
Ben Finney <b...@benfinney.id.au>
On 23-May-2009, Ben Finney wrote:
> On 23-May-2009, Ben Finney wrote:
> > Could this be related to the following entry in the Debian
> > changelog:
> >
> > =====
> > * New upstream security/bug fix release:
> > - The scheduler now protects against DNS rebinding attacks. Please note
> > that this could lead to some regressions. (CVE-2009-0164)
> > =====
> >
> > I'm completely unable to print or manage CUPS while this
> > continues. That sounds like a regression to me, but there's no
> > hint of how to fix it or know whether that's behind the problem.
This bug continues to occur in cups 1.4.1-4.
--
\ “People's Front To Reunite Gondwanaland: Stop the Laurasian |
`\ Separatist Movement!” —wiredog, http://kuro5hin.org/ |
https://bugzilla.redhat.com/attachment.cgi?id=335489
If you look at the valid_host() function, in the case the connecting
address matches 127.*.*.* [1], the ServerAlias check is completely
bypassed and only "localhost" or its numerical equivalents are allowed
as values of the Host: header.
This breaks connection via SSH tunnels, maybe other things.
I'll have to downgrade to 1.3.* until this is fixed :(
Interestingly, I have apache2 set up the same way and it cares not one
whit about the Host header. Perhaps the cure is worse than the disease
here, given that the original vulnerability was mostly theoretical and
involved broken clients?
--
Ian Zimmerman <i...@buug.org>
gpg public key: 1024D/C6FF61AD
fingerprint: 66DC D68F 5C1B 4D71 2EE5 BD03 8A00 786C C6FF 61AD
Ham is for reading, not for eating.
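The check described in the message above can be modelled in a few lines to show why a request arriving over an SSH tunnel is refused even when the name is configured as an alias. This is an added example, not part of the original message and not CUPS source code: the function names, the shape of the alias list and the `loopback_uses_aliases` switch are assumptions made for illustration, and the switch is a hypothetical contrast, not the upstream behaviour or fix.

```python
import ipaddress

# "localhost" and its numerical equivalents, as described in the message.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "[::1]"}

def split_host(header):
    """Return the lower-cased host part of a Host: header, without :port."""
    h = header.strip().lower()
    if h.startswith("["):  # bracketed IPv6 literal
        return h[: h.find("]") + 1]
    return h.split(":", 1)[0]

def is_loopback(peer):
    """True when the connecting address is a loopback address (127.*.*.* or ::1)."""
    try:
        return ipaddress.ip_address(peer).is_loopback
    except ValueError:
        return False

def host_allowed(peer, host_header, aliases, loopback_uses_aliases=False):
    """Simplified model of the Host: check (assumption, not CUPS code).

    peer     address the connection arrived from
    aliases  names the server is configured to answer to
    """
    host = split_host(host_header)
    names = {a.lower() for a in aliases}
    if is_loopback(peer):
        if host in LOOPBACK_NAMES:
            return True
        # As described in the thread, the alias list is not consulted here.
        return loopback_uses_aliases and host in names
    # Non-loopback peers: only configured names pass, so a name controlled
    # by someone else (the DNS rebinding case) is refused.
    return host in names

if __name__ == "__main__":
    aliases = ["printserver"]
    print(host_allowed("192.168.5.20", "printserver:631", aliases))  # LAN client
    print(host_allowed("127.0.0.1", "printserver:631", aliases))     # via tunnel
```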
On 23-May-2009, Ben Finney wrote:
> On 23-May-2009, Ben Finney wrote:
> > Could this be related to the following entry in the Debian
> > changelog:
> >
> > =====
> > * New upstream security/bug fix release:
> > - The scheduler now protects against DNS rebinding attacks. Please note
> > that this could lead to some regressions. (CVE-2009-0164)
> > =====
> >
> > I'm completely unable to print or manage CUPS while this
> > continues. That sounds like a regression to me, but there's no
> > hint of how to fix it or know whether that's behind the problem.
This bug continues to occur in cups 1.4.2-4.
Enabling debug logging shows the following log entries when a client
attempts to connect:
=====
D [06/Dec/2009:11:14:27 +1100] cupsdAcceptClient: 13 from 192.168.5.7:631 (IPv4)
D [06/Dec/2009:11:14:27 +1100] cupsdReadClient: 13 GET / HTTP/1.1
D [06/Dec/2009:11:14:27 +1100] cupsdSetBusyState: Active clients and dirty files
D [06/Dec/2009:11:14:27 +1100] cupsdAuthorize: No authentication data provided.
E [06/Dec/2009:11:14:27 +1100] Request from "192.168.5.7" using invalid Host: field "printserver:631"
D [06/Dec/2009:11:14:27 +1100] cupsdReadClient: 13 Closing because Keep-Alive disabled
D [06/Dec/2009:11:14:27 +1100] cupsdCloseClient: 13
D [06/Dec/2009:11:14:27 +1100] cupsdSetBusyState: Dirty files
=====
What is the plan to address this bug? I'm unable to upgrade to any
version released in Squeeze so far.
--
\ “People's Front To Reunite Gondwanaland: Stop the Laurasian |
`\ Separatist Movement!” —wiredog, http://kuro5hin.org/ |
_o__) |
Ben Finney <b...@benfinney.id.au>
On 23-May-2009, Ben Finney wrote:
> On 23-May-2009, Ben Finney wrote:
> > Could this be related to the following entry in the Debian
> > changelog:
> >
> > =====
> > * New upstream security/bug fix release:
> > - The scheduler now protects against DNS rebinding attacks. Please note
> > that this could lead to some regressions. (CVE-2009-0164)
> > =====
> >
> > I'm completely unable to print or manage CUPS while this
> > continues. That sounds like a regression to me, but there's no
> > hint of how to fix it or know whether that's behind the problem.
This bug continues to occur in cups 1.4.3-1.
Enabling debug logging shows the following log entries when a client
attempts to connect:
=====
D [17/Apr/2010:10:23:40 +1000] cupsdAcceptClient: 13 from fuschia.local.whitetree.org:631 (IPv4)
D [17/Apr/2010:10:23:40 +1000] Report: clients=1
D [17/Apr/2010:10:23:40 +1000] Report: jobs=449
D [17/Apr/2010:10:23:40 +1000] Report: jobs-active=0
D [17/Apr/2010:10:23:40 +1000] Report: printers=3
D [17/Apr/2010:10:23:40 +1000] Report: printers-implicit=0
D [17/Apr/2010:10:23:40 +1000] Report: stringpool-string-count=1453
D [17/Apr/2010:10:23:40 +1000] Report: stringpool-alloc-bytes=8432
D [17/Apr/2010:10:23:40 +1000] Report: stringpool-total-bytes=25024
D [17/Apr/2010:10:23:40 +1000] cupsdReadClient: 13 POST / HTTP/1.1
D [17/Apr/2010:10:23:40 +1000] cupsdSetBusyState: Active clients
D [17/Apr/2010:10:23:40 +1000] cupsdAuthorize: No authentication data provided.
E [17/Apr/2010:10:23:40 +1000] Request from "fuschia.local.whitetree.org" using invalid Host: field "printserver"
D [17/Apr/2010:10:23:40 +1000] cupsdReadClient: 13 Closing because Keep-Alive disabled
D [17/Apr/2010:10:23:40 +1000] cupsdCloseClient: 13
D [17/Apr/2010:10:23:40 +1000] cupsdSetBusyState: Not busy
=====
What is the plan to address this bug? I'm unable to upgrade to any
version released in Squeeze so far.
--
\ “I don't want to live peacefully with difficult realities, and |
`\ I see no virtue in savoring excuses for avoiding a search for |
_o__) real answers.” —Paul Z. Myers, 2009-09-12 |
On 11-Oct-2009, Ian Zimmerman wrote:
> If you look at the valid_host() function, in the case the connecting
> address matches 127.*.*.* [1], the ServerAlias check is completely
> bypassed and only "localhost" or its numerical equivalents are
> allowed as values of the Host: header.
Which is no use when the software is running on a remote print server;
the client's ‘localhost’ is not the print server.
> This breaks connection via SSH tunnels, maybe other things.
> I'll have to downgrade to 1.3.* until this is fixed :(
This has been the case for me for every version in Squeeze since I
initially reported this bug.
Given the number of people reporting the same bug and for whom the
workarounds do not help, I'm upgrading the severity to ‘grave’ since
for many people this bug makes the package completely unusable.
> Interestingly, I have apache2 set up the same way and it cares not
> one whit about the Host header. Perhaps the cure is worse than the
> disease here, given that the original vulnerability was mostly
> theoretical and involved broken clients?
Could the maintainer please respond on this? It seems that the
original patch should be reverted to address this bug.
--
\ “Good judgement comes from experience. Experience comes from |
`\ bad judgement.” —Frederick P. Brooks |
_o__) |
Ben Finney <b...@benfinney.id.au>
And now I find that downgrading to Lenny's version of CUPS, which used
to be a work-around, is no longer possible in the last few months, due
to the dependencies of other packages specifying “libcups2 >= 1.4.0”.
So currently there's no solution that makes the package useable at all
in Squeeze for those hit by this bug, so that's solid justification
for setting ‘grave’ severity.
--
\ “Courage is not the absence of fear, but the decision that |
`\ something else is more important than fear.” —Ambrose Redmoon |
_o__) |
Ben Finney <b...@benfinney.id.au>
Ben Finney [2010-09-13 16:17 +1000]:
> severity 530027 grave
This is quite overinflated. "grave" means "completely useless for
everyone", and "breaks other packages", which isn't the case here.
> Could the maintainer please respond on this?
Please note that cups hasn't had a real maintainer for a long time,
see the RFA. I recommend reporting and discussing this directly with
upstream at http://cups.org/str.php, he's quite responsive.
Thanks,
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)