Bug#530027: cups: Request from … using invalid Host: field …
package cups
severity 530027 grave
thanks

On 11-Oct-2009, Ian Zimmerman wrote:
> If you look at the valid_host() function, in the case the connecting address matches 127.*.*.* [1], the ServerAlias check is completely bypassed and only localhost or its numerical equivalents are allowed as values of the Host: header.

Which is no use when the software is running on a remote print server; the client's ‘localhost’ is not the print server.

> This breaks connection via SSH tunnels, maybe other things. I'll have to downgrade to 1.3.* until this is fixed :(

This has been the case for me for every version in Squeeze since I initially reported this bug. Given the number of people reporting the same bug and for whom the workarounds do not help, I'm upgrading the severity to ‘grave’ since for many people this bug makes the package completely unusable.

> Interestingly, I have apache2 set up the same way and it cares not one whit about the Host header. Perhaps the cure is worse than the disease here, given that the original vulnerability was mostly theoretical and involved broken clients?

Could the maintainer please respond on this? It seems that the original patch should be reverted to address this bug.

--
“Good judgement comes from experience. Experience comes from bad judgement.” —Frederick P. Brooks
Ben Finney b...@benfinney.id.au
Bug#530027: cups: Request from … using invalid Host: field …
On 13-Sep-2010, Ben Finney wrote:
> On 11-Oct-2009, Ian Zimmerman wrote:
> > I'll have to downgrade to 1.3.* until this is fixed :(
>
> This has been the case for me for every version in Squeeze since I initially reported this bug.

And now I find that downgrading to Lenny's version of CUPS, which used to be a work-around, is no longer possible in the last few months, due to the dependencies of other packages specifying “libcups2 = 1.4.0”.

So currently there's no solution that makes the package useable at all in Squeeze for those hit by this bug, so that's solid justification for setting ‘grave’ severity.

--
“Courage is not the absence of fear, but the decision that something else is more important than fear.” —Ambrose Redmoon
Ben Finney b...@benfinney.id.au
Bug#530027: [Pkg-cups-devel] Bug#530027: cups: Request from … using invalid Host: field …
severity 530027 important
thanks

Ben Finney [2010-09-13 16:17 +1000]:
> severity 530027 grave

This is quite overinflated. grave means completely useless for everyone, and breaks other packages, which isn't the case here.

> Could the maintainer please respond on this?

Please note that cups hasn't had a real maintainer for a long time, see the RFA. I recommend reporting and discussing this directly with upstream at http://cups.org/str.php, he's quite responsive.

Thanks,

Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
Bug#530027: cups: Request from … using invalid Host: field …
package cups
found 530027 1.4.3-1
thanks

On 23-May-2009, Ben Finney wrote:
> On 23-May-2009, Ben Finney wrote:
> > Could this be related to the following entry in the Debian changelog:
> >
> > =
> > * New upstream security/bug fix release:
> >   - The scheduler now protects against DNS rebinding attacks. Please note that this could lead to some regressions. (CVE-2009-0164)
> > =
> >
> > I'm completely unable to print or manage CUPS while this continues. That sounds like a regression to me, but there's no hint of how to fix it or know whether that's behind the problem.

This bug continues to occur in cups 1.4.3-1.

Enabling debug logging shows the following log entries when a client attempts to connect:

=
D [17/Apr/2010:10:23:40 +1000] cupsdAcceptClient: 13 from fuschia.local.whitetree.org:631 (IPv4)
D [17/Apr/2010:10:23:40 +1000] Report: clients=1
D [17/Apr/2010:10:23:40 +1000] Report: jobs=449
D [17/Apr/2010:10:23:40 +1000] Report: jobs-active=0
D [17/Apr/2010:10:23:40 +1000] Report: printers=3
D [17/Apr/2010:10:23:40 +1000] Report: printers-implicit=0
D [17/Apr/2010:10:23:40 +1000] Report: stringpool-string-count=1453
D [17/Apr/2010:10:23:40 +1000] Report: stringpool-alloc-bytes=8432
D [17/Apr/2010:10:23:40 +1000] Report: stringpool-total-bytes=25024
D [17/Apr/2010:10:23:40 +1000] cupsdReadClient: 13 POST / HTTP/1.1
D [17/Apr/2010:10:23:40 +1000] cupsdSetBusyState: Active clients
D [17/Apr/2010:10:23:40 +1000] cupsdAuthorize: No authentication data provided.
E [17/Apr/2010:10:23:40 +1000] Request from fuschia.local.whitetree.org using invalid Host: field printserver
D [17/Apr/2010:10:23:40 +1000] cupsdReadClient: 13 Closing because Keep-Alive disabled
D [17/Apr/2010:10:23:40 +1000] cupsdCloseClient: 13
D [17/Apr/2010:10:23:40 +1000] cupsdSetBusyState: Not busy
=

What is the plan to address this bug? I'm unable to upgrade to any version released in Squeeze so far.

--
“I don't want to live peacefully with difficult realities, and I see no virtue in savoring excuses for avoiding a search for real answers.” —Paul Z. Myers, 2009-09-12
Ben Finney b...@benfinney.id.au
Bug#530027: cups: Request from … using invalid Host: field …
An update on a workaround/solution that works for me;

Add the line;

HostNameLookups On

to your cupsd.conf file.

Solution sourced from; http://bugs.gentoo.org/show_bug.cgi?id=266678
Bug#530027: cups: Request from … using invalid Host: field …
On 18-Jan-2010, Philip Haynes wrote:
> Add the line;
>
> HostNameLookups On
>
> to your cupsd.conf file.

Thanks for the suggestion. However, that doesn't work for me:

=
$ grep HostNameLookups /etc/cups/cupsd.conf
HostNameLookups On

$ grep ServerName /etc/cups/client.conf
# ServerName: the hostname of your server. By default CUPS will use the
ServerName printserver

$ host printserver
printserver.local.whitetree.org has address 192.168.5.7

$ lpq
lpq: error - no default destination available.

$ tail /var/log/cups/error_log
D [18/Jan/2010:16:46:15 +1100] Report: stringpool-alloc-bytes=8696
D [18/Jan/2010:16:46:15 +1100] Report: stringpool-total-bytes=25024
D [18/Jan/2010:16:46:16 +1100] cupsdAcceptClient: 13 from fuschia.local.whitetree.org:631 (IPv4)
D [18/Jan/2010:16:46:16 +1100] cupsdReadClient: 13 POST / HTTP/1.1
D [18/Jan/2010:16:46:16 +1100] cupsdSetBusyState: Active clients
D [18/Jan/2010:16:46:16 +1100] cupsdAuthorize: No authentication data provided.
E [18/Jan/2010:16:46:16 +1100] Request from fuschia.local.whitetree.org using invalid Host: field printserver
D [18/Jan/2010:16:46:16 +1100] cupsdReadClient: 13 Closing because Keep-Alive disabled
D [18/Jan/2010:16:46:16 +1100] cupsdCloseClient: 13
D [18/Jan/2010:16:46:16 +1100] cupsdSetBusyState: Not busy
=

That is: the configuration file contains your suggested addition, and the server still refuses to allow connection to the host name even though that name correctly resolves to the print server host.

--
“If you can do no good, at least do no harm.” —_Slapstick_, Kurt Vonnegut
Ben Finney b...@benfinney.id.au
Bug#530027: cups: Request from … using invalid Host: field …
package cups
found 530027 1.4.2-4
thanks

On 23-May-2009, Ben Finney wrote:
> On 23-May-2009, Ben Finney wrote:
> > Could this be related to the following entry in the Debian changelog:
> >
> > =
> > * New upstream security/bug fix release:
> >   - The scheduler now protects against DNS rebinding attacks. Please note that this could lead to some regressions. (CVE-2009-0164)
> > =
> >
> > I'm completely unable to print or manage CUPS while this continues. That sounds like a regression to me, but there's no hint of how to fix it or know whether that's behind the problem.

This bug continues to occur in cups 1.4.2-4.

Enabling debug logging shows the following log entries when a client attempts to connect:

=
D [06/Dec/2009:11:14:27 +1100] cupsdAcceptClient: 13 from 192.168.5.7:631 (IPv4)
D [06/Dec/2009:11:14:27 +1100] cupsdReadClient: 13 GET / HTTP/1.1
D [06/Dec/2009:11:14:27 +1100] cupsdSetBusyState: Active clients and dirty files
D [06/Dec/2009:11:14:27 +1100] cupsdAuthorize: No authentication data provided.
E [06/Dec/2009:11:14:27 +1100] Request from 192.168.5.7 using invalid Host: field printserver:631
D [06/Dec/2009:11:14:27 +1100] cupsdReadClient: 13 Closing because Keep-Alive disabled
D [06/Dec/2009:11:14:27 +1100] cupsdCloseClient: 13
D [06/Dec/2009:11:14:27 +1100] cupsdSetBusyState: Dirty files
=

What is the plan to address this bug? I'm unable to upgrade to any version released in Squeeze so far.

--
“People's Front To Reunite Gondwanaland: Stop the Laurasian Separatist Movement!” —wiredog, http://kuro5hin.org/
Ben Finney b...@benfinney.id.au
Bug#530027: cups: Request from --- using invalid Host: field ---
A short follow-up: I left a dangling reference [1] in my previous post. Corrected below.

And, happily, I was able to work around this by re-numbering my tunnel interfaces from 127.0.*.* to 10.*.*.* . It speaks a little to how sophisticated this fix is, IMHO ...

[1] the place in the code that does the 127.* check is httpAddrLocalhost in file cups/http-addr.c

--
Ian Zimmerman i...@buug.org
gpg public key: 1024D/C6FF61AD
fingerprint: 66DC D68F 5C1B 4D71 2EE5 BD03 8A00 786C C6FF 61AD
Ham is for reading, not for eating.
Bug#530027: cups: Request from … using invalid Host: field …
The reason that ServerAlias * fixes it for some cases but not for others can be seen from the patch that addressed CVE-2009-0164:

https://bugzilla.redhat.com/attachment.cgi?id=335489

If you look at the valid_host() function, in the case the connecting address matches 127.*.*.* [1], the ServerAlias check is completely bypassed and only localhost or its numerical equivalents are allowed as values of the Host: header.

This breaks connection via SSH tunnels, maybe other things. I'll have to downgrade to 1.3.* until this is fixed :(

Interestingly, I have apache2 set up the same way and it cares not one whit about the Host header. Perhaps the cure is worse than the disease here, given that the original vulnerability was mostly theoretical and involved broken clients?

--
Ian Zimmerman i...@buug.org
gpg public key: 1024D/C6FF61AD
fingerprint: 66DC D68F 5C1B 4D71 2EE5 BD03 8A00 786C C6FF 61AD
Ham is for reading, not for eating.
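The behaviour described in the message above, as a simplified model added here for illustration; it is not CUPS source code and not code from any participant in this thread. The function names, the handling of a `*` alias, the server name `cups.example` and the sample addresses are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the Host: check described in this thread.
 * Not the CUPS source; function names and alias handling are assumptions. */

static const char *const ANY_ALIAS[] = { "*", NULL };  /* "ServerAlias *" */
static const char *const NO_ALIAS[]  = { NULL };

/* Case-insensitive string equality. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Copy the Host: value without its ":port"; keeps "[v6]" literals whole. */
static void strip_port(const char *hdr, char *out, size_t outlen)
{
    const char *end = (hdr[0] == '[') ? strchr(hdr, ']') : NULL;
    size_t n = end ? (size_t)(end - hdr) + 1 : strcspn(hdr, ":");
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, hdr, n);
    out[n] = '\0';
}

/* Returns 1 if the request would be accepted, 0 if rejected (400). */
int model_valid_host(const char *peer_ip, const char *host_hdr,
                     const char *server_name, const char *const *aliases)
{
    char host[256];
    strip_port(host_hdr, host, sizeof(host));

    if (strncmp(peer_ip, "127.", 4) == 0)   /* peer in 127.0.0.0/8 */
        /* Loopback branch: the alias list is never consulted. */
        return ieq(host, "localhost") || ieq(host, "127.0.0.1") ||
               ieq(host, "[::1]");

    if (ieq(host, server_name))
        return 1;
    for (; aliases && *aliases; aliases++)
        if (strcmp(*aliases, "*") == 0 || ieq(host, *aliases))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed cases: tunnel endpoint on 127.0.0.1, then renumbered. */
    printf("%d\n", model_valid_host("127.0.0.1", "printserver:631", "cups.example", ANY_ALIAS));
    printf("%d\n", model_valid_host("10.0.0.1", "printserver:631", "cups.example", ANY_ALIAS));
    printf("%d\n", model_valid_host("192.168.5.7", "rebound.example", "cups.example", NO_ALIAS));
    return 0;
}
```

The first two calls differ only in the peer address, which is why renumbering a tunnel interface out of 127.* changes the outcome while adding an alias does not; the third shows the case the check exists for, a Host: value that names some other site.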
Bug#530027: cups: Request from … using invalid Host: field …
package cups
found 530027 1.4.1-4
thanks

On 23-May-2009, Ben Finney wrote:
> On 23-May-2009, Ben Finney wrote:
> > Could this be related to the following entry in the Debian changelog:
> >
> > =
> > * New upstream security/bug fix release:
> >   - The scheduler now protects against DNS rebinding attacks. Please note that this could lead to some regressions. (CVE-2009-0164)
> > =
> >
> > I'm completely unable to print or manage CUPS while this continues. That sounds like a regression to me, but there's no hint of how to fix it or know whether that's behind the problem.

This bug continues to occur in cups 1.4.1-4.

--
“People's Front To Reunite Gondwanaland: Stop the Laurasian Separatist Movement!” —wiredog, http://kuro5hin.org/
Ben Finney b...@benfinney.id.au
Bug#530027: cups: Request from … using invalid Host: field …
package cups
found 530027 1.3.11-1
thanks

On 23-May-2009, Ben Finney wrote:
> On 23-May-2009, Ben Finney wrote:
> > Could this be related to the following entry in the Debian changelog:
> >
> > =
> > * New upstream security/bug fix release:
> >   - The scheduler now protects against DNS rebinding attacks. Please note that this could lead to some regressions. (CVE-2009-0164)
> > =
> >
> > I'm completely unable to print or manage CUPS while this continues. That sounds like a regression to me, but there's no hint of how to fix it or know whether that's behind the problem.

This bug continues to occur in cups 1.3.11-1.

--
“The way to build large Python applications is to componentize and loosely-couple the hell out of everything.” —Aahz
Ben Finney b...@benfinney.id.au
Bug#530027: cups: Request from ... using invalid Host: field ...
Same problems here. No luck with ServerAlias *.

However, I have found that cups commands will work if I explicitly specify the hostname localhost, e.g.:

# lpstat -a
lpstat: Bad Request
# lpstat -h localhost -a
DeskJet accepting requests since Fri Jul 10 13:00:17 2009

And similarly with all the lp commands.
Bug#530027: cups: Request from … using invalid Host: field …
package cups
found 530027 1.3.10-2
thanks

On 23-May-2009, Ben Finney wrote:
> On 23-May-2009, Ben Finney wrote:
> > Could this be related to the following entry in the Debian changelog:
> >
> > =
> > * New upstream security/bug fix release:
> >   - The scheduler now protects against DNS rebinding attacks. Please note that this could lead to some regressions. (CVE-2009-0164)
> > =
> >
> > I'm completely unable to print or manage CUPS while this continues. That sounds like a regression to me, but there's no hint of how to fix it or know whether that's behind the problem.

This bug continues to occur in cups 1.3.10-2.

--
“The way to build large Python applications is to componentize and loosely-couple the hell out of everything.” —Aahz
Ben Finney b...@benfinney.id.au
Bug#530027: cups: Request from … using invalid Host: field …
Package: cups
Version: 1.3.10-1
Severity: important

The CUPS server is rejecting all connections. With debug logging output, I see this every second:

=
D [23/May/2009:09:48:12 +1000] cupsdAcceptClient: 9 from 192.168.5.7:631 (IPv4)
D [23/May/2009:09:48:12 +1000] cupsdReadClient: 9 POST / HTTP/1.1
D [23/May/2009:09:48:12 +1000] cupsdAuthorize: No authentication data provided.
W [23/May/2009:09:48:12 +1000] Request from 192.168.5.7 using invalid Host: field printserver
D [23/May/2009:09:48:12 +1000] cupsdSendError: 9 code=400 (Bad Request)
D [23/May/2009:09:48:12 +1000] cupsdCloseClient: 9
=

The host name ‘printserver’ is not invalid. It resolves correctly to the machine running the CUPS server:

=
$ host printserver
printserver.local.whitetree.org has address 192.168.5.7
=

The server is configured in ‘/etc/cups/cupsd.conf’ to listen on that address:

=
Listen printserver:631
=

Even if I set a client to use the FQDN, the same error occurs:

=
D [23/May/2009:09:51:38 +1000] cupsdAcceptClient: 9 from 192.168.5.7:631 (IPv4)
D [23/May/2009:09:51:38 +1000] cupsdReadClient: 9 POST / HTTP/1.1
D [23/May/2009:09:51:38 +1000] cupsdAuthorize: No authentication data provided.
W [23/May/2009:09:51:38 +1000] Request from 192.168.5.7 using invalid Host: field printserver.local.whitetree.org
D [23/May/2009:09:51:38 +1000] cupsdSendError: 9 code=400 (Bad Request)
D [23/May/2009:09:51:38 +1000] cupsdCloseClient: 9
=

Could this be related to the following entry in the Debian changelog:

=
* New upstream security/bug fix release:
  - The scheduler now protects against DNS rebinding attacks. Please note that this could lead to some regressions. (CVE-2009-0164)
=

I'm completely unable to print or manage CUPS while this continues. That sounds like a regression to me, but there's no hint of how to fix it or know whether that's behind the problem.
-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (900, 'stable')
Architecture: powerpc (ppc64)

Kernel: Linux 2.6.26-2-powerpc64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cups depends on:
ii  adduser               3.110                add and remove users and groups
ii  bc                    1.06.94-3.1          The GNU bc arbitrary precision cal
ii  cups-common           1.3.10-1             Common UNIX Printing System(tm) -
ii  debconf [debconf-2.0  1.5.26               Debian configuration management sy
ii  ghostscript           8.64~dfsg-1.1        The GPL Ghostscript PostScript/PDF
ii  libavahi-compat-libd  0.6.25-1             Avahi Apple Bonjour compatibility
ii  libc6                 2.9-4                GNU C Library: Shared libraries
ii  libcups2              1.3.10-1             Common UNIX Printing System(tm) -
ii  libcupsimage2         1.3.10-1             Common UNIX Printing System(tm) -
ii  libdbus-1-3           1.2.12-1             simple interprocess messaging syst
ii  libgcc1               1:4.4.0-4            GCC support library
ii  libgnutls26           2.6.6-1              the GNU TLS library - runtime libr
ii  libgssapi-krb5-2      1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries - k
ii  libijs-0.35           0.35-7               IJS raster image transport protoco
ii  libkrb5-3             1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.11-1             OpenLDAP libraries
ii  libpam0g              1.0.1-9              Pluggable Authentication Modules l
ii  libpaper1             1.1.23+nmu1          library for handling paper charact
ii  libpoppler4           0.10.4-3             PDF rendering library
ii  libslp1               1.2.1-7.5            OpenSLP libraries
ii  libstdc++6            4.4.0-4              The GNU Standard C++ Library v3
ii  lsb-base              3.2-22               Linux Standard Base 3.2 init scrip
ii  perl-modules          5.10.0-22            Core Perl modules
ii  poppler-utils [xpdf-  0.10.4-3             PDF utilitites (based on libpopple
ii  procps                1:3.2.7-11           /proc file system utilities
ii  ssl-cert              1.0.23               simple debconf wrapper for OpenSSL
ii  ttf-freefont          20080323-3           Freefont Serif, Sans and Mono True
ii  zlib1g                1:1.2.3.3.dfsg-13    compression library - runtime

Versions of packages cups recommends:
ii  avahi-utils           0.6.25-1             Avahi browsing, publishing and dis
ii  cups-client           1.3.10-1             Common UNIX Printing System(tm) -
ii  foomatic-filters      4.0-20090509-1       OpenPrinting printer support - fil
ii  smbclient             2:3.3.4-1            command-line SMB/CIFS clients for

Versions of packages cups suggests:
ii  cups-bsd              1.3.10-1             Common UNIX Printing System(tm) -
ii  cups-driver-gutenprint  5.2.3-2+b1         printer drivers for CUPS
ii  cups-pdf
Bug#530027: cups: Request from … using invalid Host: field …
On 23-May-2009, Ben Finney wrote:
> Could this be related to the following entry in the Debian changelog:
>
> =
> * New upstream security/bug fix release:
>   - The scheduler now protects against DNS rebinding attacks. Please note that this could lead to some regressions. (CVE-2009-0164)
> =
>
> I'm completely unable to print or manage CUPS while this continues. That sounds like a regression to me, but there's no hint of how to fix it or know whether that's behind the problem.

I have downgraded to ‘cups 1.3.8-1lenny5’, with no other change, and the correct behaviour is restored. This supports the explanation that a change in the newer version is the cause of this bug.

--
“I was stopped by the police for speeding; they said ‘Don't you know the speed limit is 55 miles an hour?’ I said ‘Yeah I know, but I wasn't going to be out that long.’” —Steven Wright
Ben Finney b...@benfinney.id.au