CVE-2009-3553
cups: Use-after-free (crash) due improper reference counting in abstract file descriptors handling interface
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information.
Vulnerabilidad de uso anterior a la liberación en el descriptor de fichero abstracto de cuelgue de interface en la función cupsdDoSelect en scheduler/select.c en el scheduler en cupsd en CUPS v1.3.7 y v1.3.10 permite a los atacantes remoto causar una denegación de servicio (caída o cuelque del demonio) a través de una desconexión de cliente durante el listado de una elevado número de trabajos de impresión, en relación al mantenimiento inapropiado de un contador de referencia. NOTA: algunos de estos detalles han sido obtenidos de información de terceros.
CUPS in does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs. Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553. The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS 1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to determine the file that provides localized message strings, which allows local users to gain privileges via a file that contains crafted localization data with format string specifiers. The updated packages have been patched to correct these issues. Packages for Mandriva Linux 2010.0 was missing with MDVSA-2010:073. This advisory provides packages for 2010.0 as well.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2009-10-05 CVE Reserved
- 2009-11-20 CVE Published
- 2024-08-07 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
CAPEC
References (23)
| URL | Tag | Source |
|---|---|---|
| http://secunia.com/advisories/38241 | Broken Link | |
| http://secunia.com/advisories/43521 | Broken Link | |
| http://www.securityfocus.com/bid/37048 | Broken Link | |
| http://www.vupen.com/english/advisories/2010/0173 | Broken Link | |
| http://www.vupen.com/english/advisories/2011/0535 | Broken Link | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11183 | Broken Link |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.cups.org/newsgroups.php/newsgroups.php?v5994+gcups.bugs | 2024-02-02 | |
| http://www.cups.org/newsgroups.php/newsgroups.php?v5996+gcups.bugs | 2024-02-02 | |
| http://www.cups.org/newsgroups.php/newsgroups.php?v6055+gcups.bugs | 2024-02-02 | |
| http://www.cups.org/str.php?L3200 | 2024-02-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apple Search vendor "Apple" | Cups Search vendor "Apple" for product "Cups" | 1.3.7 Search vendor "Apple" for product "Cups" and version "1.3.7" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Cups Search vendor "Apple" for product "Cups" | 1.3.10 Search vendor "Apple" for product "Cups" and version "1.3.10" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | < 10.5.8 Search vendor "Apple" for product "Mac Os X" and version " < 10.5.8" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | >= 10.6.0 < 10.6.2 Search vendor "Apple" for product "Mac Os X" and version " >= 10.6.0 < 10.6.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Server Search vendor "Apple" for product "Mac Os X Server" | < 10.5.8 Search vendor "Apple" for product "Mac Os X Server" and version " < 10.5.8" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Server Search vendor "Apple" for product "Mac Os X Server" | >= 10.6.0 < 10.6.2 Search vendor "Apple" for product "Mac Os X Server" and version " >= 10.6.0 < 10.6.2" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 10 Search vendor "Fedoraproject" for product "Fedora" and version "10" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 6.06 Search vendor "Canonical" for product "Ubuntu Linux" and version "6.06" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 8.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 8.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.10" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 9.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "9.04" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 9.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "9.10" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 5.0 Search vendor "Debian" for product "Debian Linux" and version "5.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 5.0 Search vendor "Redhat" for product "Enterprise Linux" and version "5.0" | - |
Affected
| ||||||