CVE-2009-3553 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2009-3553?

CVE-2009-3553 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2009-3553?

Check the references section above for vendor advisories and patch information. Affected products include: Apple Cups, Apple Mac Os X, Apple Mac Os X Server, Fedoraproject Fedora, Canonical Ubuntu Linux.

Vulnerability Description

Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apple	Cups	1.3.7
Apple	Mac Os X	< 10.5.8
Apple	Mac Os X Server	< 10.5.8
Fedoraproject	Fedora	10
Canonical	Ubuntu Linux	6.06
Debian	Debian Linux	5.0
Redhat	Enterprise Linux	5.0

Related Weaknesses (CWE)

CWE-416

References

http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.htmlMailing List
http://secunia.com/advisories/37360Broken LinkVendor Advisory
http://secunia.com/advisories/37364Broken LinkVendor Advisory
http://secunia.com/advisories/38241Broken Link
http://secunia.com/advisories/43521Broken Link
http://security.gentoo.org/glsa/glsa-201207-10.xmlThird Party Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-66-275230-1Broken Link
http://support.apple.com/kb/HT4004Vendor Advisory
http://www.cups.org/newsgroups.php/newsgroups.php?v5994+gcups.bugsBroken LinkPatchVendor Advisory
http://www.cups.org/newsgroups.php/newsgroups.php?v5996+gcups.bugsBroken LinkPatchVendor Advisory
http://www.cups.org/newsgroups.php/newsgroups.php?v6055+gcups.bugsBroken LinkPatchVendor Advisory
http://www.cups.org/str.php?L3200Broken LinkPatchVendor Advisory
http://www.debian.org/security/2011/dsa-2176Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2010:073Broken Link
http://www.redhat.com/support/errata/RHSA-2009-1595.htmlBroken Link

FAQ

What is CVE-2009-3553?

CVE-2009-3553 is a vulnerability with a CVSS score of 7.5 (HIGH). Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote att...

How severe is CVE-2009-3553?

CVE-2009-3553 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2009-3553?

Check the references section above for vendor advisories and patch information. Affected products include: Apple Cups, Apple Mac Os X, Apple Mac Os X Server, Fedoraproject Fedora, Canonical Ubuntu Linux.