CVE-2023-34095
cpdb-libs vulnerable to buffer overflows via scanf
In short
cpdb-libs allows attackers to overflow memory buffers by supplying oversized strings in configuration files or on the command line. This can crash the printing system or potentially lead to execution of malicious code.
Technical detail
cpdb-libs versions 1.0–2.0b4 use fscanf() and scanf() without length specifiers to parse configuration files and command-line input into 1024-byte fixed buffers, enabling stack-based buffer overflow via strings exceeding 1023 characters. Exploitation requires ability to control input to affected parsing functions; successful overflow can lead to memory corruption, denial of service, or code execution with application privileges.
Summary generated and translated by AI from the official description.
cpdb-libs provides frontend and backend libraries for the Common Printing Dialog Backends (CPDB) project. In versions 1.0 through 2.0b4, cpdb-libs is vulnerable to buffer overflows via improper use of `scanf(3)`. cpdb-libs uses the `fscanf()` and `scanf()` functions to parse command lines and configuration files, dropping the read string components into fixed-length buffers, but does not limit the length of the strings to be read by `fscanf()` and `scanf()`, causing buffer overflows when a string is longer than 1023 characters. A patch for this issue is available at commit f181bd1f14757c2ae0f17cc76dc20421a40f30b7. As all buffers have a length of 1024 characters, the patch limits the maximum string length to be read to 1023 by replacing all occurrences of `%s` with `%1023s` in all calls of the `fscanf()` and `scanf()` functions.
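As an added illustration (not code from cpdb-libs or from the advisory), the C sketch below applies the same `%1023s` width to a 1024-byte buffer and handles a side effect of the width limit: `fscanf()` stops in the middle of an overlong token, so the remainder would otherwise come back as the next token. The names `read_token`, `first_token_len` and `BUFSIZE` are hypothetical, and the input is constructed in a temporary file.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 1024 /* buffer size from the advisory; names here are hypothetical */

/* Read one whitespace-delimited token into buf (BUFSIZE bytes); 1 on success,
 * 0 on EOF/error. *truncated is set when an overlong token's tail was dropped. */
int read_token(FILE *fp, char *buf, int *truncated)
{
    int c;
    *truncated = 0;
    /* Width 1023 leaves room for the terminating NUL in a 1024-byte buffer. */
    if (fscanf(fp, "%1023s", buf) != 1)
        return 0;
    /* A non-whitespace byte here means the token was cut at the width limit.
     * Drain the tail so the next call does not parse it as a new token. */
    while ((c = fgetc(fp)) != EOF && !isspace(c))
        *truncated = 1;
    if (c != EOF)
        ungetc(c, fp);
    return 1;
}

/* Constructed input: n 'A' bytes, then " next\n". Returns the length of the
 * first token (-1 on failure); *next_ok is 1 if the second token is "next". */
long first_token_len(size_t n, int *truncated, int *next_ok)
{
    char buf[BUFSIZE], buf2[BUFSIZE];
    int t2;
    long len = -1;
    FILE *fp = tmpfile();
    if (!fp) return -1;
    for (size_t i = 0; i < n; i++) fputc('A', fp);
    fputs(" next\n", fp);
    rewind(fp);
    if (read_token(fp, buf, truncated))
        len = (long)strlen(buf);
    *next_ok = read_token(fp, buf2, &t2) && strcmp(buf2, "next") == 0;
    fclose(fp);
    return len;
}

int main(void)
{
    int tr, ok;
    printf("len=%ld\n", first_token_len(2000, &tr, &ok));
    return 0;
}
```

Reporting the truncation to the caller lets a configuration parser reject the oversized entry instead of silently accepting a shortened value.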
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
OpenPrinting · cpdb-libs
References
https://github.com/OpenPrinting/cpdb-libs/blob/85555fba64d34f53a2fce099b0488904cc48ed35/cpdb/cpdb-frontend.c#L372
https://github.com/OpenPrinting/cpdb-libs/blob/85555fba64d34f53a2fce099b0488904cc48ed35/tools/cpdb-text-frontend.c#L362
https://github.com/OpenPrinting/cpdb-libs/blob/85555fba64d34f53a2fce099b0488904cc48ed35/tools/cpdb-text-frontend.c#L453
https://github.com/OpenPrinting/cpdb-libs/commit/f181bd1f14757c2ae0f17cc76dc20421a40f30b7
https://github.com/OpenPrinting/cpdb-libs/security/advisories/GHSA-25j7-9gfc-f46x
http://www.openwall.com/lists/oss-security/2023/06/14/7