libppd generates PPD content from printer-reported IPP capability objects on supported driverless queue-generation paths. In the audited code, ppdCreatePPDFromIPP2() looks up default capability attributes such as output-bin-default with IPP_TAG_ZERO (which matches an attribute regardless of its value tag) and then passes the result of ippGetString() directly into strdup() without validating the returned pointer. This creates a semantic type-confusion crash in PPD generation: because the lookup relies on IPP_TAG_ZERO, an integer-valued output-bin-default attribute is accepted, ippGetString() returns NULL for the non-string value, and that NULL is passed to strdup(), which terminates the process. The OpenPrinting maintainers have acknowledged the flaw and confirmed that the proper fix is to explicitly check that the value tag is IPP_TAG_NAME, IPP_TAG_NAMELANG, or IPP_TAG_KEYWORD. Once the tag is confirmed, a NULL string is not possible for IPP string values.
Affected File:
https://github.com/OpenPrinting/libppd/blob/2b37a73/ppd/ppd-generator.c
### Affected Code:
```c
ppdCreatePPDFromIPP2(char         *buffer,                // I - Filename buffer
                     size_t        bufsize,               // I - Size of filename buffer
                     ipp_t        *supported,             // I - Get-Printer-Attributes response
                     const char   *make_model,            // I - Make and model from DNS-SD
                     const char   *pdl,                   // I - List of PDLs from DNS-SD
                     int           color,                 // I - Color printer? (from DNS-SD)
                     int           duplex,                // I - Duplex printer? (from DNS-SD)
                     cups_array_t *conflicts,             // I - Array of constraints
                     cups_array_t *sizes,                 // I - Media sizes we've added
                     char         *default_pagesize,      // I - Default page size
                     const char   *default_cluster_color, // I - Cluster default color (if cluster's attributes are returned)
                     char         *status_msg,            // I - Status message buffer, NULL to ignore message
                     size_t        status_msg_size)       // I - Size of status message buffer
{
[...]
  // Which is the default output bin?
  // IPP_TAG_ZERO matches any value tag, so a non-string attribute is accepted here
  // and ippGetString() then returns NULL, which is passed unchecked into strdup().
  if ((attr = ippFindAttribute(supported, "output-bin-default", IPP_TAG_ZERO)) != NULL)
    defaultoutbin = strdup(ippGetString(attr, 0, NULL));
[...]
}
```
To mitigate this issue, libppd should verify that default capability attributes use the
expected string tags, specifically IPP_TAG_NAME, IPP_TAG_NAMELANG, or
IPP_TAG_KEYWORD, instead of accepting arbitrary value tags via IPP_TAG_ZERO.
Wrong-tag default attributes should be rejected as invalid printer data before their values
are passed into strdup(), strlcpy(), ppdPwgPpdizeName(), or similar string-processing
logic.
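The tag check described above, as an added example that is not libppd's or libcups' code: a minimal constructed model of the IPP attribute object and of ippGetString() (which returns NULL for non-string value tags) so the file builds without libcups, with a hypothetical helper default_outbin_checked() that rejects a wrong-tag output-bin-default before anything reaches strdup().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Constructed stand-ins for libcups' value tags and attribute object so the file
// builds without libcups; the names mirror the real ones but are not the library's.
typedef enum { IPP_TAG_ZERO, IPP_TAG_INTEGER, IPP_TAG_KEYWORD,
               IPP_TAG_NAME, IPP_TAG_NAMELANG } ipp_tag_t;
typedef struct {
    const char *name;
    ipp_tag_t   value_tag;
    const char *str;   // meaningful only for string-typed tags
    int         num;   // meaningful only for IPP_TAG_INTEGER
} ipp_attr_t;
// Models ippGetString(): libcups returns NULL when the value tag is not a string type.
static const char *mock_get_string(const ipp_attr_t *a) {
    return (a->value_tag == IPP_TAG_KEYWORD || a->value_tag == IPP_TAG_NAME ||
            a->value_tag == IPP_TAG_NAMELANG) ? a->str : NULL;
}
// The check the maintainers described: only name, nameWithLanguage, keyword are valid.
static int is_string_default_tag(ipp_tag_t t) {
    return t == IPP_TAG_NAME || t == IPP_TAG_NAMELANG || t == IPP_TAG_KEYWORD;
}
// Hardened output-bin-default lookup (hypothetical helper). The search is still
// tag-agnostic like IPP_TAG_ZERO, but a wrong-tag match is rejected before strdup().
// Returns a malloc'd copy, or NULL if the attribute is absent or not string-typed.
char *default_outbin_checked(const ipp_attr_t *attrs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(attrs[i].name, "output-bin-default") != 0) continue;
        if (!is_string_default_tag(attrs[i].value_tag))
            return NULL;                                // invalid printer data
        return strdup(mock_get_string(&attrs[i]));      // non-NULL: tag was checked
    }
    return NULL;
}
// Constructed responses: a well-formed default and an integer-valued one, the
// case that makes the unpatched code pass NULL into strdup().
static const ipp_attr_t good_resp[] = {{"output-bin-default", IPP_TAG_KEYWORD, "face-down", 0}};
static const ipp_attr_t bad_resp[]  = {{"output-bin-default", IPP_TAG_INTEGER, NULL, 7}};
int good_case_accepted(void) {
    char *s = default_outbin_checked(good_resp, 1);
    int ok = s != NULL && strcmp(s, "face-down") == 0;
    free(s);
    return ok;
}
int bad_case_rejected(void) { return default_outbin_checked(bad_resp, 1) == NULL; }
int main(void) {
    printf("keyword accepted: %d, integer rejected: %d\n",
           good_case_accepted(), bad_case_rejected());
    return 0;
}
```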