Opened 9 years ago

Closed 9 years ago

Last modified 8 years ago

#3754 closed defect (fixed)

Cups security issue - /etc/cups/cups-files.conf needed

Reported by: Fernando de Oliveira Owned by: blfs-book@…
Priority: high Milestone:
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

From

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791

Members of lpadmin cat read /var/run/cups/certs/0. With this key it is 
possible to access the cups web interface as admin. You can edit the 
cups config file and set the page log to any filename you want (for 
example /etc/shadow). Then you can read the file contents by viewing 
the cups page log. By printing you can also write some random data to 
the given file.

As it is not possible to use the cups authentication with a normal 
webbrowser I created a *simple shell script* to show the effect. When 
called as any unprivileged user which is member of lpadmin it should 
display the contents of /etc/shadow

From

http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5519.html

...
mdeslaur> Upstream patch moves dangerous configuration options to a
mdeslaur> second config file which is not web-editable. Although this is
mdeslaur> a good long-term solution, the changes are too intrusive for a
mdeslaur> security update. The most sensible thing to do at this time is
mdeslaur> to completely disable modifying the cupsd.conf file via the web
mdeslaur> interface.

But slightly different solution seems to have been found in Debian. I am attaching a patch that could perhaps be used instead of the one proposed upstream and referred to by Armin in the dev list, I got it from

https://launchpad.net/ubuntu/+archive/primary/+files/cups_1.6.1-0ubuntu11.3.debian.tar.gz

Attachments (1)

CVE-2012-5519.patch (82.8 KB ) - added by Fernando de Oliveira 9 years ago.

Download all attachments as: .zip

Change History (5)

by Fernando de Oliveira, 9 years ago

Attachment: CVE-2012-5519.patch added

comment:1 by Armin K, 9 years ago

Priority: normalhigh
Type: enhancementdefect

comment:2 by Fernando de Oliveira, 9 years ago

As cups cannot be built with the patch suggested elsewhere by Armin, from:

http://patch-tracker.debian.org/patch/series/dl/cups/1.6.1-1/Split-configuration-files-STR-4223.patch

and also the attached patch (attached) does not work, I have changed cupsd.conf owner to root:root. Change back to root:lp, if necessary to browse an edit. Perhaps this will solve temporarily the problem, while I cannot find another solution.

FTR, the error when trying to build with the Split-configuration-files-STR-4223.patch:

make[1]: ***  Sem regra para processar o alvo `cups-files.conf.5.gz', necessário por `all'.  Pare.

My free translation:

make[1]: ***  No rule to process the target `cups-files.conf.5.gz', necessary for `all'.  Stop.

comment:3 by Armin K, 9 years ago

Resolution: fixed
Status: newclosed

Fixed in r10965

Please test and report any issues you may encounter.

comment:4 by bdubbs@…, 8 years ago

Milestone: current

Milestone current deleted

Note: See TracTickets for help on using tickets.