#3754 closed defect (fixed)
Cups security issue - /etc/cups/cups-files.conf needed
| Reported by: | Fernando de Oliveira | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
From
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791
Members of lpadmin cat read /var/run/cups/certs/0. With this key it is possible to access the cups web interface as admin. You can edit the cups config file and set the page log to any filename you want (for example /etc/shadow). Then you can read the file contents by viewing the cups page log. By printing you can also write some random data to the given file. As it is not possible to use the cups authentication with a normal webbrowser I created a *simple shell script* to show the effect. When called as any unprivileged user which is member of lpadmin it should display the contents of /etc/shadow
From
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5519.html
... mdeslaur> Upstream patch moves dangerous configuration options to a mdeslaur> second config file which is not web-editable. Although this is mdeslaur> a good long-term solution, the changes are too intrusive for a mdeslaur> security update. The most sensible thing to do at this time is mdeslaur> to completely disable modifying the cupsd.conf file via the web mdeslaur> interface.
But slightly different solution seems to have been found in Debian. I am attaching a patch that could perhaps be used instead of the one proposed upstream and referred to by Armin in the dev list, I got it from
https://launchpad.net/ubuntu/+archive/primary/+files/cups_1.6.1-0ubuntu11.3.debian.tar.gz
Change History (5)
by , 12 years ago
| Attachment: | CVE-2012-5519.patch added |
|---|
comment:1 by , 12 years ago
| Priority: | normal → high |
|---|---|
| Type: | enhancement → defect |
comment:2 by , 12 years ago
comment:3 by , 12 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed in r10965
Please test and report any issues you may encounter.
Note:
See TracTickets
for help on using tickets.
As cups cannot be built with the patch suggested elsewhere by Armin, from:
http://patch-tracker.debian.org/patch/series/dl/cups/1.6.1-1/Split-configuration-files-STR-4223.patch
and also the attached patch (attached) does not work, I have changed cupsd.conf owner to root:root. Change back to root:lp, if necessary to browse an edit. Perhaps this will solve temporarily the problem, while I cannot find another solution.
FTR, the error when trying to build with the Split-configuration-files-STR-4223.patch: