Summary: <net-print/cups-1.6.2-r5: Arbitrary file read/write (CVE-2012-5519)
Product: Gentoo Security
Reporter: Sean Amoss (RETIRED) <ackle>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Bug Depends on: 463014
Description Sean Amoss (RETIRED) 2012-11-13 02:34:49 UTC
From the oss-security mailing list at $URL:

"a Debian user reported a bug in our BTS concerning cupsd. The bug is available at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 and upstream bug at http://www.cups.org/str.php?L4223 (restricted because it's tagged security). I'm unsure right now if it's an upstream issue or specific to Debian.

Basically, members of the lpadmin group (which is the group having admin rights to cups, meaning they're supposed to be able to add/remove printers etc.) have admin access to the web interface, where they can edit the config file and set some “dangerous” directives (like the log filenames), which enable them to read or write files as the user running the cupsd webserver. In Debian case at least, it's run as root, meaning we have a privilege escalation issue from lpadmin group to root."

The issue also affects Gentoo: users of the lpadmin group can use the script in the Debian bug report to read files.

Upstream bug: http://www.cups.org/str.php?L4223
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791
Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=875898
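As an added example (not part of the bug report, the Debian script, or CUPS itself), the following defensive check audits a cupsd.conf for the "dangerous" log-filename directives described above and flags any that point outside the expected log directory. The function name, the allowed directory `/var/log/cups` and the sample configuration are assumptions made for illustration; `AccessLog`, `ErrorLog` and `PageLog` are the log-file directives documented by CUPS.

```python
import posixpath

# Log-file directives of cupsd, matched case-insensitively.
LOG_DIRECTIVES = {"accesslog", "errorlog", "pagelog"}
# Non-file target documented by CUPS; extend to match local policy.
SPECIAL_TARGETS = {"syslog"}
# Assumption: the only directory cupsd should write logs to on this host.
ALLOWED_LOG_DIR = "/var/log/cups"

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample
LogLevel warn
ErrorLog /var/log/cups/error_log
AccessLog syslog
PageLog /var/log/cups/../../tmp/page_log
errorlog /etc/example-secret
"""


def audit_log_directives(conf_text, allowed_dir=ALLOWED_LOG_DIR):
    """Return (line_no, directive, value) for every log directive whose
    target is not a file inside allowed_dir."""
    prefix = allowed_dir.rstrip("/") + "/"
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in LOG_DIRECTIVES:
            continue
        directive, value = parts[0], parts[1].strip()
        if value.lower() in SPECIAL_TARGETS:
            continue
        # Collapse "..", so a path that merely starts with the allowed
        # directory cannot escape it. Relative paths are flagged too,
        # as a conservative choice.
        normalized = posixpath.normpath(value)
        if not normalized.startswith(prefix):
            findings.append((line_no, directive, value))
    return findings


if __name__ == "__main__":
    for line_no, directive, value in audit_log_directives(SAMPLE_CONF):
        print(f"line {line_no}: {directive} -> {value}")
```

Run against the live configuration, any finding means cupsd, running with its own privileges, would open a file outside its log directory.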
Comment 1 GLSAMaker/CVETool Bot 2012-11-20 12:49:31 UTC
CVE-2012-5519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5519): CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface.
Comment 2 Andreas K. Hüttel 2013-03-24 20:33:06 UTC
Cups 1.4.4 is already long gone from portage.
Comment 3 Sean Amoss (RETIRED) 2013-03-24 21:52:34 UTC
(In reply to comment #2)
> Cups 1.4.4 is already long gone from portage.

Relevance?

This issue is fixed in 1.6.2. May we proceed to stabilize =net-print/cups-1.6.2?

http://www.cups.org/articles.php?L689+TNews+Q
Comment 4 Andreas K. Hüttel 2013-06-26 22:31:34 UTC
I already have a tracker for cups-1.6 stabilization. Soon, please wait for the blocker to resolve. (It does not help that upstream cups bugtracker is still offline.)
Comment 5 Andreas K. Hüttel 2013-06-30 12:53:58 UTC
(In reply to Sean Amoss from comment #3)
> (In reply to comment #2)
> > Cups 1.4.4 is already long gone from portage.
>
> Relevance?
>
> This issue is fixed in 1.6.2 . May we proceed to stabilize
> =net-print/cups-1.6.2 ?
>
> http://www.cups.org/articles.php?L689+TNews+Q

Please proceed with stabilization, using the following versions:

net-print/cups-1.6.2-r5
net-print/cups-filters-1.0.34-r1
app-text/qpdf-4.1.0

I'll leave it to you to add arches; it's better if this goes through sec team channels.
Comment 6 Sean Amoss (RETIRED) 2013-06-30 13:03:09 UTC
(In reply to Andreas K. Hüttel from comment #5)
[snip]
>
> Please proceed with stabilization, using the following versions:
>
> net-print/cups-1.6.2-r5
> net-print/cups-filters-1.0.34-r1
> app-text/qpdf-4.1.0
>
> I'll leave it to you to add arches; it's better if this goes through sec
> team channels.

Thanks, Andreas.

Arches teams, please test and mark stable.
Comment 7 Agostino Sarubbo 2013-06-30 16:58:30 UTC
Comment 8 Agostino Sarubbo 2013-06-30 17:13:53 UTC
Comment 9 Agostino Sarubbo 2013-06-30 21:14:00 UTC
Comment 10 Agostino Sarubbo 2013-07-04 14:14:35 UTC
Comment 11 Jeroen Roovers (RETIRED) 2013-07-05 15:23:14 UTC
Stable for HPPA.
Comment 12 Agostino Sarubbo 2013-07-06 17:05:56 UTC
Comment 13 Agostino Sarubbo 2013-07-07 12:46:35 UTC
Comment 14 Agostino Sarubbo 2013-07-07 15:17:01 UTC
Comment 15 Agostino Sarubbo 2013-07-22 06:35:32 UTC
Comment 16 Agostino Sarubbo 2013-07-22 08:54:40 UTC
Comment 17 Andreas K. Hüttel 2013-07-25 11:51:59 UTC
All keywords dropped in vulnerable versions, except slow arches m68k and s390
Comment 18 Agostino Sarubbo 2013-08-06 12:34:36 UTC
Comment 19 Andreas K. Hüttel 2013-08-11 17:55:02 UTC
@m68k: when you wake up, please immediately go for

> net-print/cups-1.6.3-r2
> net-print/cups-filters-1.0.35
> app-text/qpdf-4.1.0
Comment 20 Chris Reffett (RETIRED) 2013-08-29 17:01:31 UTC
m68k can continue to work while we vote. GLSA vote: yes (potential priv escalation, even if it's a specific set of users).
Comment 21 Sergey Popov 2013-08-30 11:13:46 UTC
GLSA vote: yes

New GLSA request filed
Comment 22 Agostino Sarubbo 2013-09-28 20:53:35 UTC
M68K is no longer a stable arch, removing it from the cc list
Comment 23 Andreas K. Hüttel 2013-10-07 10:45:32 UTC
Nothing to do for printing here anymore
Comment 24 GLSAMaker/CVETool Bot 2014-04-07 08:25:44 UTC
This issue was resolved and addressed in GLSA 201404-01 at http://security.gentoo.org/glsa/glsa-201404-01.xml by GLSA coordinator Sergey Popov (pinkbyte).