Summary: | <net-print/cups-1.6.2-r5: Arbitrary file read/write (CVE-2012-5519) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sean Amoss (RETIRED) <ackle> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | kripton, radhermit |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2012/11/10/5 | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 463014 | ||
Bug Blocks: |
Description
Sean Amoss (RETIRED)
2012-11-13 02:34:49 UTC
CVE-2012-5519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5519): CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface. Cups 1.4.4 is already long gone from portage. (In reply to comment #2) > Cups 1.4.4 is already long gone from portage. Relevance? This issue is fixed in 1.6.2 [1]. May we proceed to stabilize =net-print/cups-1.6.2 ? [1] http://www.cups.org/articles.php?L689+TNews+Q I already have a tracker for cups-1.6 stabilization. Soon, please wait for the blocker to resolve. (It does not help that upstream cups bugtracker is still offline.) (In reply to Sean Amoss from comment #3) > (In reply to comment #2) > > Cups 1.4.4 is already long gone from portage. > > Relevance? > > This issue is fixed in 1.6.2 [1]. May we proceed to stabilize > =net-print/cups-1.6.2 ? > > [1] http://www.cups.org/articles.php?L689+TNews+Q Please proceed with stabilization, using the following versions: net-print/cups-1.6.2-r5 net-print/cups-filters-1.0.34-r1 app-text/qpdf-4.1.0 I'll leave it to you to add arches; it's better if this goes through sec team channels. (In reply to Andreas K. Hüttel from comment #5) [snip] > > Please proceed with stabilization, using the following versions: > > net-print/cups-1.6.2-r5 > net-print/cups-filters-1.0.34-r1 > app-text/qpdf-4.1.0 > > I'll leave it to you to add arches; it's better if this goes through sec > team channels. Thanks, Andreas. Arches teams, please test and mark stable. amd64 stable x86 stable ppc stable ppc64 stable Stable for HPPA. alpha stable arm stable ia64 stable sh stable sparc stable All keywords dropped in vulnerable versions, except slow arches m68k and s390 s390 stable
@m68k: when you wake up, please immediately go for
>
> net-print/cups-1.6.3-r2
> net-print/cups-filters-1.0.35
> app-text/qpdf-4.1.0
>
m68k can continue to work while we vote. GLSA vote: yes (potential priv escalation, even if it's a specific set of users). GLSA vote: yes New GLSA request filed M68K is not anymore a stable arch, removing it from the cc list Nothing to do for printing here anymore This issue was resolved and addressed in GLSA 201404-01 at http://security.gentoo.org/glsa/glsa-201404-01.xml by GLSA coordinator Sergey Popov (pinkbyte). |