
Bug 442926 (CVE-2012-5519)

Summary: <net-print/cups-1.6.2-r5: Arbitrary file read/write (CVE-2012-5519)
Product: Gentoo Security Reporter: Sean Amoss (RETIRED) <ackle>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: kripton, radhermit
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2012/11/10/5
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 463014    
Bug Blocks:    

Description Sean Amoss (RETIRED) gentoo-dev Security 2012-11-13 02:34:49 UTC
From the oss-security mailing list at $URL:

"a Debian user reported a bug in our BTS concerning cupsd. The bug is
available at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 and
upstream bug at http://www.cups.org/str.php?L4223 (restricted because
it's tagged security).

I'm unsure right now if it's an upstream issue or specific to Debian.

Basically, members of the lpadmin group (which is the group having admin
rights to cups, meaning they're supposed to be able to add/remove
printers etc.) have admin access to the web interface, where they can
edit the config file and set some “dangerous” directives (like the log
filenames), which enable them to read or write files as the user running
the cupsd webserver.

In Debian case at least, it's run as root, meaning we have a privilege
escalation issue from lpadmin group to root."

The issue also affects Gentoo: users of the lpadmin group can use the script in the Debian bug report to read files. 

Upstream bug:
http://www.cups.org/str.php?L4223

Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791

Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=875898
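
An added audit example for the issue described above (not part of the bug report, and not the script from the Debian bug): it flags log-file directives in a CUPS configuration whose target resolves outside the expected log directory. `ErrorLog`, `AccessLog` and `PageLog` are the CUPS log directives; the function name, the allowed directory `/var/log/cups` and the sample configuration are assumptions made for this example.

```python
import posixpath

# Log-destination directives; the report singles out "the log filenames"
# as the dangerous setting. Matched case-insensitively.
LOG_DIRECTIVES = {"errorlog", "accesslog", "pagelog"}
# Non-file destinations, treated as safe here (assumption of this example).
NON_FILE_TARGETS = {"syslog", "stderr"}


def audit_log_directives(conf_text, allowed_dir="/var/log/cups"):
    """Return (line_no, directive, value, reason) for each log directive
    whose target does not resolve to a file inside allowed_dir.
    Purely lexical: symlinks on disk are not followed."""
    allowed = posixpath.normpath(allowed_dir)
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0]
        if name.lower() not in LOG_DIRECTIVES:
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        if value.lower() in NON_FILE_TARGETS:
            continue
        if not value.startswith("/"):
            findings.append((line_no, name, value, "empty or relative path"))
            continue
        resolved = posixpath.normpath(value)  # collapses ../ segments
        if not resolved.startswith(allowed + "/"):
            findings.append((line_no, name, value, "resolves to " + resolved))
    return findings


# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = """\
# cupsd.conf (constructed)
LogLevel warn
AccessLog /var/log/cups/access_log
ErrorLog /home/alice/private.txt
pagelog /var/log/cups/../../../etc/cups/cupsd.conf
PageLog syslog
"""

if __name__ == "__main__":
    for finding in audit_log_directives(SAMPLE_CONF):
        print("line %d: %s %s (%s)" % finding)
```

Running the check from a file-integrity or configuration-management job makes a changed log destination visible even when the change was made through the web interface.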
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 12:49:31 UTC
CVE-2012-5519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5519):
  CUPS 1.4.4, when running in certain Linux distributions such as Debian
  GNU/Linux, stores the web interface administrator key in
  /var/run/cups/certs/0 using certain permissions, which allows local users in
  the lpadmin group to read or write arbitrary files as root by leveraging the
  web interface.
Comment 2 Andreas K. Hüttel gentoo-dev 2013-03-24 20:33:06 UTC
Cups 1.4.4 is already long gone from portage.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-24 21:52:34 UTC
(In reply to comment #2)
> Cups 1.4.4 is already long gone from portage.

Relevance? 

This issue is fixed in 1.6.2 [1]. May we proceed to stabilize =net-print/cups-1.6.2 ?

[1] http://www.cups.org/articles.php?L689+TNews+Q
Comment 4 Andreas K. Hüttel gentoo-dev 2013-06-26 22:31:34 UTC
I already have a tracker for cups-1.6 stabilization. Soon, please wait for the blocker to resolve.

(It does not help that upstream cups bugtracker is still offline.)
Comment 5 Andreas K. Hüttel gentoo-dev 2013-06-30 12:53:58 UTC
(In reply to Sean Amoss from comment #3)
> (In reply to comment #2)
> > Cups 1.4.4 is already long gone from portage.
> 
> Relevance? 
> 
> This issue is fixed in 1.6.2 [1]. May we proceed to stabilize
> =net-print/cups-1.6.2 ?
> 
> [1] http://www.cups.org/articles.php?L689+TNews+Q

Please proceed with stabilization, using the following versions:

net-print/cups-1.6.2-r5
net-print/cups-filters-1.0.34-r1
app-text/qpdf-4.1.0

I'll leave it to you to add arches; it's better if this goes through sec team channels.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-06-30 13:03:09 UTC
(In reply to Andreas K. Hüttel from comment #5)
[snip]
> 
> Please proceed with stabilization, using the following versions:
> 
> net-print/cups-1.6.2-r5
> net-print/cups-filters-1.0.34-r1
> app-text/qpdf-4.1.0
> 
> I'll leave it to you to add arches; it's better if this goes through sec
> team channels.

Thanks, Andreas. Arches teams, please test and mark stable.
Comment 7 Agostino Sarubbo gentoo-dev 2013-06-30 16:58:30 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-06-30 17:13:53 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-06-30 21:14:00 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-07-04 14:14:35 UTC
ppc64 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-05 15:23:14 UTC
Stable for HPPA.
Comment 12 Agostino Sarubbo gentoo-dev 2013-07-06 17:05:56 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-07-07 12:46:35 UTC
arm stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-07-07 15:17:01 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-07-22 06:35:32 UTC
sh stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-07-22 08:54:40 UTC
sparc stable
Comment 17 Andreas K. Hüttel gentoo-dev 2013-07-25 11:51:59 UTC
All keywords dropped in vulnerable versions, except slow arches m68k and s390
Comment 18 Agostino Sarubbo gentoo-dev 2013-08-06 12:34:36 UTC
s390 stable
Comment 19 Andreas K. Hüttel gentoo-dev 2013-08-11 17:55:02 UTC
@m68k: when you wake up, please immediately go for 

> 
> net-print/cups-1.6.3-r2
> net-print/cups-filters-1.0.35
> app-text/qpdf-4.1.0
>
Comment 20 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-29 17:01:31 UTC
m68k can continue to work while we vote. GLSA vote: yes (potential priv escalation, even if it's a specific set of users).
Comment 21 Sergey Popov gentoo-dev 2013-08-30 11:13:46 UTC
GLSA vote: yes

New GLSA request filed
Comment 22 Agostino Sarubbo gentoo-dev 2013-09-28 20:53:35 UTC
M68K is no longer a stable arch, removing it from the cc list
Comment 23 Andreas K. Hüttel gentoo-dev 2013-10-07 10:45:32 UTC
Nothing to do for printing here anymore
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2014-04-07 08:25:44 UTC
This issue was resolved and addressed in
 GLSA 201404-01 at http://security.gentoo.org/glsa/glsa-201404-01.xml
by GLSA coordinator Sergey Popov (pinkbyte).