Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 450282 (CVE-2012-6094)

Summary: <net-print/cups-2.0.0: 'Listen localhost:631' option not honoured correctly on IPv6-enabled systems when systemd used for CUPS socket activation (CVE-2012-6094)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: cornicx, printing, systemd
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=891942
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-01-04 19:19:04 UTC
From $URL :

During the process of CUPS socket activation code refactoring in favour of systemd capability a 
security flaw was found in the way CUPS service honoured Listen localhost:631 cupsd.conf 
configuration option. The setting was recognized properly for IPv4-enabled systems, but failed to 
be correctly applied for IPv6-enabled systems. As a result, a remote attacker could use this flaw 
to obtain (unauthorized) access to the CUPS web-based administration interface.

References:
[1] https://bugzilla.novell.com/show_bug.cgi?id=795624
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-03 21:20:49 UTC
printing: Fedora's fix [1] was to drop the IP socket activation

[1] http://pkgs.fedoraproject.org/cgit/cups.git/commit/cups-systemd-socket.patch?id=6ef39188975c03f6132a98c8cad20ce80b3d95d9
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2013-06-06 15:13:59 UTC
@systemd: please help, because I dont really know what this is about
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-06-06 17:24:11 UTC
I don't understand it either. There's a problem with IPv6, so Fedora disabled IPv4? ;f
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2013-06-26 22:56:53 UTC
This is not a regression in 1.6
Comment 5 tman 2014-10-25 23:35:25 UTC
*** Bug 526860 has been marked as a duplicate of this bug. ***
Comment 6 tman 2014-10-25 23:40:40 UTC
this bug report is so old now, but i still get this error with

net-print/cups-2.0.0-r2 and systemd 

so there is a solution insight?
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-11-23 13:32:17 UTC
Package is now stable, but not vulnerable.  Leaving original whiteboard values in place.

GLSA Vote: No