
Bug 66501

Summary: net-print/cups: Logfile User Credentials Disclosure (CAN-2004-0923)
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: marc.vila, printing
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.cups.org/str.php?L920
Whiteboard: B4 [glsa] vorlon
Package list:
Runtime testing required: ---

Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-06 02:54:30 UTC
CUPS STR at http://www.cups.org/str.php?L920
"Device URIs containing username & password end up in error_log"
Fixed in CVS and patch available at the STR.

also http://secunia.com/advisories/12736/

Description:
Gary Smith has reported a vulnerability in CUPS, which can be exploited by malicious, local users to gain knowledge of sensitive information.

The problem is that user credentials are stored in the error_log log file when printing to a shared printer via Samba.
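The leak described above, as an added example that is neither CUPS code nor the upstream STR patch: a small Python check that scans constructed error_log lines for device URIs carrying a user:password pair and shows the redaction a logger should apply (keep the username, mask the password). The scheme list, the log lines and the `****` mask are assumptions for illustration; a real error_log will differ.

```python
"""Added example (not CUPS's own code): find and redact credentials that
leak into error_log through device URIs, the issue behind CAN-2004-0923."""
import re

# A URI whose authority carries userinfo ("user@host" or "user:password@host").
# The scheme list is an assumption covering backends that commonly take
# credentials; extend it for your site. Passwords containing '@' are assumed
# to be percent-encoded, as they must be in a valid URI.
_URI_WITH_USERINFO = re.compile(
    r"\b(?P<scheme>smb|ipp|ipps|http|https|lpd)://"
    r"(?P<userinfo>[^/\s@]+)@(?P<rest>\S+)"
)

# Constructed sample error_log lines (not captured from a real server).
SAMPLE_ERROR_LOG = [
    'D [06/Oct/2004:02:54:30 +0000] [Job 12] Printer "hp" uses device URI '
    'smb://alice:s3cret@fileserver/hp4',
    'I [06/Oct/2004:02:54:31 +0000] Started filter /usr/lib/cups/filter/pstops (PID 4242)',
    'D [06/Oct/2004:02:54:32 +0000] [Job 13] Printer "lj" uses device URI '
    'ipp://print.example.org/printers/lj',
    'E [06/Oct/2004:02:54:33 +0000] [Job 14] Unable to connect to smb://bob@nas/queue',
]


def redact_device_uri(text: str) -> str:
    """Return `text` with the password of any embedded device URI masked.

    Only the password is replaced (with '****'); the username is kept so the
    line stays useful for debugging. URIs with no password are left alone.
    """
    m = _URI_WITH_USERINFO.search(text)
    if m is None:
        return text
    userinfo = m.group("userinfo")
    if ":" not in userinfo:
        return text  # username only: nothing secret to hide
    user = userinfo.split(":", 1)[0]
    return text[: m.start("userinfo")] + f"{user}:****" + text[m.end("userinfo"):]


def find_leaked_credentials(log_lines):
    """Scan error_log lines; return (line_number, redacted_line) for every
    line that carries a device URI with a user:password pair."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        m = _URI_WITH_USERINFO.search(line)
        if m is not None and ":" in m.group("userinfo"):
            hits.append((number, redact_device_uri(line)))
    return hits


if __name__ == "__main__":
    for number, redacted in find_leaked_credentials(SAMPLE_ERROR_LOG):
        print(f"line {number} leaks a password; safe form: {redacted}")
```

On an affected system the same scan can be pointed at /var/log/cups/error_log directly; any hit means the password was exposed to every local user who can read that file and should be rotated, not just redacted after the fact.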
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-06 02:55:42 UTC
printing herd, please patch/bump as needed
Comment 2 Marc Vila 2004-10-06 04:00:33 UTC
Fedora already patched (upgraded) packages
http://secunia.com/advisories/12737/
Comment 3 Heinrich Wendel (RETIRED) gentoo-dev 2004-10-06 06:22:18 UTC
applied the patch to cups-1.1.20-r3 and cups-1.1.21-r1
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-06 06:39:52 UTC
arches pls test and mark stable

cups-1.1.20-r3:
current KEYWORDS="x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64"
target KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"

__

cups-1.1.21-r1 already has
current/target KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64"
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-06 06:42:08 UTC
forgot to add ppc64, pls also test cups-1.1.20-r3 and mark stable if possible
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2004-10-06 07:36:27 UTC
sparc stable.
Comment 7 Lars Weiler (RETIRED) gentoo-dev 2004-10-06 22:46:23 UTC
ppc stable
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-07 02:44:18 UTC
Stable on alpha.
Comment 9 SpanKY gentoo-dev 2004-10-07 18:54:16 UTC
arm/hppa/ia64/s390 is all set
Comment 10 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-07 22:19:59 UTC
stable amd64
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-10-08 01:14:06 UTC
Ready for a GLSA decision. I would say one is needed, it discloses exploitable passwords to local users, and that's bad.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-10-08 10:52:55 UTC
GLSA needed.
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-09 07:12:06 UTC
GLSA 200410-06
mips and ppc64 don't forget to mark stable to benefit from the GLSA
Comment 14 Tom Gall (RETIRED) gentoo-dev 2004-10-09 20:19:26 UTC
already stable on ppc64, .. thanks!
Comment 15 Hardave Riar (RETIRED) gentoo-dev 2004-10-16 20:28:27 UTC
Stable on mips.