Bug 66501 - net-print/cups: Logfile User Credentials Disclosure (CAN-2004-0923)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B4 [glsa] vorlon
Reported: 2004-10-06 02:54 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-30 22:40 UTC (History)
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-06 02:54:30 UTC
"Device URIs containing username & password end up in error_log"
Fixed in CVS and patch available at the STR.


Gary Smith has reported a vulnerability in CUPS, which can be exploited by malicious, local users to gain knowledge of sensitive information.

The problem is that user credentials are stored in the error_log log file when printing to a shared printer via Samba.
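
Added example, not part of the bug report and not the CUPS patch: lines logged before the upgrade remain in error_log, so this Python check finds and redacts URIs of the form scheme://user:password@host in log lines. The function names and sample lines are assumptions constructed for illustration and do not reproduce real CUPS log output.

```python
import re

# userinfo is "user:password" before the last '@' of the authority part;
# the greedy password group lets the password itself contain '@' or ':'.
CRED_URI = re.compile(r"\b([a-z][a-z0-9+.-]*)://([^\s/:@]+):([^\s/]*)@", re.I)


def redact_line(line):
    """Return the line with user:password removed from any URI it contains."""
    return CRED_URI.sub(r"\1://REDACTED@", line)


def audit_log(lines):
    """Return (line_number, redacted_line) for every line that embeds credentials."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if CRED_URI.search(line):
            findings.append((number, redact_line(line.rstrip("\n"))))
    return findings


# Constructed sample lines (hypothetical hosts, users and passwords).
SAMPLE_LOG = [
    "D [06/Oct/2004:02:54:30 +0000] job 12 device URI smb://alice:s3cr3t@fileserver/laser",
    "I [06/Oct/2004:02:55:01 +0000] job 13 device URI ipp://printhost/printers/laser",
    "D [06/Oct/2004:02:56:12 +0000] job 14 device URI smb://bob:p@ss:word@10.0.0.5/color",
    "E [06/Oct/2004:02:57:40 +0000] job 15 device URI smb://guest@fileserver/laser failed",
]

if __name__ == "__main__":
    # Only the redacted form is printed, so the report does not leak the secret again.
    for number, line in audit_log(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Any password found this way should be treated as exposed to local users and changed, and the affected log files rotated or cleaned.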
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-06 02:55:42 UTC
printing herd, please patch/bump as needed
Comment 2 Marc Vila 2004-10-06 04:00:33 UTC
fedora already patched (upgraded) packages
Comment 3 Heinrich Wendel (RETIRED) gentoo-dev 2004-10-06 06:22:18 UTC
applied the patch to cups-1.1.20-r3 and cups-1.1.21-r1
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-06 06:39:52 UTC
arches pls test and mark stable

current KEYWORDS="x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64"
target KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"


cups-1.1.21-r1 already has
current/target KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64"
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-06 06:42:08 UTC
forgot to add ppc64, pls also test cups-1.1.20-r3 and mark stable if possible
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2004-10-06 07:36:27 UTC
sparc stable.
Comment 7 Lars Weiler (RETIRED) gentoo-dev 2004-10-06 22:46:23 UTC
ppc stable
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-07 02:44:18 UTC
Stable on alpha.
Comment 9 SpanKY gentoo-dev 2004-10-07 18:54:16 UTC
arm/hppa/ia64/s390 is all set
Comment 10 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-07 22:19:59 UTC
stable amd64
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-10-08 01:14:06 UTC
Ready for a GLSA decision. I would say one is needed, it discloses exploitable passwords to local users, and that's bad.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-10-08 10:52:55 UTC
GLSA needed.
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-09 07:12:06 UTC
GLSA 200410-06
mips and ppc64 don't forget to mark stable to benefit from the GLSA
Comment 14 Tom Gall (RETIRED) gentoo-dev 2004-10-09 20:19:26 UTC
already stable on ppc64, .. thanks!
Comment 15 Hardave Riar (RETIRED) gentoo-dev 2004-10-16 20:28:27 UTC
Stable on mips.