From the oss-security mailing list at $URL: "a Debian user reported a bug in our BTS concerning cupsd. The bug is available at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 and upstream bug at http://www.cups.org/str.php?L4223 (restricted because it's tagged security). I'm unsure right now if it's an upstream issue or specific to Debian. Basically, members of the lpadmin group (which is the group having admin rights to cups, meaning they're supposed to be able to add/remove printeers etc.) have admin access to the web interface, where they can edit the config file and set some “dangerous” directives (like the log filenames), which enable them to read or write files as the user running the cupsd webserver. In Debian case at least, it's run as root, meaning we have a privilege escalation issue from lpadmin group to root." The issue also affects Gentoo: users of the lpadmin group can use the script in the Debian bug report to read files. Upstream bug: http://www.cups.org/str.php?L4223 Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=875898
CVE-2012-5519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5519): CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface.
Cups 1.4.4 is already long gone from portage.
(In reply to comment #2) > Cups 1.4.4 is already long gone from portage. Relevance? This issue is fixed in 1.6.2 [1]. May we proceed to stabilize =net-print/cups-1.6.2 ? [1] http://www.cups.org/articles.php?L689+TNews+Q
I already have a tracker for cups-1.6 stabilization. Soon, please wait for the blocker to resolve. (It does not help that upstream cups bugtracker is still offline.)
(In reply to Sean Amoss from comment #3) > (In reply to comment #2) > > Cups 1.4.4 is already long gone from portage. > > Relevance? > > This issue is fixed in 1.6.2 [1]. May we proceed to stabilize > =net-print/cups-1.6.2 ? > > [1] http://www.cups.org/articles.php?L689+TNews+Q Please proceed with stabilization, using the following versions: net-print/cups-1.6.2-r5 net-print/cups-filters-1.0.34-r1 app-text/qpdf-4.1.0 I'll leave it to you to add arches; it's better if this goes through sec team channels.
(In reply to Andreas K. Hüttel from comment #5) [snip] > > Please proceed with stabilization, using the following versions: > > net-print/cups-1.6.2-r5 > net-print/cups-filters-1.0.34-r1 > app-text/qpdf-4.1.0 > > I'll leave it to you to add arches; it's better if this goes through sec > team channels. Thanks, Andreas. Arches teams, please test and mark stable.
amd64 stable
x86 stable
ppc stable
ppc64 stable
Stable for HPPA.
alpha stable
arm stable
ia64 stable
sh stable
sparc stable
All keywords dropped in vulnerable versions, except slow arches m68k and s390
s390 stable
@m68k: when you wake up, please immediately go for > > net-print/cups-1.6.3-r2 > net-print/cups-filters-1.0.35 > app-text/qpdf-4.1.0 >
m68k can continue to work while we vote. GLSA vote: yes (potential priv escalation, even if it's a specific set of users).
GLSA vote: yes New GLSA request filed
M68K is not anymore a stable arch, removing it from the cc list
Nothing to do for printing here anymore
This issue was resolved and addressed in GLSA 201404-01 at http://security.gentoo.org/glsa/glsa-201404-01.xml by GLSA coordinator Sergey Popov (pinkbyte).