#3754: Cups security issue - /etc/cups/cups-files.conf needed
-------------------------+--------------------------------------------------
 Reporter:  fo           |       Owner:  blfs-book@…                   
     Type:  enhancement  |      Status:  new                           
 Priority:  normal       |   Milestone:  current                       
Component:  BOOK         |     Version:  SVN                           
 Severity:  normal       |    Keywords:                                
-------------------------+--------------------------------------------------
 From

 [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791]


 {{{
 Members of lpadmin can read /var/run/cups/certs/0. With this key it is
 possible to access the cups web interface as admin. You can edit the
 cups config file and set the page log to any filename you want (for
 example /etc/shadow). Then you can read the file contents by viewing
 the cups page log. By printing you can also write some random data to
 the given file.

 As it is not possible to use the cups authentication with a normal
 web browser I created a *simple shell script* to show the effect. When
 called as any unprivileged user which is a member of lpadmin it should
 display the contents of /etc/shadow.
 }}}


 From

 [http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5519.html]


 {{{
 ...
 mdeslaur> Upstream patch moves dangerous configuration options to a
 mdeslaur> second config file which is not web-editable. Although this is
 mdeslaur> a good long-term solution, the changes are too intrusive for a
 mdeslaur> security update. The most sensible thing to do at this time is
 mdeslaur> to completely disable modifying the cupsd.conf file via the web
 mdeslaur> interface.
 }}}


 But a slightly different solution seems to have been found in Debian. I am
 attaching a patch that could perhaps be used instead of the one proposed
 upstream and referred to by Armin on the dev list; I got it from

 [https://launchpad.net/ubuntu/+archive/primary/+files/cups_1.6.1-0ubuntu11.3.debian.tar.gz]

-- 
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/3754>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
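An added check, not code from the ticket, Debian or the CUPS project: it audits a cupsd.conf for directives that the upstream fix relocates to cups-files.conf, the file the web interface cannot edit, so a web-interface admin can no longer redirect the page log as the Debian report describes. The directive list is my recollection of cups-files.conf(5); verify it against the CUPS version you run.

```python
# Added example (not from the BLFS ticket, Debian or CUPS): flag directives
# in cupsd.conf that upstream moved to the non-web-editable cups-files.conf.
# The directive names below are from cups-files.conf(5) as I remember them.
from typing import Dict, List, Tuple

# Directives naming files, directories, users or groups. Left in cupsd.conf,
# a web-interface admin can point a log at any path (the PageLog case above).
FILE_DIRECTIVES = {d.lower() for d in (
    "AccessLog ErrorLog PageLog CacheDir DataDir DocumentRoot FileDevice "
    "FontPath Group User SystemGroup ServerBin ServerRoot StateDir TempDir "
    "RequestRoot Printcap PrintcapFormat RemoteRoot ServerCertificate "
    "ServerKey LogFilePerm ConfigFilePerm SyncOnClose FatalErrors").split()}


def parse_directives(text: str) -> Dict[str, str]:
    """Top-level 'Directive value' pairs; comments and <Location>/<Policy>
    blocks (access rules, not paths) are skipped. Spelling is kept as-is."""
    found: Dict[str, str] = {}
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:
            parts = line.split(None, 1)
            found[parts[0]] = parts[1] if len(parts) > 1 else ""
    return found


def misplaced_directives(cupsd_conf: str) -> List[Tuple[str, str]]:
    """Directives set in cupsd.conf that belong in cups-files.conf.
    CUPS directive names are case-insensitive, so compare lowered."""
    return sorted((k, v) for k, v in parse_directives(cupsd_conf).items()
                  if k.lower() in FILE_DIRECTIVES)


# Constructed sample: cupsd.conf rewritten so the page log targets /etc/shadow.
SAMPLE_CUPSD_CONF = """\
LogLevel warn
pagelog /etc/shadow
Listen localhost:631
<Location />
  Order allow,deny
</Location>
"""

if __name__ == "__main__":
    for name, value in misplaced_directives(SAMPLE_CUPSD_CONF):
        print(f"cupsd.conf sets {name} {value}: move it to cups-files.conf")
```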
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-book