Package: cups-daemon
Version: 1.7.4-1
Severity: serious
Justification: Information leak and possible security vulnerability
Tags: security

Hi,
installing (not upgrading!) the cups-daemon package on a machine using systemd
as PID 1 creates the /etc/cups/cupsd-systemd-listen.conf file like this:
[Socket]
# This file was generated by CUPS and _WILL_ be deleted or overwritten by it!
# It has to be kept in sync with the Port and Listen stanzas in /etc/cups/cupsd.conf
# It is by default symlinked as cups-listen.conf in the
# /etc/systemd/system/cups.socket.d/ directory. Remove the symlink
# and write your own file there if you don't want this. See systemd.socket(5).
# Matches the default 'Listen localhost:631' from cupsd.conf.default
ListenStream=0.0.0.0:631
ListenStream=[::]:631
As this file gets symlinked from the /etc/systemd/system/cups.socket.d/
directory, this means that systemd will listen on *all* interfaces and
hand the incoming connections to CUPS.
Admittedly, CUPS still enforces its own access limitations set
in /etc/cups/cupsd.conf, but only after initially accepting the
connection. It will then respond with an HTTP 403 (Forbidden) error page,
confirming that there is indeed a CUPS daemon running and leaking (at
least) its version number and the system locale.
Best regards
Alexander Kurtz
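
The mismatch described in the report can be checked mechanically. The following is an added example, not part of the original message and not code from CUPS or Debian: it compares the ListenStream entries of the socket drop-in with the Listen/Port directives of cupsd.conf and reports wildcard binds that cupsd.conf never asked for. The function names and the embedded sample file contents are constructed for illustration.

```python
import ipaddress

# Constructed samples modelled on the two files named in the report.
SOCKET_DROPIN = """[Socket]
ListenStream=0.0.0.0:631
ListenStream=[::]:631
"""
CUPSD_CONF = """# constructed: default-style local-only configuration
Listen localhost:631
Listen /var/run/cups/cups.sock
"""

def scope(endpoint):
    """Classify a TCP endpoint as (scope, port); None for UNIX socket paths."""
    if endpoint.startswith(("/", "@")):
        return None
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if host in ("", "*"):              # bare port or *:port binds everywhere
        return "any", int(port)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                 # hostname; only 'localhost' counts as loopback
        return ("loopback" if host == "localhost" else "specific"), int(port)
    if ip.is_unspecified:
        return "any", int(port)
    return ("loopback" if ip.is_loopback else "specific"), int(port)

def systemd_listeners(text):
    found = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "ListenStream":
            # An empty assignment resets the list (systemd.socket(5)).
            found = found + [value.strip()] if value.strip() else []
    return found

def cupsd_listeners(text):
    found = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        # 'Listen addr:port' or 'Port N'; Port has no address, so all interfaces.
        if len(words) == 2 and words[0].lower() in ("listen", "port"):
            found.append(words[1])
    return found

def overexposed(socket_text, cupsd_text):
    """ListenStream entries on the wildcard address that cupsd.conf never asked for."""
    wanted = {}
    for s in filter(None, map(scope, cupsd_listeners(cupsd_text))):
        wanted.setdefault(s[1], set()).add(s[0])
    return [ep for ep in systemd_listeners(socket_text)
            if (s := scope(ep)) and s[0] == "any"
            and "any" not in wanted.get(s[1], set())]
```

On the sample input both ListenStream lines are reported; a drop-in that binds 127.0.0.1:631 and [::1]:631 instead produces an empty result.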
