On Wednesday, 28 November 2012 05:38:58, Michael Sweet wrote:

> After looking at this patch in detail, it doesn't actually prevent users in
> the lpadmin group from modifying cupsd.conf and performing the specified
> privilege escalation.
>
> An alternate fix for cups-1.5 and earlier that specifically addresses the
> reported problem by requiring the log files to reside in CUPS_LOGDIR:
Indeed, thanks. BUT, as far as I can test, this patch leaves some potential attacks open, such as setting DocumentRoot to /etc (then accessing http://localhost:631/shadow …). With some imagination, you could set SystemGroup to "lpadmin other-group", granting cups administration rights to "other-group", etc.

At least DocumentRoot has to be constrained to stay what the package says it is, IMHO.

Cheers,

OdyX
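The constraint argued for in this thread, written out as an added example (not CUPS code, and not either poster's patch): a small policy check over cupsd.conf directives that flags log files outside CUPS_LOGDIR, a DocumentRoot that differs from the packaged value, and SystemGroup entries beyond the expected group. The directory values, the allowed group set and the sample configuration are constructed placeholders, not the real CUPS build settings.

```python
import os.path

# Constructed policy values (placeholders, not the real CUPS build settings):
# the directories the packaged cupsd.conf is expected to point at.
CUPS_LOGDIR = "/var/log/cups"
CUPS_DOCROOT = "/usr/share/cups/doc-root"
ALLOWED_SYSTEM_GROUPS = {"lpadmin"}
LOG_DIRECTIVES = ("AccessLog", "ErrorLog", "PageLog")

def _inside(path, base):
    """True if the absolute path, with '..' folded, stays under base."""
    # normpath is lexical: a live check would also realpath the parent dir.
    if not os.path.isabs(path):
        return False
    real = os.path.normpath(path)
    return real == base or real.startswith(base.rstrip("/") + "/")

def check_cupsd_conf(text):
    """Return (line_no, directive, reason) for directives outside policy."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or valueless line
        key, value = parts
        if key in LOG_DIRECTIVES and not _inside(value, CUPS_LOGDIR):
            findings.append((no, key, "log file outside " + CUPS_LOGDIR))
        elif key == "DocumentRoot" and os.path.normpath(value) != CUPS_DOCROOT:
            findings.append((no, key, "DocumentRoot differs from packaged value"))
        elif key == "SystemGroup":
            extra = sorted(set(value.split()) - ALLOWED_SYSTEM_GROUPS)
            if extra:
                findings.append((no, key, "unexpected groups: " + ", ".join(extra)))
    return findings

# Constructed sample configuration exercising each check.
SAMPLE_CONF = """\
DocumentRoot /etc
ErrorLog /var/log/cups/error_log
AccessLog /var/log/cups/../../tmp/access_log
SystemGroup lpadmin other-group
"""

if __name__ == "__main__":
    for line_no, key, reason in check_cupsd_conf(SAMPLE_CONF):
        print("line %d: %s: %s" % (line_no, key, reason))
```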