Debian Bug report logs - #409356
cups-pdf: allows unprivileged user to read parts of any file

Package: cups-pdf; Maintainer for cups-pdf is Debian CUPS Maintainers <debian-printing@lists.debian.org>; Source for cups-pdf is src:cups-pdf (PTS, buildd, popcon).

Reported by: Grzegorz Żur <grzegorz.zur@gmail.com>

Date: Fri, 2 Feb 2007 10:33:13 UTC

Severity: critical

Tags: security

Found in version cups-pdf/2.4.2-1

Fixed in version 2.4.2-2

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Martin-Éric Racine <q-funk@iki.fi>:
Bug#409356; Package cups-pdf. (full text, mbox, link).


Acknowledgement sent to Grzegorz Żur <grzegorz.zur@gmail.com>:
New Bug report received and forwarded. Copy sent to Martin-Éric Racine <q-funk@iki.fi>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Grzegorz Żur <grzegorz.zur@gmail.com>
To: submit@bugs.debian.org
Subject: cups-pdf: allows unprivileged user to read parts of any file
Date: Fri, 02 Feb 2007 11:31:41 +0100
Package: cups-pdf
Version: 2.4.2-1
Severity: critical
Justification: root security hole
Tags: security

Unprivileged user can execute /usr/lib/cups/backend/cups-pdf to read
parts of any file. End of file is printed by Ghostscript in error report.

Execution of this command as unprivileged user
  /usr/lib/cups/backend/cups-pdf shadow user title 1 '' /etc/shadow
will result in Ghostscript error showing last line of /etc/shadow file
(possibly containing password hash)
  ERROR: /undefined in saned:!:13511:0:99999:7:::
  ...

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-albemuth
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)

Versions of packages cups-pdf depends on:
ii  cupsys                   1.2.7-3         Common UNIX Printing System(tm) -
ii  gs-esp                   8.15.3.dfsg.1-1 The Ghostscript PostScript interpr
ii  libc6                    2.3.6.ds1-10    GNU C Library: Shared libraries

cups-pdf recommends no packages.

-- no debconf information

-- 
Grzegorz Zur



Information forwarded to debian-bugs-dist@lists.debian.org, Martin-Éric Racine <q-funk@iki.fi>:
Bug#409356; Package cups-pdf. (full text, mbox, link).


Acknowledgement sent to "Martin-Éric Racine" <q-funk@iki.fi>:
Extra info received and forwarded to list. Copy sent to Martin-Éric Racine <q-funk@iki.fi>. (full text, mbox, link).


Message #10 received at 409356@bugs.debian.org (full text, mbox, reply):

From: "Martin-Éric Racine" <q-funk@iki.fi>
To: "Grzegorz Żur" <grzegorz.zur@gmail.com>, 409356@bugs.debian.org
Subject: Re: Bug#409356: cups-pdf: allows unprivileged user to read parts of any file
Date: Fri, 2 Feb 2007 12:49:55 +0200
On 2/2/07, Grzegorz Żur <grzegorz.zur@gmail.com> wrote:
> Package: cups-pdf
> Version: 2.4.2-1
> Severity: critical
> Justification: root security hole
> Tags: security
>
> Unprivileged user can execute /usr/lib/cups/backend/cups-pdf to read
> parts of any file. End of file is printed by Ghostscript in error report.
>
> Execution of this command as unprivileged user
>   /usr/lib/cups/backend/cups-pdf shadow user title 1 '' /etc/shadow
> will result in Ghostscript error showing last line of /etc/shadow file
> (possibly containing password hash)
>   ERROR: /undefined in saned:!:13511:0:99999:7:::

Upstream is subscribed to this package's PTS, so I'll let him comment
on this one.

-- 
Martin-Éric Racine
http://q-funk.iki.fi



Acknowledgement sent to Volker Christian Behr <behr@physik.uni-wuerzburg.de>:
Extra info received and forwarded to list. Copy sent to Martin-Éric Racine <q-funk@iki.fi>. (full text, mbox, link).


Message #15 received at 409356@bugs.debian.org (full text, mbox, reply):

From: Volker Christian Behr <behr@physik.uni-wuerzburg.de>
To: Grzegorz Żur <grzegorz.zur@gmail.com>, 409356@bugs.debian.org
Subject: Re: Bug#409356: cups-pdf: allows unprivileged user to read parts of any file
Date: Fri, 02 Feb 2007 11:52:52 +0100
I am the CUPS-PDF developer. Though I am not using Debian I am quite
confused by this behaviour: CUPS-PDF is supposed to be mode 700 on
CUPS >v1.2.x environments (so unprivileged users should not even be able to
execute it). Furthermore CUPS-PDF is explicitly not meant to be
installed SUID 'root' (neither is ghostscript) - so how can those two
programs access /etc/shadow at all?
Please check the permissions of the CUPS-PDF backend and GS - neither
should be SUID 'root' under any circumstances. CUPS-PDF should even more
be mode 700 executable by 'root' only. If this is not the case in the
default installation it has to be fixed in the Debian package.

On Fri, 2007-02-02 at 11:31 +0100, Grzegorz Żur wrote:
> Package: cups-pdf
> Version: 2.4.2-1
> Severity: critical
> Justification: root security hole
> Tags: security
> 
> Unprivileged user can execute /usr/lib/cups/backend/cups-pdf to read
> parts of any file. End of file is printed by Ghostscript in error report.
> 
> Execution of this command as unprivileged user
>   /usr/lib/cups/backend/cups-pdf shadow user title 1 '' /etc/shadow
> will result in Ghostscript error showing last line of /etc/shadow file
> (possibly containing password hash)
>   ERROR: /undefined in saned:!:13511:0:99999:7:::
>   ...
> 
> -- System Information:
> Debian Release: 4.0
>   APT prefers unstable
>   APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18-albemuth
> Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
> 
> Versions of packages cups-pdf depends on:
> ii  cupsys                   1.2.7-3         Common UNIX Printing System(tm) -
> ii  gs-esp                   8.15.3.dfsg.1-1 The Ghostscript PostScript interpr
> ii  libc6                    2.3.6.ds1-10    GNU C Library: Shared libraries
> 
> cups-pdf recommends no packages.
> 
> -- no debconf information
> 
-- 

Volker Christian Behr
Experimentelle Physik V (Biophysik), Physikalisches Institut
Universitaet Wuerzburg, Am Hubland, 97074 Wuerzburg, Germany

Office: Room F-069a
+49-931-888-5766 (phone)
+49-931-888-5851 (fax)







Acknowledgement sent to Grzegorz Żur <grzegorz.zur@gmail.com>:
Extra info received and forwarded to list. Copy sent to Martin-Éric Racine <q-funk@iki.fi>. (full text, mbox, link).


Message #20 received at 409356@bugs.debian.org (full text, mbox, reply):

From: Grzegorz Żur <grzegorz.zur@gmail.com>
To: 409356@bugs.debian.org
Cc: Volker Christian Behr <behr@physik.uni-wuerzburg.de>
Subject: Re: Bug#409356: cups-pdf: allows unprivileged user to read parts of any file
Date: Fri, 02 Feb 2007 12:31:06 +0100
Volker Christian Behr wrote:
> I am the CUPS-PDF developer. Though I am not using Debian I am quite
> confused by this behaviour: CUPS-PDF is supposed to be mode 700 on
> CUPS >v1.2.x environments (so unprivileged users should not even be able to
> execute it). Furthermore CUPS-PDF is explicitly not meant to be
> installed SUID 'root' (neither is ghostscript) - so how can those two
> programs access /etc/shadow at all?
> Please check the permissions of the CUPS-PDF backend and GS - neither
> should be SUID 'root' under any circumstances. CUPS-PDF should even more
> be mode 700 executable by 'root' only. If this is not the case in the
> default installation it has to be fixed in the Debian package.
> 

You are right! It's only on Debian (and derivatives?) and that's why I
report it as Debian's bug, not directly to you. The problem is in
debian/postinst script. It executes:
  chmod 6755 /usr/lib/cups/backend/cups-pdf

-- 
Grzegorz Zur
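
The rule upstream states in this thread (backend owned by root, mode 0700, never SUID) and the `chmod 6755` found in `debian/postinst` can be checked mechanically. The script below is an added example, not part of any message in this bug log or of the cups-pdf package; it assumes GNU `stat`, and the function names `mode_findings` and `audit_backend_dir` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit CUPS backend permissions.
# Rule taken from the thread: a root-run backend is mode 0700 and never SUID.
# Assumes GNU coreutils `stat -c`; function names are hypothetical.

# mode_findings OCTAL_MODE
# Prints "ok" for a mode with no setuid/setgid bit and no group/other access,
# otherwise a space-separated list of findings. Accepts 700, 6755, 104754, ...
mode_findings() {
    case $1 in
        ''|*[!0-7]*) echo invalid; return 0 ;;
    esac
    m=$((0$1))          # leading 0 makes the shell read the string as octal
    out=""
    if [ $((m & 04000)) -ne 0 ]; then out="$out setuid"; fi
    if [ $((m & 02000)) -ne 0 ]; then out="$out setgid"; fi
    if [ $((m & 00077)) -ne 0 ]; then out="$out not-root-only"; fi
    if [ -z "$out" ]; then echo ok; else echo "${out# }"; fi
}

# audit_backend_dir DIR
# Prints "<path> <mode> <owner> <findings>" for each regular file in DIR.
# Returns 1 if any file carries a setuid or setgid bit, else 0.
audit_backend_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        # Skip symlinks and anything that is not a regular file.
        if [ -L "$f" ] || [ ! -f "$f" ]; then continue; fi
        mode=$(stat -c %a "$f")
        owner=$(stat -c %U "$f")
        findings=$(mode_findings "$mode")
        printf '%s %s %s %s\n' "$f" "$mode" "$owner" "$findings"
        case $findings in
            *setuid*|*setgid*) rc=1 ;;
        esac
    done
    return "$rc"
}

# Run only when asked, e.g.: sh audit.sh --audit /usr/lib/cups/backend
if [ "${1:-}" = "--audit" ]; then
    audit_backend_dir "${2:-/usr/lib/cups/backend}"
fi
```

A non-zero exit status means at least one file in the directory carries a setuid or setgid bit; the owner column lets you confirm the file belongs to root.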





Acknowledgement sent to "Martin-Éric Racine" <q-funk@iki.fi>:
Extra info received and forwarded to list. Copy sent to Martin-Éric Racine <q-funk@iki.fi>. (full text, mbox, link).


Message #25 received at 409356@bugs.debian.org (full text, mbox, reply):

From: "Martin-Éric Racine" <q-funk@iki.fi>
To: "Volker Christian Behr" <behr@physik.uni-wuerzburg.de>, 409356@bugs.debian.org
Subject: Re: Bug#409356: cups-pdf: allows unprivileged user to read parts of any file
Date: Fri, 2 Feb 2007 13:49:30 +0200
On 2/2/07, Volker Christian Behr <behr@physik.uni-wuerzburg.de> wrote:
> Please check the permissions of the CUPS-PDF backend and GS - neither
> should be SUID 'root' under any circumstances. CUPS-PDF should even more
> be mode 700 executable by 'root' only. If this is not the case in the
> default installation it has to be fixed in the Debian package.

Permissions were made 6755 to enable outputting documents to someone's
home directory (or a subdirectory). Unless I'm mistaken, 0700 would
not enable the same thing?

-- 
Martin-Éric Racine
http://q-funk.iki.fi



Acknowledgement sent to Volker Christian Behr <behr@physik.uni-wuerzburg.de>:
Extra info received and forwarded to list. Copy sent to Martin-Éric Racine <q-funk@iki.fi>. (full text, mbox, link).


Message #30 received at 409356@bugs.debian.org (full text, mbox, reply):

From: Volker Christian Behr <behr@physik.uni-wuerzburg.de>
To: Martin-Éric Racine <q-funk@iki.fi>, 409356@bugs.debian.org
Subject: Re: Bug#409356: cups-pdf: allows unprivileged user to read parts of any file
Date: Fri, 02 Feb 2007 14:06:03 +0100
On Fri, 2007-02-02 at 13:49 +0200, Martin-Éric Racine wrote:
> On 2/2/07, Volker Christian Behr <behr@physik.uni-wuerzburg.de> wrote:
> > Please check the permissions of the CUPS-PDF backend and GS - neither
> > should be SUID 'root' under any circumstances. CUPS-PDF should even more
> > be mode 700 executable by 'root' only. If this is not the case in the
> > default installation it has to be fixed in the Debian package.
> 
> Permissions were made 6755 to enable outputting documents to someone's
> home directory (or a subdirectory). Unless I'm mistaken, 0700 would
> not enable the same thing?

Starting with version 1.2.0 CUPS will call any backend that is owned by
'root' and set to mode 0700 with full root privileges which should
enable CUPS-PDF to print to any destination.
I know Ubuntu to have modified CUPS (e.g. the web-admin interface is
disabled) but I cannot tell what other changes they did.
I strongly recommend making CUPS-PDF mode 0700 again since this is
to-the-letter within the specifications of CUPS.



-- 

Volker Christian Behr
Experimentelle Physik V (Biophysik), Physikalisches Institut
Universitaet Wuerzburg, Am Hubland, 97074 Wuerzburg, Germany

Office: Room F-069a
+49-931-888-5766 (phone)
+49-931-888-5851 (fax)







Acknowledgement sent to "Martin-Éric Racine" <q-funk@iki.fi>:
Extra info received and forwarded to list. Copy sent to Martin-Éric Racine <q-funk@iki.fi>. (full text, mbox, link).


Message #35 received at 409356@bugs.debian.org (full text, mbox, reply):

From: "Martin-Éric Racine" <q-funk@iki.fi>
To: "Volker Christian Behr" <behr@physik.uni-wuerzburg.de>
Cc: 409356@bugs.debian.org
Subject: Re: Bug#409356: cups-pdf: allows unprivileged user to read parts of any file
Date: Fri, 2 Feb 2007 15:11:28 +0200
On 2/2/07, Volker Christian Behr <behr@physik.uni-wuerzburg.de> wrote:
> On Fri, 2007-02-02 at 13:49 +0200, Martin-Éric Racine wrote:
> > On 2/2/07, Volker Christian Behr <behr@physik.uni-wuerzburg.de> wrote:
> > > Please check the permissions of the CUPS-PDF backend and GS - neither
> > > should be SUID 'root' under any circumstances. CUPS-PDF should even more
> > > be mode 700 executable by 'root' only. If this is not the case in the
> > > default installation it has to be fixed in the Debian package.
> >
> > Permissions were made 6755 to enable outputting documents to someone's
> > home directory (or a subdirectory). Unless I'm mistaken, 0700 would
> > not enable the same thing?
>
> Starting with version 1.2.0 CUPS will call any backend that is owned by
> 'root' and set to mode 0700 with full root privileges which should
> enable CUPS-PDF to print to any destination.
> I know Ubuntu to have modified CUPS (e.g. the web-admin interface is
> disabled) but I cannot tell what other changes they did.
> I strongly recommend making CUPS-PDF mode 0700 again since this is
> to-the-letter within the specifications of CUPS.

Ubuntu doesn't run CUPS as root, which is what prevents us from
outputting files to user directories with the backend as root:root
0700.

-- 
Martin-Éric Racine
http://q-funk.iki.fi



Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Martin-Éric Racine <q-funk@iki.fi>. (full text, mbox, link).


Message #40 received at 409356@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Martin-Éric Racine <q-funk@iki.fi>, 409356@bugs.debian.org
Cc: Volker Christian Behr <behr@physik.uni-wuerzburg.de>
Subject: Re: Bug#409356: cups-pdf: allows unprivileged user to read parts of any file
Date: Fri, 2 Feb 2007 15:43:14 -0800
On Fri, Feb 02, 2007 at 01:49:30PM +0200, Martin-Éric Racine wrote:
> On 2/2/07, Volker Christian Behr <behr@physik.uni-wuerzburg.de> wrote:
> >Please check the permissions of the CUPS-PDF backend and GS - neither
> >should be SUID 'root' under any circumstances. CUPS-PDF should even more
> >be mode 700 executable by 'root' only. If this is not the case in the
> >default installation it has to be fixed in the Debian package.

> Permissions were made 6755 to enable outputting documents to someone's
> home directory (or a subdirectory).

That's a piss-poor excuse for marking an unaudited binary as suid-root.

And this:

cups-pdf (2.4.1-3) unstable; urgency=low

  * Changed the backend permissions to 6755 for Ubuntu compatibility.

 -- Martin-Éric Racine <q-funk@iki.fi>  Fri, 29 Sep 2006 02:26:39 +0300

is an even *worse* excuse!

On Fri, Feb 02, 2007 at 03:11:28PM +0200, Martin-Éric Racine wrote:
> On 2/2/07, Volker Christian Behr <behr@physik.uni-wuerzburg.de> wrote:
> >On Fri, 2007-02-02 at 13:49 +0200, Martin-Éric Racine wrote:
> >> On 2/2/07, Volker Christian Behr <behr@physik.uni-wuerzburg.de> wrote:
> >> > Please check the permissions of the CUPS-PDF backend and GS - neither
> >> > should be SUID 'root' under any circumstances. CUPS-PDF should even more
> >> > be mode 700 executable by 'root' only. If this is not the case in the
> >> > default installation it has to be fixed in the Debian package.

> >> Permissions were made 6755 to enable outputting documents to someone's
> >> home directory (or a subdirectory). Unless I'm mistaken, 0700 would
> >> not enable the same thing?

> >Starting with version 1.2.0 CUPS will call any backend that is owned by
> >'root' and set to mode 0700 with full root privileges which should
> >enable CUPS-PDF to print to any destination.
> >I know Ubuntu to have modified CUPS (e.g. the web-admin interface is
> >disabled) but I cannot tell what other changes they did.
> >I strongly recommend making CUPS-PDF mode 0700 again since this is
> >to-the-letter within the specifications of CUPS.

> Ubuntu doesn't run CUPS as root, which is what prevents us from
> outputting files to user directories with the backend as root:root
> 0700.

Debian does run CUPS as root.  What Ubuntu does is irrelevant.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Tags added: pending Request was from Martin-Éric Racine <q-funk@iki.fi> to control@bugs.debian.org. (full text, mbox, link).


Reply sent to Martin-Éric Racine <q-funk@iki.fi>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Grzegorz Żur <grzegorz.zur@gmail.com>:
Bug acknowledged by developer. (full text, mbox, link).


Message #47 received at 409356-close@bugs.debian.org (full text, mbox, reply):

From: Martin-Éric Racine <q-funk@iki.fi>
To: 409356-close@bugs.debian.org
Subject: Bug#409356: fixed in cups-pdf 2.4.2-2
Date: Wed, 14 Feb 2007 16:47:03 +0000
Source: cups-pdf
Source-Version: 2.4.2-2

We believe that the bug you reported is fixed in the latest version of
cups-pdf, which is due to be installed in the Debian FTP archive:

cups-pdf_2.4.2-2.diff.gz
  to pool/main/c/cups-pdf/cups-pdf_2.4.2-2.diff.gz
cups-pdf_2.4.2-2.dsc
  to pool/main/c/cups-pdf/cups-pdf_2.4.2-2.dsc
cups-pdf_2.4.2-2_i386.deb
  to pool/main/c/cups-pdf/cups-pdf_2.4.2-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 409356@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin-Éric Racine <q-funk@iki.fi> (supplier of updated cups-pdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 12 Feb 2007 17:45:57 +0200
Source: cups-pdf
Binary: cups-pdf
Architecture: source i386
Version: 2.4.2-2
Distribution: unstable
Urgency: high
Maintainer: Martin-Éric Racine <q-funk@iki.fi>
Changed-By: Martin-Éric Racine <q-funk@iki.fi>
Description: 
 cups-pdf   - PDF printer for CUPS
Closes: 409356
Changes: 
 cups-pdf (2.4.2-2) unstable; urgency=high
 .
   * Upgraded backend permissions to match Policy 10.9 (Closes: #409356).
Files: 
 ad48d2a6d1cec6c9df2bfc9bcbe14607 630 graphics optional cups-pdf_2.4.2-2.dsc
 139775c326e991d0ea9ce78a8118c8c2 6544 graphics optional cups-pdf_2.4.2-2.diff.gz
 ff7ede9ba9d0da7c2515b0f6e74c268c 40298 graphics optional cups-pdf_2.4.2-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF00g/y2+jQOcHWlQRAnkiAJ4r5RYZLGiBvV6g8bXjC1WdsT8YSACaA+Ss
gx9irHfX5HfkOwxY6kSitnE=
=cERf
-----END PGP SIGNATURE-----






Acknowledgement sent to klaumikli@gmx.de:
Extra info received and forwarded to list. Copy sent to Martin-Éric Racine <q-funk@iki.fi>. (full text, mbox, link).


Message #52 received at 409356@bugs.debian.org (full text, mbox, reply):

From: Klaumi Klingsporn <klaumikli@gmx.de>
To: Debian Bug Tracking System <409356@bugs.debian.org>
Subject: Bugfix in cups-pdf_2.4.2-2 makes cups-pdf unusable
Date: Mon, 19 Feb 2007 10:20:09 +0100
Package: cups-pdf
Version: 2.4.2-2
Followup-For: Bug #409356

After the permission-change of /usr/lib/backend/cups-pdf in
cups-pdf_2.4.2-2 there is no output in $Home/PDF anymore.
The permissions have to be set to 104754 to get an output:

ls -l /usr/lib/cups/backend/cups-pdf
-rwsr-xr-- 1 root lp 23776 2007-02-14 18:33
/usr/lib/cups/backend/cups-pdf

I don't think that there is a security hole, because no unprivileged
user needs to be in the group lp. On my system the execution of the initially
mentioned command:

"/usr/lib/cups/backend/cups-pdf shadow user title 1 '' /etc/shadow"

by an unprivileged user only results in:

"bash: /usr/lib/cups/backend/cups-pdf: Keine Berechtigung"

Sorry for reopening the bug, but there seemed to be no other way to make it
work ;-)

Klaumi


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-k7
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE (charmap=ISO-8859-15) (ignored: LC_ALL set to de_DE@euro)

Versions of packages cups-pdf depends on:
hi  cupsys                   1.2.7-4         Common UNIX Printing System(tm) - 
ii  gs-esp                   8.15.3.dfsg.1-1 The Ghostscript PostScript interpr
ii  libc6                    2.3.6.ds1-11    GNU C Library: Shared libraries

cups-pdf recommends no packages.

-- no debconf information





Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Martin-Éric Racine <q-funk@iki.fi>. (full text, mbox, link).


Message #57 received at 409356@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: klaumikli@gmx.de, 409356@bugs.debian.org
Subject: Re: Bug#409356: Bugfix in cups-pdf_2.4.2-2 makes cups-pdf unusable
Date: Mon, 19 Feb 2007 01:46:57 -0800
notfound 409356 2.4.2-2
close 409356 2.4.2-2
quit

On Mon, Feb 19, 2007 at 10:20:09AM +0100, Klaumi Klingsporn wrote:

> After the permission-change of /usr/lib/backend/cups-pdf in
> cups-pdf_2.4.2-2 there is no output in $Home/PDF anymore.
> The permissions have to be set to 104754 to get an output:

> ls -l /usr/lib/cups/backend/cups-pdf
> -rwsr-xr-- 1 root lp 23776 2007-02-14 18:33
> /usr/lib/cups/backend/cups-pdf

> I don't think that there is a security hole, because no unprivileged
> user needs to be in the group lp. On my system the execution of the initially
> mentioned command:

> "/usr/lib/cups/backend/cups-pdf shadow user title 1 '' /etc/shadow"

> by an unprivileged user only results in:

> "bash: /usr/lib/cups/backend/cups-pdf: Keine Berechtigung"

This is a bug in CUPS's goofy plugin security model, not a bug in cups-pdf.

It is in any case a separate bug from this security bug; reclosing.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Bug marked as not found in version 2.4.2-2. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Bug marked as fixed in version 2.4.2-2, send any further explanations to Grzegorz Żur <grzegorz.zur@gmail.com> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 00:06:32 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 5 17:35:16 2018; Machine Name: buxtehude
