FYI, as a security fix for our stable releases in Ubuntu, we plan on disabling cupsd.conf modification in the web interface entirely. Attached is the patch we plan on using.
Marc.
Description: fix privilege escalation by disabling config file editing via the web interface Author: Marc Deslauriers <marc.deslauri...@canonical.com> Forwarded: No Bug: https://www.cups.org/str.php?L4223 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 Index: cups-1.6.1/doc/help/policies.html =================================================================== --- cups-1.6.1.orig/doc/help/policies.html 2012-11-27 09:16:17.608346696 -0500 +++ cups-1.6.1/doc/help/policies.html 2012-11-27 09:16:19.768346750 -0500 @@ -19,7 +19,7 @@ <P>Policies are stored in the <VAR>cupsd.conf</VAR> file in <A HREF="ref-cupsd-conf.html#Policy"><TT>Policy</TT></A> sections. Each policy has an alphanumeric name that is used to select it. Inside the policy section are one or more <A HREF="ref-cupsd-conf.html#LimitIPP"><TT>Limit</TT></A> subsections which list the operations that are affected by the rules inside it. <A HREF="#LISTING01">Listing 1</A> shows the default operation policy, appropriately called "default", that is shipped with CUPS.</P> -<P>The easiest way to add a policy to the <VAR>cupsd.conf</VAR> file is to use the web interface. Click on the <VAR>Administration</VAR> tab and then the <VAR>Edit Configuration File</VAR> button to edit the current <VAR>cupsd.conf</VAR> file. Click on the <VAR>Save Changes</VAR> button to save the changes and restart the scheduler. If you edit the <VAR>cupsd.conf</VAR> file from the console, make sure to <A HREF="ref-cupsd-conf.html">restart the cupsd process</A> before trying to use the new policy.</P> +<P>If you edit the <VAR>cupsd.conf</VAR> file from the console, make sure to <A HREF="ref-cupsd-conf.html">restart the cupsd process</A> before trying to use the new policy.</P> <PRE CLASS="example"> <EM>Listing 1: <A NAME="LISTING01">Default Operation Policy</A></EM> Index: cups-1.6.1/templates/admin.tmpl =================================================================== --- cups-1.6.1.orig/templates/admin.tmpl 2012-11-27 09:16:19.740346750 -0500 +++ cups-1.6.1/templates/admin.tmpl 2012-11-27 09:16:19.772346751 -0500 @@ -28,7 +28,6 @@ <H2 CLASS="title">Server</H2> <P> -<FORM ACTION="/admin/" METHOD="POST"><INPUT TYPE="HIDDEN" NAME="org.cups.sid" VALUE="{$org.cups.sid}"><INPUT TYPE="HIDDEN" NAME="OP" VALUE="config-server"><INPUT TYPE="SUBMIT" VALUE="Edit Configuration File"></FORM> <FORM ACTION="/admin/log/access_log" METHOD="GET"><INPUT TYPE="SUBMIT" VALUE="View Access Log"></FORM> <FORM ACTION="/admin/log/error_log" METHOD="GET"><INPUT TYPE="SUBMIT" VALUE="View Error Log"></FORM> <FORM ACTION="/admin/log/page_log" METHOD="GET"><INPUT TYPE="SUBMIT" VALUE="View Page Log"></FORM> Index: cups-1.6.1/cgi-bin/admin.c =================================================================== --- cups-1.6.1.orig/cgi-bin/admin.c 2012-11-27 09:16:19.744346750 -0500 +++ cups-1.6.1/cgi-bin/admin.c 2012-11-27 09:16:34.236347121 -0500 @@ -1880,6 +1880,7 @@ cgiEndHTML(); } +#if 0 /* Disabled to fix CVE-2012-5519 security issue */ else if (cgiGetVariable("SAVECHANGES") && cgiGetVariable("CUPSDCONF")) { /* @@ -2124,6 +2125,7 @@ cgiEndHTML(); } +#endif }