On 01/17/2013 03:36 PM, Fernando de Oliveira wrote:
> Re: Message in Debian (reproduced below).
>
> See also:
>
> <https://security-tracker.debian.org/tracker/CVE-2012-5519>
>
> where there is this:
>
> "Name        CVE-2012-5519
> Description CUPS 1.4.4, when running in certain Linux distributions
> such as Debian GNU/Linux, stores the web interface administrator key in
> /var/run/cups/certs/0 using certain permissions, which allows local users in
> the lpadmin group to read or write arbitrary files as root by leveraging the
> web interface."
>
> I have:
>
> $ ls -l /var/run/cups/certs/0
> -r--r----- 1 root lpadmin 32 Jan 17 08:01 /var/run/cups/certs/0
>
> I only read about it today. Gentoo, Debian, Mageia, Mandriva, Ubuntu,
> Red Hat (Fedora too?), all seem to be affected.
>
> Should we do anything about it?
>
> []s,
> Fernando
>
> From root@vmwdebian Thu Jan 10 07:21:07 2013
> Envelope-to: root@vmwdebian
> Delivery-date: Thu, 10 Jan 2013 07:21:07 -0300
> Date: Thu, 10 Jan 2013 07:21:07 -0300
> MIME-Version: 1.0
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: 7bit
> Subject: =?utf-8?q?apt-listchanges=3A_not=C3=ADcias_para_VMWDebian?=
> To: root@vmwdebian
> From: root <root@vmwdebian>
>
> cups (1.4.4-7+squeeze2) stable-security; urgency=high
>
>   In order to mitigate a privilege escalation from the lpadmin to root
>   (CVE-2012-5519), the /etc/cups/cupsd.conf configuration file is split
>   in two configuration files:
>
>   * /etc/cups/cupsd.conf can be edited by members of the lpadmin group
>     through the cups web interface;
>   * /etc/cups/cups-files.conf can only be edited by root;
>
>   Many sensitive configuration statements can now only be set in
>   cups-files.conf. No statements have been moved automatically. Please
>   check the respective manpages.
>
>  -- Didier Raboud <o...@debian.org>  Sat, 29 Dec 2012 12:33:27 +0100
It appears that the following patch fixes the issue:

http://patch-tracker.debian.org/patch/series/dl/cups/1.6.1-1/Split-configuration-files-STR-4223.patch

It's a bit big though and looks like a scary change to me. Can you test it
and report any issues? Also, please create a bug on the BLFS bug tracker for
this if that is not a problem for you.

-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
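The Debian changelog quoted above says the mitigation for CVE-2012-5519 is to keep directives that name files, directories or the privileged user/group out of the web-editable /etc/cups/cupsd.conf and put them only in the root-owned /etc/cups/cups-files.conf, and that nothing is moved automatically. The script below is an added example (not from the thread, the Debian patch or the CUPS project) that audits a cupsd.conf for such leftover directives and checks that a cups-files.conf is not group- or world-writable. The list of root-only directives is an assumption drawn from CUPS 1.6; the sample configuration files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian patch): audit a CUPS
# configuration for the split that mitigates CVE-2012-5519. Anything an
# lpadmin member can change through the web interface lives in cupsd.conf,
# so directives naming files, directories or the privileged user/group
# should only appear in the root-owned cups-files.conf.

# Directives that CUPS 1.6 reads only from cups-files.conf. This list is
# an assumption for illustration; check cups-files.conf(5) for your version.
ROOT_ONLY_DIRECTIVES="AccessLog CacheDir DataDir DocumentRoot ErrorLog \
FileDevice Group LogFilePerm PageLog Printcap RequestRoot ServerBin \
ServerRoot StateDir SystemGroup TempDir User"

# Print every line of $1 that sets a root-only directive.
# Returns 0 when the file is clean, 1 when at least one line was printed.
find_root_only_directives() {
    conf="$1"
    found=0
    for d in $ROOT_ONLY_DIRECTIVES; do
        # Anchor at line start so e.g. "SystemGroup" is not matched by "Group".
        if grep -i -E "^[[:space:]]*${d}([[:space:]]|$)" "$conf"; then
            found=1
        fi
    done
    return $found
}

# Same check, but yields a count for callers that want a number.
count_root_only_directives() {
    find_root_only_directives "$1" | wc -l | tr -d ' '
}

# Return 0 if $1 is writable by neither group nor others (the property the
# changelog entry requires of cups-files.conf), 1 otherwise, 2 if unreadable.
config_is_root_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    case "$mode" in
        *[2367][0-7]) return 1 ;;   # group write bit set
        *[2367])      return 1 ;;   # other write bit set
    esac
    return 0
}

# Constructed sample cupsd.conf (not a real system file) with two directives
# that should have been moved to cups-files.conf after the split.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample cupsd.conf
LogLevel warn
Listen localhost:631
PageLog /var/log/cups/page_log
SystemGroup lpadmin
<Location />
  Order allow,deny
</Location>
EOF

# Constructed cups-files.conf stand-ins to exercise the permission check.
SAMPLE_FILES_CONF=$(mktemp)
chmod 0640 "$SAMPLE_FILES_CONF"
LOOSE_FILES_CONF=$(mktemp)
chmod 0664 "$LOOSE_FILES_CONF"
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_FILES_CONF" "$LOOSE_FILES_CONF"' EXIT

if [ "${1:-}" = "--demo" ]; then
    echo "root-only directives still in cupsd.conf:"
    find_root_only_directives "$SAMPLE_CONF" || echo "(move these to cups-files.conf)"
    config_is_root_only "$SAMPLE_FILES_CONF" && echo "cups-files.conf permissions OK"
    config_is_root_only "$LOOSE_FILES_CONF"  || echo "cups-files.conf is group/world writable"
fi
```

Run it with `--demo` to see the two offending lines reported against the constructed sample; on a real system, point `find_root_only_directives` at /etc/cups/cupsd.conf and `config_is_root_only` at /etc/cups/cups-files.conf after applying the split, and add an owner check (`stat -c '%U'` equal to root) for the latter.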