Cheers,
Fernando
--- On Thu, 17/1/13, Armin K. wrote:

> From: Armin K.
> Subject: Re: [blfs-dev] Cups security issue - /etc/cups/cups-files.conf needed
> To: "BLFS Development List"
> Date: Thursday, 17 January 2013, 12:17
>
> On 01/17/2013 03:36 PM, Fernando de Oliveira wrote:
>> Re: Message in Debian (reproduced below).
>>
>> See also:
>>
>> <https://security-tracker.debian.org/tracker/CVE-2012-5519>
>>
>> where there is this:
>>
>> "Name CVE-2012-5519
>> Description CUPS 1.4.4, when running in certain Linux distributions
>> such as Debian GNU/Linux, stores the web interface
>> administrator key in /var/run/cups/certs/0 using certain
>> permissions, which allows local users in the lpadmin group
>> to read or write arbitrary files as root by leveraging the
>> web interface."
>>
>> I have:
>>
>> $ ls -l /var/run/cups/certs/0
>> -r--r----- 1 root lpadmin 32 Jan 17 08:01 /var/run/cups/certs/0
>>
>> I have only read about it today. Gentoo, Debian, Mageia, Mandriva, Ubuntu,
>> Red Hat (Fedora too?), all seem to be affected.
>>
>> Should we do anything about it?
>>
>> Cheers,
>> Fernando
>>
>> From root@vmwdebian Thu Jan 10 07:21:07 2013
>> Envelope-to: root@vmwdebian
>> Delivery-date: Thu, 10 Jan 2013 07:21:07 -0300
>> Date: Thu, 10 Jan 2013 07:21:07 -0300
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset="utf-8"
>> Content-Transfer-Encoding: 7bit
>> Subject: apt-listchanges: news for VMWDebian
>> To: root@vmwdebian
>> From: root <root@vmwdebian>
>>
>> cups (1.4.4-7+squeeze2) stable-security; urgency=high
>>
>>   In order to mitigate a privilege escalation from the lpadmin to root
>>   (CVE-2012-5519), the /etc/cups/cupsd.conf configuration file is split
>>   in two configuration files:
>>
>>   * /etc/cups/cupsd.conf can be edited by members of the lpadmin group
>>     through the cups web interface;
>>   * /etc/cups/cups-files.conf can only be edited by root;
>>
>>   Many sensitive configuration statements can now only be set in
>>   cups-files.conf. No statements have been moved automatically. Please
>>   check the respective manpages.
>>
>>  -- Didier Raboud <[email protected]>  Sat, 29 Dec 2012 12:33:27 +0100
>>
>
> It appears that the following patch fixes the issue:
>
> http://patch-tracker.debian.org/patch/series/dl/cups/1.6.1-1/Split-configuration-files-STR-4223.patch
>
> It's a bit big though and looks like a scary change to me. Can you test
> it and report any issues? Also, please create a bug on the blfs bug
> tracker for this if that is not a problem for you.

No problem. Thanks for the reply, Armin.

I am willing to test it, but have some observations and questions before.

After what I have read, I am a little careful about using that patch. So I tried reading a little more about the bug, and in the ticket for BLFS, suggested another one. However, I could not understand if I should just apply the patch in a new build of cups, or if the cups-files.conf should be copied from that source to the /etc/cups directory.
BTW, these are the contents of that directory on my "physical" LFS 7.1-svn machine:

$ ls -l /etc/cups
total 76
-rw------- 1 root lp    128 Nov  8 12:40 classes.conf
-rw------- 1 root lp    128 Nov  8 10:29 classes.conf.O
-rw-r--r-- 1 root root   35 Nov  9 10:17 client.conf
-rw-r--r-- 1 root root 1077 Nov  9 10:34 command.types
-rw-r----- 1 root lp   3101 Nov  8 13:18 cupsd.conf
-rw-r----- 1 root lp   4538 Nov  9 10:17 cupsd.conf.default
-rw-r----- 1 root lp   4538 Nov  9 10:17 cupsd.conf.N
-rw-r----- 1 root lp   3102 Nov  8 12:58 cupsd.conf.O
drwxr-xr-x 2 root lp   4096 Nov  1 22:36 interfaces
drwxr-xr-x 2 root lp   4096 Nov  9 10:34 ppd
-rw------- 1 root lp    576 Nov  9 10:35 printers.conf
-rw------- 1 root lp    576 Nov  8 12:40 printers.conf.O
-rw-r----- 1 root lp    278 Nov  1 22:36 snmp.conf
-rw-r----- 1 root lp    278 Nov  9 10:17 snmp.conf.N
drwx------ 2 root lp   4096 Nov  1 22:36 ssl
-rw-r--r-- 1 root root   91 Nov 10 08:36 thnuclnt.convs
-rw-r--r-- 1 root root   75 Nov 10 08:36 thnuclnt.types

As I had a problem with cups, I have modified it many times, including deleting and changing owner/permissions. Are these good, or should I modify anything there?

Thanks.

-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
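The two questions in the thread, which directives have to leave the lpadmin-editable cupsd.conf after the split, and whether the permissions under /etc/cups look sane, can both be checked mechanically. The script below is an added example written for this page; it is not part of the BLFS book, the Debian patch or CUPS. It assumes the directive list from the cups-files.conf(5) man page of CUPS 1.6/1.7 (AccessLog, ErrorLog, PageLog, SystemGroup, User, Group and the other file, directory, user and group settings), which is exactly the class of setting the CVE-2012-5519 attacker needed to reach through the web interface, and it assumes CUPS's default of writing printers.conf and classes.conf mode 0600 (they can carry device URIs with credentials). The sample cupsd.conf contents and the "bad" listing lines are constructed; the "good" listing lines are taken from the /etc/cups listing posted above.

```shell
#!/bin/sh
# Added example, not BLFS, Debian or CUPS code. Two checks for the
# cupsd.conf / cups-files.conf split discussed in the thread.

# Assumption: directives that cups-files.conf(5) of CUPS 1.6/1.7 reserves
# for the root-only file. A copy left in the lpadmin-editable cupsd.conf is
# either ignored by a patched cupsd or, on an unpatched one, is the
# CVE-2012-5519 attack surface, so it is flagged either way.
FILE_DIRECTIVES="accesslog cachedir configfileperm datadir documentroot
errorlog fatalerrors filedevice fontpath group logfileperm pagelog printcap
printcapformat remoteroot requestroot serverbin servercertificate serverkey
serverkeychain serverroot statedir systemgroup tempdir user"

# check_cupsd_conf FILE: print every directive that must move to
# cups-files.conf; return 0 if the file is clean, 1 otherwise.
check_cupsd_conf() {
    _conf=$1
    _rc=0
    set -f   # no globbing while word-splitting lines such as "Listen *:631"
    while IFS= read -r _line || [ -n "$_line" ]; do
        set -- $_line
        [ $# -eq 0 ] && continue
        case "$1" in '#'*) continue ;; esac
        _key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # directives are case-insensitive
        for _d in $FILE_DIRECTIVES; do
            if [ "$_key" = "$_d" ]; then
                printf 'move to cups-files.conf: %s\n' "$*"
                _rc=1
            fi
        done
    done < "$_conf"
    set +f
    return $_rc
}

# check_listing FILE: parse "ls -l" lines and flag anything writable by
# group or other, plus printers.conf/classes.conf readable by anyone but
# the owner (assumed CUPS default: 0600). Return 0 if nothing is flagged.
check_listing() {
    _rc=0
    while read -r _mode _l _owner _group _rest; do
        case "$_mode" in [-d]?????????*) ;; *) continue ;; esac   # skip "total N"
        _name=${_rest##* }
        _grp=$(printf '%s' "$_mode" | cut -c5-7)
        _oth=$(printf '%s' "$_mode" | cut -c8-10)
        case "$_grp$_oth" in *w*)
            printf 'writable by group/other: %s (%s %s:%s)\n' "$_name" "$_mode" "$_owner" "$_group"
            _rc=1 ;;
        esac
        case "$_name" in printers.conf|classes.conf)
            case "$_grp$_oth" in *r*)
                printf 'should be 0600: %s (%s)\n' "$_name" "$_mode"
                _rc=1 ;;
            esac ;;
        esac
    done < "$1"
    return $_rc
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed: a pre-split cupsd.conf that still carries file-path settings.
cat > "$SAMPLE_DIR/cupsd.conf.old" <<'EOF'
LogLevel warn
PageLog /var/log/cups/page_log
ErrorLog /var/log/cups/error_log
SystemGroup lpadmin
Listen localhost:631
<Location />
  Order allow,deny
</Location>
EOF
# Constructed: the same file after those settings were moved to cups-files.conf.
cat > "$SAMPLE_DIR/cupsd.conf.split" <<'EOF'
LogLevel warn
Listen localhost:631
<Location />
  Order allow,deny
</Location>
EOF
# Lines taken from the /etc/cups listing in the thread.
cat > "$SAMPLE_DIR/listing" <<'EOF'
total 76
-rw------- 1 root lp 128 Nov 8 12:40 classes.conf
-rw-r----- 1 root lp 3101 Nov 8 13:18 cupsd.conf
-rw------- 1 root lp 576 Nov 9 10:35 printers.conf
drwx------ 2 root lp 4096 Nov 1 22:36 ssl
EOF
# Constructed: a group-writable cupsd.conf and a world-readable printers.conf.
cat > "$SAMPLE_DIR/listing.bad" <<'EOF'
-rw-rw-r-- 1 root lp 3101 Nov 8 13:18 cupsd.conf
-rw-r--r-- 1 root lp 576 Nov 9 10:35 printers.conf
EOF

check_cupsd_conf "$SAMPLE_DIR/cupsd.conf.old"   || echo "-> cupsd.conf.old needs work"
check_cupsd_conf "$SAMPLE_DIR/cupsd.conf.split" && echo "-> cupsd.conf.split is clean"
check_listing "$SAMPLE_DIR/listing"      && echo "-> posted listing: nothing writable by group/other"
check_listing "$SAMPLE_DIR/listing.bad"  || echo "-> listing.bad has problems"
```

Run against a real system with `check_cupsd_conf /etc/cups/cupsd.conf` and `ls -l /etc/cups | check_listing /dev/stdin`; the directive list is the thing to adjust when your CUPS version's cups-files.conf(5) differs.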
