--- On Thu, 17/1/13, Fernando de Oliveira wrote:

> From: Fernando de Oliveira
> Subject: Re: [blfs-dev] Cups security issue - /etc/cups/cups-files.conf needed
> To: "BLFS Development List"
> Date: Thursday, 17 January 2013, 14:22


> --- On Thu, 17/1/13, Armin K. wrote:
> 
>> From: Armin K.
>> Subject: Re: [blfs-dev] Cups security issue -
> /etc/cups/cups-files.conf needed
>> To: "BLFS Development List"
>> Date: Thursday, 17 January 2013, 12:17
>> On 01/17/2013 03:36 PM, Fernando de
>> Oliveira wrote:
>>> Re: Message in Debian (reproduced below).
>>>
>>> See also:
>>>
>>> <https://security-tracker.debian.org/tracker/CVE-2012-5519>
>>>
>>> where there is this:
>>>
>>> "Name    CVE-2012-5519
>>> Description    CUPS 1.4.4, when running
>>> in certain Linux distributions
>>> such as Debian GNU/Linux, stores the web interface
>>> administrator key in /var/run/cups/certs/0 using
> certain
>>> permissions, which allows local users in the
> lpadmin group
>>> to read or write arbitrary files as root by
> leveraging the
>>> web interface."
>>>
>>> I have:
>>>
>>> $ ls -l /var/run/cups/certs/0
>>> -r--r----- 1 root lpadmin 32 Jan 17 08:01
>>> /var/run/cups/certs/0
>>>
>>> I only have read about it today. Gentoo, Debian,
>>> Mageia, Mandriva, Ubuntu,
>>> Red Hat (Fedora too?), all seem to be affected.
>>>
>>> Should we do anything about it?
>>>
>>> []s,
>>> Fernando
>>>
>>> From root@vmwdebian Thu Jan 10 07:21:07 2013
>>> Envelope-to: root@vmwdebian
>>> Delivery-date: Thu, 10 Jan 2013 07:21:07 -0300
>>> Date: Thu, 10 Jan 2013 07:21:07 -0300
>>> MIME-Version: 1.0
>>> Content-Type: text/plain; charset="utf-8"
>>> Content-Transfer-Encoding: 7bit
>>> Subject: apt-listchanges: news for VMWDebian
>>> To: root@vmwdebian
>>> From: root <root@vmwdebian>
>>>
>>> cups (1.4.4-7+squeeze2) stable-security;
> urgency=high
>>>
>>>    In order to mitigate a privilege
>>> escalation from the lpadmin to root
>>>    (CVE-2012-5519), the
> /etc/cups/cupsd.conf
>>> configuration file is split
>>>    in two configuration files:
>>>
>>>    * /etc/cups/cupsd.conf can be edited
> by
>>> members of the lpadmin group
>>>      through the cups web
> interface;
>>>    * /etc/cups/cups-files.conf can only
> be
>>> edited by root;
>>>
>>>    Many sensitive configuration
> statements
>>> can now only be set in
>>>    cups-files.conf. No statements have
> been
>>> moved automatically. Please
>>>    check the respective manpages.
>>>
>>>   -- Didier Raboud <o...@debian.org>
> 
>>> Sat, 29 Dec 2012 12:33:27 +0100
>>>
>> 
>> It appears that following patch fixes the issue:
>> 
>> http://patch-tracker.debian.org/patch/series/dl/cups/1.6.1-1/Split-configuration-files-STR-4223.patch
>> 
>> It's a bit big though and looks scary change to me. Can

Apologies, thought the patch you suggested was from cups, not Debian.

Tried to apply the patch. Fails if applied after the other we use in 
BLFS. Reordered to be the first one applied.

Build fails with message (in Portuguese; my free translation):

make[1]: ***  No rule to process the target `cups-files.conf.5.gz', 
necessary for `all'.  Stop.

This is apparently known from Debian:

Bug#697543: Missing man page for cups-files.conf - Patch, at
<http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1090952.html>

Unfortunately, I cannot understand the patch in this URL, which is for 
/debian/cups.install

Tried also the CVE-2012-5519.patch that I suggested a while ago; it was 
worse.

[]s,
Fernando
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
