Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
Scripsis, quam aut quem »Krzysztof Halasa« appellare soleo: > Horms <[EMAIL PROTECTED]> writes: > > >> Then log out and let root login (in a computer pool, you can usually get > >> an admin to log on as root on a console somehow). The next time he'll > >> press TAB to complete a file name, he instead will run the shell > >> command. > > Why doesn't the intruder just simulate login process (printing "login: " > and "Password:")? That's known and used for ages. > > The root user (and any other user) should press the SAK key before > attempting login. It should a) reset terminal to a sane state, > b) terminate and/or disconnect all processes from current tty. That does not help against the loadkeys issue if the attacking user is still logged in on another virtual console. Even when tty1 is active, a user owning tty6 can use loadkeys. Plus, the Linux SAK does not reset the keyboard mapping. And SAK does not reset the video mode, so when pressed on X, the terminal video mode is garbled until reboot (maybe it works fine with some framebuffer drivers, but with the stock VGA text console, it doesn't). X comes back up fine, but when pressing Ctrl-Alt-F1, X will restore the video mode it saw on startup - which is the mode of the previous X server the SAK has killed. > Alternatively, he/she should hw-reset/power-cycle the terminal, > if possible (say, with serial/X-terminal). Well, sometimes you have problems that powercycling would "hide" so you can't track them down if you powercycle the whole computer every time. > OTOH I don't know why ordinary users should be allowed to change key > bindings. For using foreign languages and keyboard mappings. But for that a suid wrapper around loadkeys would suffice - most distributions include more than enough keyboard mapping files already. > BTW: Not sure about Linux consoles, but in general ESCape sequences > can redefine key bindings as well. That's why SAK/reset is so important. If man console_codes is correct, they can't.
Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
Scripsis, quam aut quem »Krzysztof Halasa« appellare soleo: > Rudolf Polzer <[EMAIL PROTECTED]> writes: > > That does not help against the loadkeys issue if the attacking user is still > > logged in on another virtual console. Even when tty1 is active, a user > > owning > > tty6 can use loadkeys. > > Sure. The problem is that mappings are shared between VCs but anyway > it's solved by disabling user changes. > I don't think there is a solution here, easier than hardware reset. > As for "server" machines (not simple terminals), physical locking is > critical. Of course it is. However, pool computers like in this case are neither servers nor terminals. If they were terminals, we would need about 30 servers to handle the load of 100 active students. So they are workstation installations that do most of the work locally. > > Well, sometimes you have problems that powercycling would "hide" so you > > can't > > track them down if you powercycle the whole computer every time. > > In security-sensitive instalation, you simply don't expose the computers > to non-admins. Well, in this case the issue is on pool computers for students. Students SHOULD be able to access the computers, but not as root. Currently our workaround is "only su(do) from a ssh session on a 'trusted' computer". > > For using foreign languages and keyboard mappings. > > Hope they don't change the keys in the process. They HAVE to do that, this is the very point of switching the keyboard layout from German to US, to UK, to French or to whatever. > Anyway, most people don't need that nor they need suid-wrapper. Many people here need that, but it's ok for them if it works only in X11 (most of these users don't even know that text consoles exist). However, Xorg and XFree86 have about the same problem: you can remap Ctrl-Alt-Backspace. So it would be good if the SAK also worked there which would require it to set a "sane" video mode.
Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
Scripsis, quam aut quem »Krzysztof Halasa« appellare soleo: > Rudolf Polzer <[EMAIL PROTECTED]> writes: > > However, pool computers like in this case are neither servers nor > > terminals. If they were terminals, we would need about 30 servers to > > handle the load of 100 active students. So they are workstation > > installations that do most of the work locally. > > Ok. So they are exposed to known attacks with quite high probability. Which others? Are there other places that assume only trusted users can access the console? > >> Hope they don't change the keys in the process. > > > > They HAVE to do that, > > Well, I meant physical keys to match them to loaded keymaps :-) ;) > > However, Xorg and XFree86 have about the same problem: you can remap > > Ctrl-Alt-Backspace. So it would be good if the SAK also worked there which > > would require it to set a "sane" video mode. > > I assume that one can notice that Ctrl-Alt-Backspace doesn't work, > and stop there. Not if a malicious X program does "chvt 1; chvt 7" when Ctrl-Alt-Backspace is pressed. > I think SAK/X11 video mode issue is possible to fix, though. It would require a video driver that can actually reset the video mode. Framebuffer drivers usually can do that. For the standard VGA text mode, at least savetextmode/restoretextmode from svgalib don't work on the graphics cards I have.
Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
Scripsis, quam aut quem »Krzysztof Halasa« appellare soleo: > Rudolf Polzer <[EMAIL PROTECTED]> writes: > > >> Ok. So they are exposed to known attacks with quite high probability. > > > > Which others? Are there other places that assume only trusted users can > > access > > the console? > > Probably: BIOS booting, Locked. And these boards don't even have the wide-spread "boot from USB even if system boot up sequence states otherwise" bug. Probably just because they do not support booting from USB, though. > messing with computer cases (are the computers in locked room and only > kbds/monitors/mouses are accessible?), Not locked, but that would be an option - others would notice it if you did anything weird, however. > sniffing keyboard cables (all other passwords if not root's), That's the only thing that might actually work - an inductive device wrapped around the keyboard cable. But I've never seen those available ready to buy. > physical damage to the computer hardware (some kind of DoS). Not interesting. Well, once someone stole a mouse. A dirty old PS/2 mouse with a ball. Who would steal such a mouse? > Still, may be adequate for student room. Right, especially since people would not mess with the hardware. If there are 20 students in a room, would you really do something strange? For example, nobody even tries to watch porn in these rooms. > >> I assume that one can notice that Ctrl-Alt-Backspace doesn't work, > >> and stop there. > > > > Not if a malicious X program does "chvt 1; chvt 7" when Ctrl-Alt-Backspace > > is > > pressed. > > With correct timing, possibly. Depends on how the graphics driver starts > and switches from text mode. There might be noticeable differences. There might be a difference, yes - but there's also a difference in timing if the system has background load. So nothing to rely upon. Plus we have CRTs that just get black for some time with some clicking noise - and these CRTs need quite a long time to start showing a picture after changing the video mode. > > It would require a video driver that can actually reset the video mode. > > Framebuffer drivers usually can do that. For the standard VGA text mode, at > > least savetextmode/restoretextmode from svgalib don't work on the graphics > > cards I have. > > I think Xserver could terminate gracefully. But it would require changes > to kernel SAK handling I think - not sure if it's worth it, given other > threats. > > Another idea: if the machines are ACPI-enabled and have "soft-power" > buttons, one can make use of acpid. Yes, good idea, but we already are using it for soft reboot. If people start using the idea of remapping backspace so others can't kill their screen saver (and then keep logged on idle for days - a quite typical "DoS" here), the power button will most probably be remapped from "shutdown -r now" to "/etc/init.d/kdm restart". We usually don't want to kill some professor's pine (ugh, they want us to install it) in that case, but rebooting would do that too.
Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
Scripsis, quam aut quem »Krzysztof Halasa« appellare soleo: > Rudolf Polzer <[EMAIL PROTECTED]> writes: > > That's the only thing that might actually work - an inductive device wrapped > > around the keyboard cable. But I've never seen those available ready to buy. > > There are simpler designs - it's just a serial line, right? A simple > "dongle" can send data from the keyboard to a notebook. With luck two > wires would do (using parallel port for sampling data). We use a PS/2 port, so without a reboot, this would not work. IIRC 2.6 kernels with keyboard support compiled into the kernel cannot be forced to re-detect the keyboard when the line was interrupted (which is a big problem with old KVM switches). Of course, with USB keyboards this approach would work. And if it weren't for the typical nvidia driver problems, we wouldn't allow students to reboot the computers using the power button and let it restart the X server instead.
Bug#330602: irssi-text: also happens on unstable's latest irssi
Package: irssi-text Version: 0.8.9-3.1 Followup-For: Bug #330602 It also happens on unstable's latest irssi-text package and when loading ANY script - even an empty file or just typing "/script exec 1". -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable') Architecture: powerpc (ppc) Shell: /bin/sh linked to /bin/dash Kernel: Linux 2.6.12-1-powerpc Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15) Versions of packages irssi-text depends on: ii libc6 2.3.5-6GNU C Library: Shared libraries an ii libglib2.0-0 2.8.3-1The GLib library of C routines ii libncurses5 5.4-9 Shared libraries for terminal hand ii libperl5.85.8.7-5Shared Perl library ii libssl0.9.7 0.9.7g-3 SSL shared libraries ii perl 5.8.7-5Larry Wall's Practical Extraction ii perl-base [perlapi-5.8.7] 5.8.7-5The Pathologically Eclectic Rubbis irssi-text recommends no packages. -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#334113: linux-image-2.6.12-1-powerpc: kernel allows loadkeys to be used by any user, allowing for local root compromise
Package: linux-image-2.6.12-1-powerpc Version: 2.6.12-10 Severity: critical Tags: security Justification: root security hole The non-suid command "loadkeys" can be used by any local user having console access. It does not just apply to the current virtual console but to all virtual consoles and its effect persists even after logout. A proof of concept would be (^V, ^C etc. refer to key presses on the console): loadkeys keycode 15 = F23 string F23 = "^V^C^V^Mecho hello world^V^M" ^D Then log out and let root login (in a computer pool, you can usually get an admin to log on as root on a console somehow). The next time he'll press TAB to complete a file name, he instead will run the shell command. Of course, the shell command could be more evil, e.g. add a line to /etc/passwd, clear the screen to make it less obvious, sync and write stuff to /dev/mem to cause a kernel crash so that most people would not suspect anything but a hardware fault. A demo exploit adding a line to the password file, clearing the screen and logging out exists in form of a shell script. As a solution, I propose that the loadkeys command (or more exactly, the kernel interface it uses) should be restricted to root and instead one could add a suid wrapper for loadkeys that only allows the system-wide keymaps to be loaded. The old behaviour could still be made selectable using a procfs file. If the last modification time of the manual page of loadkeys is true, this bug exists in the Linux kernel at least since 1997. However, the BUGS section of the manpage does not hint that the loadkeys command can even be used as a root compromise and not just for stuff like unbinding all keys. Plus, it might be good to have a way to disable chvt for non-root users. Using chvt, a malicious user could do the same thing in an X session: remap Backspace to another key, handle Ctrl-Alt-Backspace by chvt 1; chvt 7 (so the video mode switches) and showing a fake login manager on the X display. If chvt were not possible for mere mortals, the admin would be able to disable all possible video mode switching caused by X applications (like xrandr, xvidmode, dpms) in the xorg.conf file so that he finally knows: if Ctrl-Alt-Backspace caused video mode switching, the resulting login screen is genuine. Another solution would be a keymap-invariant non-remappable "zap" key combination with the functionality of Alt-SysRq-K - but on an X screen, it should tell the X server to exit instead of kill -9ing it so that the video mode gets restored. And it should be able to make a kernel support it without adding all of the other "Magic SysRq Key" features. Of course, it should lock the keymap until the user tells the system to unlock it again. Or, even better: a "root login key". That is, something unremappable that causes a new VT to be created with a login prompt for root - and while this VT is active, the keymap should be locked to the system-wide standard keymap. Ideally, that "root login key" should also work from X and maybe even when the X server has crashed. -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: powerpc (ppc) Shell: /bin/sh linked to /bin/dash Kernel: Linux 2.6.12-1-powerpc Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15) Versions of packages linux-image-2.6.12-1-powerpc depends on: ii coreutils [fileutils] 5.2.1-2.1 The GNU core utilities ii initrd-tools 0.1.82 tools to create initrd image for p ii mkvmlinuz 15 create a kernel to boot a PowerPC ii module-init-tools 3.2-pre9-2 tools for managing Linux kernel mo linux-image-2.6.12-1-powerpc recommends no packages. -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#646377: d0_blind_id version
Hi, as for the version of d0_blind_id: use the latest tagged version in the v1.0 form. The Xonotic-specific tags should not be needed there, as the only differences since xonotic-v0.7.0 affect only the standalone key generator tool which does not come with Xonotic anyway (it is the file crypto-keygen-standalone.c that comes with DarkPlaces). And in fact, the xonotic-v0.8.0 tag and the v1.0 tag in the repository are equivalent anyway. As for building the pk3 files from source: I highly advise against that, as the build process is very lengthy and involves non-free tools (which you can - at a quality loss - replace by free ones): - Textures are stored in tga form in git, but converted to S3TC using AMD Compressonator. An alternate free Debian-packaged tool would be the s2tc compressor, which can be told to use the S3TC libtxc_dxtn instead if you want. This will however mean a quality loss. Logic for which files should be compressed at all is in xonotic.git misc/tools/cached_converter.sh and misc/tools/all/release.subr (our master build script). The cached_converter already can be told to use the s2tc binary, and you can use e.g. LD_PRELOAD to force it to use the S3TC libtxc_dxtn. This whole process, from zero, will take about 6 hours. Please, absolutely, do NOT ship a version of Xonotic by default that doesn't use compressed textures, as this means a HUGE slowdown in startup/loading times which users find really annoying! - QuakeC code is built using gmqcc. You can mostly assume that using a recent gmqcc build should do, as long as the code compiles. If you're paranoid, use our integration test "./all serverbench" from our repository, which runs a pre-defined botmatch with fixed random number generator and no timing influence; to verify it, it outputs a checksum of the server log. This should stay the same across gmqcc changes. - Maps are compiled with q3map2. Command-line flags for it are stored in two places: misc/tools/xonotic-map-compiler contains the "default" flags we use when nothing else is specified. You can adapt this to your build process, use it as is, or just copy the default flags from there. data/xonotic-maps.pk3dir/maps/mapname.map.options contains the non-default options. Essentially, any line starting with - is used as command line options passed to misc/tools/xonotic-map-compiler. Also, misc/tools/xonotic-map-compiler-optionsfile parses the options file and runs xonotic-map-compiler for convenience. This is actually what our map build service is using, which we insist on to ensure well-documented and repeatable map builds. - I strongly advise against recompiling the maps with q3map2. First of all, it really must be the NetRadiant fork of q3map2, as we have features and bug fixes there not in any other q3map2 (the fork is a sad story and was created because id software, owning q3map2 at the time, refused patches to clear bug fixes that strongly affected us in Nexuiz - now the situation is better, but it diverged too much from ZeroRadiant's q3map2 that there's little hope of ever unifying them, unless someone can skip their full-time job for a few months). But more importantly, q3map2's light pass is one of the most inefficient raytracers I have ever seen, and will take about 2 days for all our maps together. I really don't think you want to put up with that compile time. After all this, I'd really prefer if you didn't recompile the pk3 files. The only part that is easily servicable and also patch-worthy is the QuakeC code, which I'd be fine with if you patched/recompiled it and replaced the progs.dat/csprogs.dat/menu.dat files generated by its compilation in our xonotic-data pk3 file. Best regards, Rudolf Polzer
Bug#873316: mawk's hical example has Y2K bug
Package: mawk Version: 1.3.3-17 Severity: minor Dear Maintainer, What led up to the situation? Discovered the issue when searching Debian Code Search for "19%y". * What exactly did you do (or not do) that was effective (or ineffective)? sh /usr/share/doc/mawk/examples/hical * What was the outcome of this action? Current year shown as 1917 * What outcome did you expect instead? Current year shown as 2017 Fix suggestion 1: change 19%y to %Y in the script. Fix suggestion 2: take the fixed version from upstream mawk 1.3.4. The script has also some more bugs fixed upstream since - its shebang points at /usr/sh which does not exist, and the echo command needs an extra -e or the output will contain literal \n instead of line feeds. All this is fixed upstream. The issue is still present on sid, 1.3.3-17. -- System Information: Debian Release: 8.9 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/bash Init: systemd (via /run/systemd/system) Versions of packages mawk depends on: ii libc6 2.19-18+deb8u10 mawk recommends no packages. mawk suggests no packages. -- no debconf information
Bug#869824: missing package
Package: linux-headers-amd64 Version: 4.11.0-2-amd64 this package is missing
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
Package: printer-driver-cups-pdf Version: 3.0.1-4 Severity: grave Justification: renders package unusable -- System Information: Debian Release: buster/sid APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.14.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages printer-driver-cups-pdf depends on: ii cups2.2.6-4 ii cups-client 2.2.6-4 ii ghostscript 9.22~dfsg-1 ii libc6 2.25-6 ii libcups22.2.6-4 ii libpaper-utils 1.1.24+nmu5 printer-driver-cups-pdf recommends no packages. Versions of packages printer-driver-cups-pdf suggests: pn system-config-printer -- no debconf information Bug description: The cups pdf printer produces no pdf output file. After deleting the pdf printer, the add printer function does not work as expected: After selecting "Generic" as printer make, no pdf printer model is selectable. I instead selected one of the existing ppd files in /usr/share/ppd/cups-pdf but this did not make the pdf printer work. The bug started by my recent update from cups-pdf, where pdf printing did work, to printer-driver-cups-pdf.
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
You are right - the cups pdf printer is now working. I changed the pdf output directory a long time ago before using Apparmor, but now Apparmor needs to allow rw access to this directory. So I updated /etc/apparmor.d/usr.sbin.cupsd and the pdf printing works. The config problem remains unsolved. Rudolf Polzer
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
>> So I updated /etc/apparmor.d/usr.sbin.cupsd
>> and the pdf printing works.
>
> With what did you update it?
>
In /etc/apparmor.d/usr.sbin.cupsd, below the line
/usr/lib/cups/backend/cups-pdf {
I added the line
capability mknod,
and I changed two lines from
@{HOME}/PDF/ rw,
@{HOME}/PDF/* rw,
to
@{HOME}/my_pdf_directory/ rw,
@{HOME}/my_pdf_directory/* rw,
>> The config problem remains unsolved.
>
> Can you reproduce this problem?
>
Yes - every time I delete the cups pdf printer and try to add a new
virtual pdf printer, I can select the printer make (Generic) but in the
next step I cannot select a pdf printer type - I have to select the
appropriate ppd file and I have to know where it is.
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
/usr/sbin/lpinfo -m | grep ^lsb returns nothing here. I used /usr/share/ppd/cups-pdf/CUPS-PDF_opt.ppd The other file there (noopt instead of opt) works as well.
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
> /usr/share/ppd/ should contain at least cups-pdf, cupsfilters and custom > directories. The cupsfilters directory should have six files in it. If > you do 'lpinfo -m | less' and search for any of these files, do you find > them? (Check, as root, that the timestamp of /var/cache/cups/ppds.dat has > changed after using lpinfo). #lpinfo -m | less does not contain any pdf or PDF and does not change the timestamp of /var/cache/cups/ppds.dat
Bug#911996: libqt5serialport5 version in Debian stable is wrong
Package: libqt5serialport5 Version: 5.7.1 is available, 5.9.x is missing I run Debian stable and need libqt5serialport5 version 5.9 instead of 5.7 - other parts of Debian stable do not accept qt5 version lower than 5.9
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
Here, #lpinfo -m | grep -E "PDF|pdf" returns nothing. #lpinfo -m returns none of the files from /usr/share/ppd/cupsfilters This is my /etc/apt/sources.list, I am updating three or four times a year: deb http://ftp.uni-erlangen.de/debian/ stretch main deb-src http://ftp.uni-erlangen.de/debian/ stretch main deb http://ftp.uni-erlangen.de/debian/ stable main deb-src http://ftp.uni-erlangen.de/debian/ stable main deb http://security.debian.org/ stable/updates main deb-src http://security.debian.org/ stable/updates main deb http://security.debian.org/ stretch/updates main deb-src http://security.debian.org/ stretch/updates main deb http://ftp.uni-erlangen.de/debian/ stretch-updates main deb-src http://ftp.uni-erlangen.de/debian/ stretch-updates main deb http://dl.bintray.com/tvheadend/ubuntu stable main # I need this line for scilab: deb http://ftp.uni-erlangen.de/debian/ sid main
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
> 1. Please do > >cp /usr/share/ppd/cups-pdf/CUPS-PDF_noopt.ppd > /usr/share/ppd/custom/test.ppd > >(test.ppd can be deleted later on). > > 2. Activate debug logging as described at > > > https://wiki.debian.org/DissectingandDebuggingtheCUPSPrintingSystem#The_CUPS_Error_Log > >Empty the error_log and (as root) do 'lpinfo -m'. Attach the log >to your next mail sent here. > >(You might have to restart cups after using cupsctl. > 'systemctl restart cups'). > > 3. Check whether ppds.dat has changed. #lpinfo -m returned lpinfo: Ungültiger Dateideskriptor (invalid file descriptor) and /var/log/cups/error_log remains empty. Date and size of /var/cache/cups/ppds.dat did not change.
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
same as before, /var/log/cups/error_log is empty
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
> The cupsctl command should show "_debug_logging=1". Before, I used cupsctl --debug-logging which returned no errors - now I retried with cupsctl LogLevel=debug1 and this finally gives an error_log: E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-310sc.cts\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-300cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-3160cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-216x-600x600cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-600-600x600cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-216xcms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-3160cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-610cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-500cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-610-1200x600cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-500cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-620sc.cts\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-600-1200x1200cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-6220sc.cts\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-510cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-600-1200x1200cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-3170sc.cts\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-600cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-300cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-300-1200x1200cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-610-1200x1200cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-310-600x600cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-610-600x600cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-600-600x600cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-216x-1200x600cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-600-1200x600cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-610sc.cts\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-3160-600x600cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-510cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-300-600x600cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-3160-1200x1200cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-3170cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-3160-1200x600cms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-660sc.cts\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLP-310cms2\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-216xcms\"! E [08/Jan/2018:14:31:48 +0100] [cups-driverd] Bad driver information file \"/usr/share/cups/model/samsung/cms/CLX-3160-1200x600cms2\"! E [08/Jan
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
#cupsctl LogLevel=debug #systemctl restart cups #>/var/log/cups/error_log #lpinfo -m then /var/log/cups/error_log contains I [08/Jan/2018:16:41:25 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:26 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:27 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:28 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:29 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:30 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:31 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:32 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:33 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:34 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:35 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:36 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:37 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:38 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:39 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:40 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:41 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:42 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:43 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:44 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:45 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:46 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:47 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:48 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:49 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:50 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:51 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:52 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:53 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:54 +0100] Expiring subscriptions... D [08/Jan/2018:16:41:54 +0100] Report: clients=2 D [08/Jan/2018:16:41:54 +0100] Report: jobs=499 D [08/Jan/2018:16:41:54 +0100] Report: jobs-active=0 D [08/Jan/2018:16:41:54 +0100] Report: printers=3 D [08/Jan/2018:16:41:54 +0100] Report: stringpool-string-count=5341 D [08/Jan/2018:16:41:54 +0100] Report: stringpool-alloc-bytes=14520 D [08/Jan/2018:16:41:54 +0100] Report: stringpool-total-bytes=99544 I [08/Jan/2018:16:41:55 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:56 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:57 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:58 +0100] Expiring subscriptions... I [08/Jan/2018:16:41:59 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:00 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:01 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:02 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:03 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:04 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:05 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:06 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:07 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:08 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:09 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:10 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:11 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:12 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:13 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:14 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:15 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:16 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:17 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:18 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:19 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:20 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:21 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:22 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:23 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:24 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:25 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:26 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:27 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:28 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:29 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:30 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:31 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:32 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:33 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:34 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:35 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:36 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:37 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:38 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:39 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:40 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:41 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:42 +0100] Expiring subscriptions... I [08/Jan/2018:16:42:43
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
the result is a bit lengthy, you can download it from http://i-r-p.de/tmp/error_log.txt
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
> Post the output of 'ls -l /usr/share/ppd' and say from where you got the > package containing the samsung files. ls -l /usr/share/ppd returns drwxr-xr-x 2 root root 4096 Jan 2 13:13 cupsfilters drwxr-xr-x 2 root root 4096 Jan 3 10:26 cups-pdf drwxrwsr-t 2 root lpadmin 4096 Jan 8 12:22 custom -rwxr-xr-x 1 root root10134 Apr 24 2015 MFC7360N.ppd lrwxrwxrwx 1 root root 29 Feb 23 2016 samsung -> /usr/share/cups/model/samsung Years ago, I downloaded a linux driver for my Samsung CLP 315 printer directly from Samsung, for I had not found it in Debian. This is my main printer.
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
I deleted the symlink. Now, # lpinfo -m | grep ^lsb returns lsb/usr/cupsfilters/Fuji_Xerox-DocuPrint_CM305_df-PDF.ppd Fuji Xerox lsb/usr/MFC7360N.ppd Brother MFC7360N for CUPS lsb/usr/cups-pdf/CUPS-PDF_noopt.ppd Generic CUPS-PDF Printer (no options) lsb/usr/cups-pdf/CUPS-PDF_opt.ppd Generic CUPS-PDF Printer (w/ options) lsb/usr/cupsfilters/Generic-PDF_Printer-PDF.ppd Generic PDF Printer lsb/usr/cupsfilters/HP-Color_LaserJet_CM3530_MFP-PDF.ppd HP Color LaserJet CM3530 MFP PDF lsb/usr/cupsfilters/pxlcolor.ppd HP Color LaserJet Series PCL 6 CUPS lsb/usr/cupsfilters/pxlmono.ppd HP LaserJet Series PCL 6 CUPS lsb/usr/cupsfilters/Ricoh-PDF_Printer-PDF.ppd Ricoh PDF Printer
Bug#886224: printer-driver-cups-pdf: Virtual pdf printer error: no output and config problem
Hi Brian, thank you very much for your assistance. Rudolf
Bug#940578: fixed in cups 2.3.0-6
Hello Intrigeri,
no, this is not included in /etc/apparmor.d/usr.sbin.cupsd.
Regards,
Rudolf Polzer
Am 11.12.19 um 07:50 schrieb intrigeri:
Does your /etc/apparmor.d/usr.sbin.cupsd end with these lines:
# allow read and write on almost anything in @{HOME} (lenient, but
# private-files-strict is in effect), to support customized "Out"
# setting in cups-pdf.conf (Debian#940578)
#include
@{HOME}/[^.]*/{,**/} rw,
@{HOME}/[^.]*/** rw,
}
?
Bug#940578: fixed in cups 2.3.0-6
For me it is still not working, because I changed
/etc/cups/cups-pdf.conf
from
Out ${HOME}/Transport
to
Out ${HOME}
and get the error message
audit[5146]: AVC apparmor="DENIED" operation="mknod"
profile="/usr/lib/cups/backend/cups-pdf" name="/home/rudi/home_rudi.pdf"
pid=5146 comm="gs" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Bug#940578: fixed in cups 2.3.0-6
Hi intrigeri, please make a suggestion how I should now proceed to get pdf printing running on my stable Debian, because selecting a subdirectory of home doesn't work - I get the same error message as before. Regards, Rudolf
Bug#940578: printer-driver-cups-pdf: cups pdf printer cannot create pdf file
Package: printer-driver-cups-pdf
Version: 3.0.1-5
Severity: normal
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages printer-driver-cups-pdf depends on:
ii cups2.2.10-6
ii cups-client 2.2.10-6
ii ghostscript 9.27~dfsg-2
ii libc6 2.28-10
ii libcups22.2.10-6
ii libpaper-utils 1.1.28
printer-driver-cups-pdf recommends no packages.
Versions of packages printer-driver-cups-pdf suggests:
pn system-config-printer
-- Configuration Files:
/etc/cups/cups-pdf.conf changed:
Out ${HOME}/Transport
Grp lpadmin
DecodeHexStrings 1
-- no debconf information
-- audit error message:
audit[11578]: AVC apparmor="DENIED" operation="mknod"
profile="/usr/lib/cups/backend/cups-pdf"
name="/home/rudi/Transport/home_rudi_Transport.pdf" pid=11578 comm="gs"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Bug#933879: cups: Samsung CLP315 fails after update from Stretch to Buster
Subject: cups: Samsung CLP315 fails after update from Stretch to Buster Package: cups Version: 2.2.10-6 Severity: normal -- System Information: Debian Release: 10.0 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages cups depends on: ii cups-client2.2.10-6 ii cups-common2.2.10-6 ii cups-core-drivers 2.2.10-6 ii cups-daemon2.2.10-6 ii cups-filters 1.21.6-5 ii cups-ppdc 2.2.10-6 ii cups-server-common 2.2.10-6 ii debconf [debconf-2.0] 1.5.71 ii ghostscript9.27~dfsg-2 ii libavahi-client3 0.7-4+b1 ii libavahi-common3 0.7-4+b1 ii libc6 2.28-10 ii libcups2 2.2.10-6 ii libcupsimage2 2.2.10-6 ii libgcc11:8.3.0-6 ii libstdc++6 8.3.0-6 ii libusb-1.0-0 2:1.0.22-2 ii poppler-utils 0.71.0-5 ii procps 2:3.3.15-2 Versions of packages cups recommends: ii avahi-daemon 0.7-4+b1 ii colord 1.4.3-4 ii cups-filters [ghostscript-cups] 1.21.6-5 ii printer-driver-gutenprint5.3.1-7 Versions of packages cups suggests: ii cups-bsd 2.2.10-6 pn foomatic-db-compressed-ppds | foomatic-db pn hplip ii printer-driver-cups-pdf [cups-pdf] 3.0.1-5 pn printer-driver-hpcups ii smbclient 2:4.9.5+dfsg-5 ii udev 241-5 -- Configuration Files: /etc/default/cups changed: -- debconf information: cupsys/backend: lpd, socket, usb, snmp, dnssd cupsys/raw-print: true The printer worked with Stretch. With Buster, the printer prints the following text for any printed page: SPL-C ERROR - please use the proper driver POSITION : 0x0 (0) SYSTEM : src/xl_image LINE : 606 VERSION : SPL-C 5.35 11-20-2007 I have already tried within the cups web interface to change the printer setup and tried to delete the printer and then reassign connection and ppd file - but that did not make any change. Regards Rudolf
Bug#933879: cups: Samsung CLP315 fails after update from Stretch to Buster
Which driver package are you using? I am not sure what you mean by driver package. In the cups web interface, I select - USB connection - Samsung - Samsung CL-310 Series (SPL-C) (en) Regards, Rudolf
Bug#933879: cups: Samsung CLP315 fails after update from Stretch to Buster
Try the printer-driver-foo2zjs package. This works - the printer is running again. Thank you, Brian! Rudolf
Bug#998661: installation-reports: Successful install on Acer Switch V 10 (SW5-017P)
Package: installation-reports Severity: normal X-Debbugs-Cc: divver...@gmail.com Boot method: USB Image version: firmware-testing-amd64-netinst.iso Date: 2021-10-10 Machine: Acer Switch V 10 (SW5-017P) Partitions: Number Start End SizeFile system Name Flags 1 1049kB 538MB 537MB fat32 boot, esp 2 538MB 1050MB 512MB ext2 boot 3 1050MB 62.5GB 61.5GB crypt Base System Installation Checklist: [O] = OK, [E] = Error (please elaborate below), [ ] = didn't try it Initial boot: [X] Detect network card:[X] (needed firmware-iwlwifi) Configure network: [X] Detect media: [X] Load installer modules: [X] Clock/timezone setup: [X] User/password setup:[X] Detect hard drives: [X] Partition hard drives: [X] Install base system:[X] Install tasks: [X] Install boot loader:[E] Overall install:[X] Comments/Problems: Primary problem was that the installed system did not boot. This is a known problem of some Acer UEFI firmwares, which have hardcoded the path where Windows puts its boot loader and instead ignore the EFI variables. To fix this, I had to move all .efi and .CSV files from /target/boot/efi/EFI/debian to /target/boot/efi/EFI/Microsoft/Boot and rename shimx64.efi to bootmgfw.efi. This can be done in the final stage of the installer right before the reboot. See https://hansdegoede.livejournal.com/24132.html
