Bug#409356: cups-pdf: allows unprivileged user to read parts of any file

2007-02-02 Thread Grzegorz Żur
Package: cups-pdf
Version: 2.4.2-1
Severity: critical
Justification: root security hole
Tags: security

An unprivileged user can execute /usr/lib/cups/backend/cups-pdf to read
parts of any file. The end of the file is printed by Ghostscript in the error report.

Execution of this command as an unprivileged user
  /usr/lib/cups/backend/cups-pdf shadow user title 1 '' /etc/shadow
will result in a Ghostscript error showing the last line of the /etc/shadow file
(possibly containing a password hash)
  ERROR: /undefined in saned:!:13511:0:9:7:::
  ...

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-albemuth
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)

Versions of packages cups-pdf depends on:
ii  cupsys   1.2.7-3           Common UNIX Printing System(tm) -
ii  gs-esp   8.15.3.dfsg.1-1   The Ghostscript PostScript interpr
ii  libc6    2.3.6.ds1-10      GNU C Library: Shared libraries

cups-pdf recommends no packages.

-- no debconf information

-- 
Grzegorz Zur





Bug#409356: cups-pdf: allows unprivileged user to read parts of any file

2007-02-02 Thread Grzegorz Żur
Volker Christian Behr wrote:
> I am the CUPS-PDF developer. Though I am not using Debian I am quite
> confused by this behaviour: CUPS-PDF is supposed to be mode 700 on CUPS
> v1.2.x environments (so unprivileged users should not even be able to
> execute it). Furthermore CUPS-PDF is explicitly not meant to be
> installed SUID 'root' (neither is ghostscript) - so how can those two
> programs access /etc/shadow at all?
> Please check the permissions of the CUPS-PDF backend and GS - neither
> should be SUID 'root' under any circumstances. CUPS-PDF should even more
> be mode 700 executable by 'root' only. If this is not the case in the
> default installation it has to be fixed in the Debian package.
 

You are right! It's only on Debian (and derivatives?) and that's why I
report it as Debian's bug, not directly to you. The problem is in the
debian/postinst script. It executes:
  chmod 6755 /usr/lib/cups/backend/cups-pdf

-- 
Grzegorz Zur
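
A check for the permission state discussed in this thread, as an added example that is not part of the original messages or of the cups-pdf or Debian packaging: it flags a backend file that carries setuid/setgid bits or has any group/other permission, i.e. is not the mode 700 the upstream developer describes. The function names and the temporary demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a CUPS backend file for the modes named in this thread.

# True if FILE ($1) has every permission bit of octal MASK ($2) set.
has_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# Print one finding per line for a backend file; return 1 if any finding.
check_backend() {
    file=$1
    bad=0
    if has_bits "$file" 4000; then
        echo "$file: setuid bit set (runs with the owner's uid for any caller)"
        bad=1
    fi
    if has_bits "$file" 2000; then
        echo "$file: setgid bit set"
        bad=1
    fi
    # Any group/other bit means the file is not mode 700.
    for bit in 040 020 010 004 002 001; do
        if has_bits "$file" "$bit"; then
            echo "$file: group/other permissions present, expected mode 700"
            bad=1
            break
        fi
    done
    return "$bad"
}

# Demo on constructed files in a temporary directory (not a real CUPS install).
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/cups-pdf-as-packaged"; chmod 6755 "$tmp/cups-pdf-as-packaged"
    : > "$tmp/cups-pdf-as-intended"; chmod 700 "$tmp/cups-pdf-as-intended"
    for f in "$tmp"/*; do
        check_backend "$f" || true
    done
    rm -rf "$tmp"
}
demo
```

On an installed system the same function can be pointed at /usr/lib/cups/backend/cups-pdf; a non-zero return means the file differs from the mode the developer describes.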

