[Bug 1455644] Re: [MIR] ippusbxd

2015-08-24 Thread Seth Arnold
MITRE has assigned the in6addr_any issue CVE-2015-6520: http://www.openwall.com/lists/oss-security/2015/08/18/11 Thanks ** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-6520 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-11 Thread Michael Terry
You got it! Thanks Seth and Till! ** Changed in: ippusbxd (Ubuntu) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1455644 Title: [MIR] ippusbxd To

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-11 Thread Matthias Klose
Override component to main
ippusbxd 1.21.2-1 in wily: universe/misc -> main
ippusbxd 1.21.2-1 in wily amd64: universe/comm/extra/100% -> main
ippusbxd 1.21.2-1 in wily arm64: universe/comm/extra/100% -> main
ippusbxd 1.21.2-1 in wily armhf: universe/comm/extra/100% -> main
ippusbxd 1.21.2-1 in wily

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-11 Thread Till Kamppeter
Subscription created for Ubuntu Printing Team. ** Changed in: ippusbxd (Ubuntu) Status: Incomplete => In Progress

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-11 Thread Michael Terry
Packaging wise, things look fine. But it does need a team bug subscriber. ** Changed in: ippusbxd (Ubuntu) Status: In Progress => Incomplete

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-11 Thread Michael Terry
OK, fine from my side then. Seth, was that ACK for the version in wily as-is or did you want to only promote this once the fixes you've discussed here landed?

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-11 Thread Seth Arnold
Michael, ACK now please, the other fixes can come whenever it is convenient for Till to work on them. Thanks.

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-10 Thread Seth Arnold
Till, this looks great, confirmed that the -N variant listens on loopback for both ipv4 and ipv6. Very nice, thanks. I am concerned to see a timeout on the select() statement; select_tut(2) strongly recommends writing code in a way that does not use the timeout: 1. You should always try

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-10 Thread Till Kamppeter
Seth, thanks for the hint. It works actually the same way without timeout and loop, making the code simpler. I have uploaded this upstream as https://github.com/tillkamppeter/ippusbxd/commit/a632841f8e65d402e13e81921515f5a1e2736c82 Do I need to add this to Wily's cups-filters for you to text,

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-10 Thread Seth Arnold
Thanks Till, I've requested a CVE from MITRE: http://www.openwall.com/lists/oss-security/2015/08/11/1 Please include the CVE number in changelogs and announcements if one is available in time.

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-10 Thread Seth Arnold
I reviewed ippusbxd version 1.21.2-1 as checked into wily; this shouldn't be considered a full security audit but rather a quick gauge of maintainability. - ippusbxd implements the usb-ipp standardized printer bridge; udev rules start the daemon when a supported printer is plugged in,

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-10 Thread Seth Arnold
Till, please update the wily packaging and upstream releases as soon as convenient. Include the CVE if you can. A note for the security team once the CVE comes through, ippusbxd is packaged in cups-filters in vivid, which is in main, and will also need to be updated. Double-check that it's been

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-10 Thread Till Kamppeter
Note that all software to start and stop the daemon with the correct options, and to create CUPS queues for the IPP-over-USB printers is in the system-config-printer-udev package.

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-09 Thread Till Kamppeter
I have now modified ippusbxd in the upstream GIT repository to listen on both IPv4 and IPv6 sockets using the select() function to watch both. On each socket I restrict to localhost in the proper way. I have tested that with wget 'http://localhost:6/' wget 'http://[::1]:6/' wget 'Any
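
[Added example, not part of any message in this thread and not ippusbxd's own code: a sketch of the approach described above, with one listener bound to 127.0.0.1, one bound to ::1, and a select() call with no timeout watching both. The function names listen_on, listen_loopback4, listen_loopback6 and accept_either are hypothetical, and the port is a parameter.]

```c
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listener bound to exactly the given address; -1 on failure. */
int listen_on(const struct sockaddr *sa, socklen_t len) {
    int on = 1, fd = socket(sa->sa_family, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    if (sa->sa_family == AF_INET6) /* v6 socket must not also claim IPv4 */
        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on);
    if (bind(fd, sa, len) < 0 || listen(fd, 16) < 0) { close(fd); return -1; }
    return fd;
}

/* 127.0.0.1 only (INADDR_LOOPBACK, not INADDR_ANY). */
int listen_loopback4(uint16_t port) {
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return listen_on((struct sockaddr *)&a, sizeof a);
}

/* ::1 only (in6addr_loopback, not in6addr_any). */
int listen_loopback6(uint16_t port) {
    struct sockaddr_in6 a;
    memset(&a, 0, sizeof a);
    a.sin6_family = AF_INET6;
    a.sin6_port = htons(port);
    a.sin6_addr = in6addr_loopback;
    return listen_on((struct sockaddr *)&a, sizeof a);
}

/* Block with no timeout until a listener is readable, then accept on it. */
int accept_either(int fd4, int fd6) {
    fd_set rd;
    int maxfd = fd4 > fd6 ? fd4 : fd6;
    if (maxfd < 0) return -1;
    FD_ZERO(&rd);
    if (fd4 >= 0) FD_SET(fd4, &rd);
    if (fd6 >= 0) FD_SET(fd6, &rd);
    if (select(maxfd + 1, &rd, NULL, NULL, NULL) < 0) return -1;
    return accept(fd4 >= 0 && FD_ISSET(fd4, &rd) ? fd4 : fd6, NULL, NULL);
}
```

[Passing -1 for a listener that could not be created, for example on a host without IPv6, lets accept_either keep serving the other address family.]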

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-09 Thread Till Kamppeter
Here is the upstream fix on Github: https://github.com/tillkamppeter/ippusbxd/commit/46844402bca7a38fc224483ba6f0a93c4613203f ** Changed in: ippusbxd (Ubuntu) Status: New => In Progress

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-09 Thread Till Kamppeter
I did also a check with a printer (without -N option) now and the restriction works there, too.

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-07 Thread Seth Arnold
Thanks for adding the -N option, it's very handy to test the networking portion. You're right, in6addr_loopback isn't going to work -- it is then only listening on ::1:6 and connections to 127.0.0.1:6 don't work. I think this is going to take a more complicated fix, one of these options

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-06 Thread Tyler Hicks
Hi Till - Any luck with gathering the netstat output to verify that it is only listening to ipv6 localhost?

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-06 Thread Till Kamppeter
I have also tried to replace in6addr_any by in6addr_loopback, but with this I cannot even access via localhost:6. With in6addr_any I can access also from my virtual machine, through the host's IP (like http://192.168.122.204).

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-06 Thread Till Kamppeter
I have added said printer-less debugging mode to ippusbxd now. Please update to cups-filters-ippusbxd_1.0.71-1ubuntu3 and run ippusbxd -d -N -P 6 Then you can access with a web browser, using the URL http://localhost:6/ This way the TCP/IP interface of ippusbxd is available for any kind

[Bug 1455644] Re: [MIR] ippusbxd

2015-08-03 Thread Till Kamppeter
I will look into adding a mode for printer-less debugging, for example simply letting it show a simple HTML page when calling its URL with a browser.

[Bug 1455644] Re: [MIR] ippusbxd

2015-07-31 Thread Till Kamppeter
The printer access is bound to localhost:port, so one can only access locally, not through the network. As print queues are system-wide and not per-user, any local user can access normal USB printers (using classic USB protocol with usb or hp CUPS backend). So using IPP-over-USB does not add

[Bug 1455644] Re: [MIR] ippusbxd

2015-07-31 Thread Seth Arnold
Till, could you please double-check this? The code sure looks like it binds to the ipv6 wildcard address:

    struct sockaddr_in6 addr;
    memset(&addr, 0, sizeof addr);
    addr.sin6_family = AF_INET6;
    addr.sin6_port = htons(port);
    addr.sin6_addr = in6addr_any;

[Bug 1455644] Re: [MIR] ippusbxd

2015-07-31 Thread Seth Arnold
Till, this binds to in6addr_any and has no access controls to determine who might be able to use the printer; is this intentional? Thanks

[Bug 1455644] Re: [MIR] ippusbxd

2015-07-28 Thread Tyler Hicks
** Changed in: ippusbxd (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => Seth Arnold (seth-arnold)

[Bug 1455644] Re: [MIR] ippusbxd

2015-07-03 Thread Till Kamppeter
** Changed in: ippusbxd (Ubuntu) Importance: Undecided => High

[Bug 1455644] Re: [MIR] ippusbxd

2015-06-30 Thread Tyler Hicks
** Changed in: ippusbxd (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => Ubuntu Security Team (ubuntu-security)

[Bug 1455644] Re: [MIR] ippusbxd

2015-05-18 Thread Michael Terry
** Changed in: ippusbxd (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand)