Date: Sat, 10 Nov 2012 13:49:43 +0100 From: Yves-Alexis Perez <corsac@...ian.org> To: oss-security@...ts.openwall.com Cc: 692791@...s.debian.org, team@...urity.debian.org, cups-security@...le.com Subject: Privilege escalation (lpadmin -> root) in cups Hi, a Debian user reported a bug in our BTS concerning cupsd. The bug is available at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 and upstream bug at http://www.cups.org/str.php?L4223 (restricted because it's tagged security). I'm unsure right now if it's an upstream issue or specific to Debian. Basically, members of the lpadmin group (which is the group having admin rights to cups, meaning they're supposed to be able to add/remove printeers etc.) have admin access to the web interface, where they can edit the config file and set some “dangerous” directives (like the log filenames), which enable them to read or write files as the user running the cupsd webserver. In Debian case at least, it's run as root, meaning we have a privilege escalation issue from lpadmin group to root. A fix would be to not run cupsd web server as root, and maybe to restrict it to some kind of chroot so it doesn't have access to sensitive files Can a CVE be allocated for this? Regards, -- Yves-Alexis [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ