Bug 1051645 (CVE-2013-6891)

Summary: CVE-2013-6891 cups: lppasswd vulnerability allows data access to unprivileged user
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jkurik, jpopelka, pfrields, twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cups 1.7.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-10 19:28:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ratul Gupta 2014-01-10 18:40:43 UTC 
A vulnerability was reported in the setuid "lppasswd" binary from cups, which could allow an attacker to extract data from arbitrary files.

The issue is that to find out the name of the current user, systemv/lppasswd.c calls cupsUser() in the cups/usersys.c, which calls a function calls_cupsSetDefaults(), which is not designed to be used in setuid code. Later, when lppasswd has found out that the user does not have an entry in the password file, it shows an error message that leaks the username from the config. This means that an unprivileged user can use the lppasswd binary to extract data from arbitrary files as long as it appears to be a "user" configuration directive.

References:
http://www.cups.org/str.php?L4319

Patch:
http://www.cups.org/strfiles.php/3230/str4319.patch
Comment 2 Vincent Danen 2014-01-10 20:22:29 UTC 
The lppasswd binary has not had the suid bit set on it since Red Hat Enterprise Linux 4, so this flaw is not exploitable on any recent Fedora or Red Hat Enterprise Linux releases.


Statement:

Not vulnerable. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 5 and 6 as they did not ship with an suid-root lppasswd binary.