Bug 2290318 (CVE-2024-35235)

Summary: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: bmason, jorton, pzacik, security-response-team, zdohnal
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: CUPS 2.4.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the cupsd server. When starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Since cupsd is often running as root, this issue can result in the change of permission of any user or system files to be world writable.
Bug Depends On: 2291341, 2291342
Bug Blocks: 2290319

Description Avinash Hanwate 2024-06-04 02:55:31 UTC
When starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target.

When setting up the bind for unix sockets configured in the Listen parameters of the configuration file, the code does not check for a successful call to unlink and bind prior to performing the call to chmod. A sufficiently fast attacker could place a symbolic link at the configured location after the call to unlink, causing the bind to fail once again and performing a successful chmod.
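
The following is an added illustration, not CUPS source and not code from this report: the unchecked unlink/bind/chmod sequence the description talks about, written in C next to a version that stops at the first failed step and only relaxes the mode of a node lstat() confirms is a socket. The demo harness plants a symlink at the Listen path and makes its directory non-writable so that unlink() and bind() fail deterministically; that stands in for the race window the reporter describes. The function names (listen_unix_unchecked, listen_unix_checked, demo_symlink_target_altered), the /tmp paths and the 0600 target file are all constructed for this example.

```c
/* Added example, not CUPS code: unchecked vs. checked Unix-socket setup.
 * All paths are constructed under /tmp for the demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

static int open_unix_socket(const char *path, struct sockaddr_un *addr)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    strncpy(addr->sun_path, path, sizeof addr->sun_path - 1);
    return fd;
}

/* Vulnerable shape: unlink() and bind() results are ignored, so chmod()
 * is applied to whatever sits at `path` when it runs. chmod() follows
 * symlinks, and the kernel keeps only the permission bits of 0140777. */
static int listen_unix_unchecked(const char *path)
{
    struct sockaddr_un addr;
    int fd = open_unix_socket(path, &addr);
    if (fd < 0)
        return -1;
    unlink(path);                                    /* result ignored */
    bind(fd, (struct sockaddr *)&addr, sizeof addr); /* result ignored */
    chmod(path, 0140777);
    return fd;
}

/* Hardened shape: bail out on the first failed step, and only chmod a
 * node that lstat() reports as a socket (a symlink is rejected). */
static int listen_unix_checked(const char *path)
{
    struct sockaddr_un addr;
    struct stat st;
    int fd = open_unix_socket(path, &addr);
    if (fd < 0)
        return -1;
    if ((unlink(path) != 0 && errno != ENOENT) ||
        bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 ||
        lstat(path, &st) != 0 || !S_ISSOCK(st.st_mode) ||
        chmod(path, 0777) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo harness (constructed): a symlink to a 0600 regular file is placed at
 * the Listen path inside a 0555 directory, so unlink() and bind() fail for
 * an unprivileged user. Returns 1 if the target's permission bits changed. */
static int demo_symlink_target_altered(int hardened)
{
    char dir[64], rodir[80], target[96], sock[96];
    struct stat st;
    int fd, altered;

    snprintf(dir, sizeof dir, "/tmp/cups-listen-demo-%ld", (long)getpid());
    snprintf(rodir, sizeof rodir, "%s/ro", dir);
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(sock, sizeof sock, "%s/cupsd.sock", rodir);

    if ((mkdir(dir, 0700) != 0 && errno != EEXIST) ||
        (mkdir(rodir, 0755) != 0 && errno != EEXIST))
        return -1;
    chmod(rodir, 0755);
    unlink(sock);
    fd = open(target, O_CREAT | O_WRONLY | O_TRUNC, 0600);
    if (fd < 0 || close(fd) != 0 || chmod(target, 0600) != 0 ||
        symlink(target, sock) != 0)
        return -1;
    chmod(rodir, 0555);

    fd = hardened ? listen_unix_checked(sock) : listen_unix_unchecked(sock);
    if (fd >= 0)
        close(fd);

    if (stat(target, &st) != 0)
        return -1;
    altered = (st.st_mode & 07777) != 0600;

    chmod(rodir, 0755);   /* clean up */
    unlink(sock);
    rmdir(rodir);
    unlink(target);
    rmdir(dir);
    return altered;
}

int main(void)
{
    printf("unchecked listener altered target: %d\n", demo_symlink_target_altered(0));
    printf("checked listener altered target:   %d\n", demo_symlink_target_altered(1));
    return 0;
}
```

Run as an unprivileged user, the unchecked listener leaves the symlink's target world-writable while the checked one returns -1 without touching it; as root the directory trick does not apply (root bypasses the permission check), so both paths create a real socket and the target stays 0600. The return-value checks are the point made in the report; the lstat() guard and the plain 0777 mode are choices of this example, not a description of the upstream fix.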

Comment 4 Mauro Matteo Cascella 2024-06-11 15:44:33 UTC
Created cups tracking bugs for this issue:

Affects: fedora-39 [bug 2291341]
Affects: fedora-40 [bug 2291342]

Comment 5 errata-xmlrpc 2024-07-02 15:26:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4265 https://access.redhat.com/errata/RHSA-2024:4265

Comment 6 errata-xmlrpc 2024-07-16 18:55:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:4580 https://access.redhat.com/errata/RHSA-2024:4580

Comment 7 errata-xmlrpc 2024-07-23 08:41:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:4715 https://access.redhat.com/errata/RHSA-2024:4715

Comment 8 errata-xmlrpc 2024-07-23 16:24:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4776 https://access.redhat.com/errata/RHSA-2024:4776

Comment 9 errata-xmlrpc 2024-08-20 16:08:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5644 https://access.redhat.com/errata/RHSA-2024:5644