Bug 449746 (CVE-2008-1033)

Summary: CVE-2008-1033 cups: password disclosure via debug log
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1033
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-06-03 11:43:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-06-03 11:19:33 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1033 to the following vulnerability:

The scheduler in CUPS in Apple Mac OS X 10.5 before 10.5.3, when debug logging
is enabled and a printer requires a password, allows attackers to obtain
sensitive information (credentials) by reading the log data, related to
"authentication environment variables."

References:
http://lists.apple.com/archives/security-announce/2008/May/msg00001.html
http://xforce.iss.net/xforce/xfdb/42713
Comment 1 Tomas Hoger 2008-06-03 11:29:08 UTC 
This issue does not affect cups packages as shipped in Red Hat Enterprise Linux
3, 4 and 5.  Support for job authentication was only introduced in CUPS 1.3.x.
Comment 2 Tomas Hoger 2008-06-03 11:40:17 UTC 
Gory details:

SVN r6576 added code that exported authentication data to environment:

  r6576 | mike | 2007-06-20 02:23:32 +0200 (Wed, 20 Jun 2007) | 20 lines

  Add new AUTH_USERNAME, AUTH_DOMAIN, and AUTH_PASSWORD environment variables
  when printing a job.  This allows us to run the IPP backend as "lp" and will
  allow other backends to support proxy authentication without running as root.

  svn diff -c 6576 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

SVN r6579 added check to prevent leaking of authentication credentials to debug log.

  svn diff -c 6579 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

However, this check was accidentally broken in SVN r7233 which was supposed to
fix HP-UX compilation issues.  Correct check that prevented logging of
environment variables with names starting with 'AUTH_' was replaced with
incorrect check testing for 'CUPSD_AUTH_' prefix (CUPSD actually, as string
length was not fixed in the commit).

  http://cups.org/str.php?L2679
  svn diff -c 7233 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

Broken check was fixed again in SVN r7377:

  http://cups.org/str.php?L2751
  svn diff -c 7377 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

It seems that the incorrect check only appeared in the upstream version 1.3.6. 
Versions 1.3.5 and 1.3.7 have correct checks.
Comment 4 Tomas Hoger 2008-06-03 11:43:12 UTC 
Fedora is currently not affected by this issue.  F7 ships unaffected cups
1.2.12.  F8, F9 and Rawhide were already updated to a fixed upstream version 1.3.7.