Bug 605397 (CVE-2010-2431)

Summary: CVE-2010-2431 cups: latent privilege escalation vulnerability
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jlieskov, jpopelka, jrusnack, twaugh, ykopkova
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,cvss2=3.2/AV:A/AC:H/Au:N/C:N/I:P/A:P,public=20100615,reported=20100616,source=internet,rhel-3/cups=affected,rhel-4/cups=notaffected,rhel-5/cups=affected,rhel-6/cups=affected,fedora-all/cups=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-10-29 03:36:56 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 604728, 605399, 646767, 646768    
Bug Blocks:    

Description Vincent Danen 2010-06-17 16:27:36 EDT
Quoting from the upstream bug report http://cups.org/str.php?L3510:

directory that is writable by unprivileged processes.

This is a latent privilege escalation vulnerability.  It can be
exploited only in the presence of other CUPS vulnerabilities.

Why this is privilege escalation

This is privilege escalation, because an unprivileged process can
trick the CUPS server into overwriting arbitrary files as root.


    drwxrwxr-x  4 root lp /var/cache/cups
    -rw-r-----  1 root lp /var/cache/cups/remote.cache

This file is opened with cupsFileOpen() which simply opens the file
with open(filename, O_WRONLY | O_TRUNC | O_CREAT | O_LARGEFILE |
O_BINARY, 0666).

If a CUPS "external" program has a vulnerability, an attacker can
use the group=lp privileges to replace /var/cache/cups/remote.cache
with a symlink to a root-writable file. CUPS will then overwrite
that file as root. A similar latent vulnerability exists for the
state file /var/cache/cups/job.cache.

Why this is a latent vulnerability

This is a latent vulnerability, because there is no known exploit
for CUPS "external" programs that run as user=lp, group=lp.

The upstream fix looks more like a preventative fix as there does not seem to be anything exploitable here, so this looks like more a hardening than a response to an actual flaw.
Comment 2 Vincent Danen 2010-06-17 16:34:24 EDT
Created cups tracking bugs for this issue

Affects: fedora-all [bug 605399]
Comment 3 Fedora Update System 2010-06-18 07:03:24 EDT
cups-1.4.4-1.fc13 has been submitted as an update for Fedora 13.
Comment 4 Fedora Update System 2010-06-18 07:04:24 EDT
cups-1.4.4-1.fc12 has been submitted as an update for Fedora 12.
Comment 5 Fedora Update System 2010-06-18 07:05:00 EDT
cups-1.4.4-1.fc11 has been submitted as an update for Fedora 11.
Comment 6 Jan Lieskovsky 2010-06-23 06:33:32 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2431 to
this vulnerability:

The cupsFileOpen function in CUPS before 1.4.4 allows local users,
with lp group membership, to overwrite arbitrary files via a symlink
attack on the (1) /var/cache/cups/remote.cache or (2)
/var/cache/cups/job.cache file.

With references:
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2431
  [2] http://cups.org/articles.php?L596
  [3] http://cups.org/str.php?L3510
Comment 9 Fedora Update System 2010-06-24 08:22:33 EDT
cups-1.4.4-4.fc13 has been submitted as an update for Fedora 13.
Comment 10 Fedora Update System 2010-06-25 14:10:23 EDT
cups-1.4.4-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2010-07-01 14:44:22 EDT
cups-1.4.4-5.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-07-26 22:45:54 EDT
cups-1.4.4-5.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 errata-xmlrpc 2010-10-28 21:44:15 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0811 https://rhn.redhat.com/errata/RHSA-2010-0811.html
Comment 17 Vincent Danen 2010-10-28 22:58:02 EDT

This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3 or 4.  It was addressed in Red Hat Enterprise Linux 5 via RHSA-2010:0811.