Bug 864515 (CVE-2012-4510)

Summary: CVE-2012-4510 cups-pk-helper: Insecure wrapping of cupsGetFile() and cupsPutFile() methods
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jrusnack, mkasik, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cups-pk-helper 0.2.3 Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the cupsGetFile() and cupsPutFile() functions of cups-pk-helper checked user IDs. If a local attacker performed a symbolic link attack, and was able to trick a CUPS administrator into approving the file transmission, the attacker could possibly use this flaw to access or modify certain system files, potentially leading to privilege escalation.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:59:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 865815    
Bug Blocks: 864521    
Attachments:
Description Flags
Relevant patch from Vincent Untz
none
Updated patch from Vincent Untz
none
Patch from Vincent Untz none

Description Jan Lieskovsky 2012-10-09 13:33:08 UTC 
A security flaw was found in the way wrapped file transmission routines (get / put a file from / to the CUPS server) of cups-pk-helper, an application which makes CUPS configuration interfaces available under control of PolicyKit, performed check of user ID prior performing the actual operation (get / put). If a local attacker performed a symbolic-link attack and was able to trick CUPS administrator into approving the file transmission, the adversary could use this flaw to obtain unauthorized access to certain system files or, possibly, modify / alter certain system files.

Acknowledgements:

Red Hat would like to thank Vincent Untz for reporting this issue.
Comment 2 Jan Lieskovsky 2012-10-09 13:36:20 UTC 
Created attachment 624105 [details]
Relevant patch from Vincent Untz
Comment 4 Jan Lieskovsky 2012-10-09 13:47:43 UTC 
This issue affects the version of the cups-pk-helper package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the cups-pk-helper package, as shipped with Fedora release of 16 and 17.
Comment 6 Jan Lieskovsky 2012-10-10 09:19:00 UTC 
Created attachment 624699 [details]
Updated patch from Vincent Untz
Comment 7 Tomas Hoger 2012-10-10 12:01:07 UTC 
Created attachment 624821 [details]
Patch from Vincent Untz

Corrected patch from upstream
Comment 8 Jan Lieskovsky 2012-10-10 12:35:07 UTC 
The CVE identifier of CVE-2012-4510 has been assigned to this issue.
Comment 9 Jan Lieskovsky 2012-10-12 13:51:02 UTC 
Public via:
http://www.openwall.com/lists/oss-security/2012/10/12/2
Comment 10 Jan Lieskovsky 2012-10-12 13:52:26 UTC 
Created cups-pk-helper tracking bugs for this issue

Affects: fedora-all [bug 865815]
Comment 12 Francisco Alonso 2015-03-11 12:41:54 UTC 
External reference:

(none)
Comment 13 Tomas Hoger 2015-03-25 16:11:40 UTC 
Upstream commit:

http://cgit.freedesktop.org/cups-pk-helper/commit/?id=6995d30816f0c76844dee4dc9022296a03258457