Bug 875898 (CVE-2012-5519)
Field | Value
---|---
Summary: | CVE-2012-5519 cups: privilege escalation for users of the CUPS SystemGroup group
Product: | [Other] Security Response
Component: | vulnerability
Status: | CLOSED ERRATA
Severity: | medium
Priority: | medium
Version: | unspecified
Hardware: | All
OS: | Linux
Reporter: | Jan Lieskovsky <jlieskov>
Assignee: | Red Hat Product Security <security-response-team>
CC: | jpopelka, jrusnack, psklenar, rcvalle, twaugh
Keywords: | Security
Doc Type: | Bug Fix
Last Closed: | 2013-02-28 19:21:02 UTC
Bug Depends On: | 875907, 876224, 876225, 876226, 876228, 885625
Bug Blocks: | 875906

Description
Jan Lieskovsky
2012-11-12 19:25:21 UTC
This issue affects the versions of the cups package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the cups package, as shipped with Fedora release of 16 and 17. Please schedule an update (once final upstream patch available).

The CVE identifier of CVE-2012-5519 has been assigned to this issue:

[4] http://www.openwall.com/lists/oss-security/2012/11/11/2

Created attachment 643673
Local copy of the reproducer from relevant Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791#10

Created cups tracking bugs for this issue

Affects: fedora-all [bug 875907]

*** Bug 875897 has been marked as a duplicate of this bug. ***

This flaw was addressed upstream by moving configuration directives for setting file, directory, user, and group parameters into a separate configuration file /etc/cups/cups-files.conf. Only the cupsd.conf configuration file could be modified remotely using the CUPS web interface. Changes to the cups-files.conf file can only be done locally (i.e. they require root privileges).

The following directives have been moved to the new configuration file (cups-files.conf):

AccessLog, BrowseLDAPCACertFile, CacheDir, ConfigFilePerm, DataDir, DocumentRoot, ErrorLog, FatalErrors, FileDevice, FontPath, Group, LogFilePerm, LPDConfigFile, PageLog, Printcap, PrintcapFormat, PrintcapGUI, RemoteRoot, RequestRoot, ServerBin, ServerCertificate, ServerKey, ServerRoot, SMBConfigFile, StateDir, SystemGroup, SystemGroupAuthKey, TempDir, User

There are two factors which are needed for successful exploitation of this flaw.

1. This flaw can only be exploited by a local user that is a member of one of the groups specified in cupsd.conf using the SystemGroup configuration directive. For Red Hat Enterprise Linux 5 and 6, default groups in the SystemGroup are 'sys' and 'root'.
2. SELinux mitigates impact of the attack, limiting what can be read or written by the attacker.

Statement:

This issue affects the version of cups as shipped with Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.

cups-1.5.4-20.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

The fix for this issue added to Red Hat Enterprise Linux 5 and 6 uses a different approach to the one used by upstream and described in comment 17. It introduces a new configuration directive called "ConfigurationChangeRestriction" in the cupsd.conf configuration file. This directive tells cupsd whether it should allow changing certain other configuration directives via its web interface. Restricted configuration directives are the same that were moved to the cups-files.conf configuration file upstream (see comment 17 for the list).

The ConfigurationChangeRestriction directive takes the following values:

1. "all" : This is the default value. This option prevents all the users (both root user and members of one of the SystemGroup groups) from making any changes to the protected directives remotely via the cups web interface. root user can still make changes locally by editing cupsd.conf configuration file directly.
2. "root-only" : Only root is allowed to make changes to the protected directives. SystemGroup groups members are not allowed to change them.
3. "none" : Users in the SystemGroup groups and root can make changes to the above keywords remotely using the cups web interface.

Note that Red Hat Enterprise Linux 6 includes the cups-pk-helper package, which may allow a non-root user to change cups configuration, if the system administrator grants them such privilege via PolicyKit (via the org.opensuse.cupspkhelper.mechanism.server-settings polkit action).
cups-pk-helper performs configuration changes as root user, therefore the ConfigurationChangeRestriction configuration must be set to "all" to prevent such users from changing protected directives.

cups-1.5.4-18.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2013:0580 https://rhn.redhat.com/errata/RHSA-2013-0580.html
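
The three ConfigurationChangeRestriction values and the cups-pk-helper caveat described above, as an added audit sketch in Python (not code from Red Hat or the CUPS project). The sample cupsd.conf is constructed and the function names are hypothetical; case-insensitive directive matching, last-occurrence-wins, and denying on an unrecognised value are assumptions.

```python
# Directives the page lists as protected (moved to cups-files.conf upstream).
PROTECTED = frozenset("""
AccessLog BrowseLDAPCACertFile CacheDir ConfigFilePerm DataDir DocumentRoot
ErrorLog FatalErrors FileDevice FontPath Group LogFilePerm LPDConfigFile
PageLog Printcap PrintcapFormat PrintcapGUI RemoteRoot RequestRoot ServerBin
ServerCertificate ServerKey ServerRoot SMBConfigFile StateDir SystemGroup
SystemGroupAuthKey TempDir User""".lower().split())

# Constructed sample cupsd.conf, not taken from a real system.
SAMPLE = """\
SystemGroup sys root
ConfigurationChangeRestriction root-only
ErrorLog /var/log/cups/error_log
<Location /admin>
  Order allow,deny
</Location>
"""

def audit(conf_text):
    """Report the restriction in effect and protected directives in cupsd.conf."""
    restriction, groups, present, depth = "all", [], [], 0  # page: default is "all"
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth = max(depth - 1, 0)
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:  # only top-level directives matter here
            name, value = (line.split(None, 1) + [""])[:2]
            key = name.lower()  # assumption: names match case-insensitively
            if key == "configurationchangerestriction":
                restriction = value.lower()  # assumption: last occurrence wins
            elif key == "systemgroup":
                groups += value.replace(",", " ").split()  # simplified parsing
            if key in PROTECTED:
                present.append(name)
    return {"restriction": restriction, "system_groups": groups,
            "protected_in_cupsd_conf": present}

def web_change_allowed(restriction, directive, is_root):
    """Decision table from the page for an already-authenticated CUPS admin."""
    if directive.lower() not in PROTECTED or restriction == "none":
        return True
    return is_root if restriction == "root-only" else False  # else: deny

def pk_helper_exposed(restriction):
    """cups-pk-helper acts as root, so only "all" blocks polkit-granted users."""
    return restriction != "all"
```

On a host with cups-pk-helper installed, any `restriction` other than "all" in the `audit()` result is worth flagging, since the helper's changes arrive as root.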