From Bugzilla Helper: User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5 Description of problem: When processing a request, the CUPS scheduler would use case-sensitive matching on the queue name to decide which authorization policy should be used. However, queue names are not case-sensitive. An unauthorized user could print to a password-protected queue without needing a password. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2154 to this issue. See: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162405 and http://rhn.redhat.com/errata/RHSA-2005-571.html I am working on updated packages for RH7.3, RH9, FC1 & FC2 Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1... 2. 3. Additional info:
*** Bug 163275 has been marked as a duplicate of this bug. ***
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've created packages using the cups-str700.patch from RHEL3 package. RH7.3: http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.14-15.4.5.legacy.src.rpm 84dac0a7a7fd22931b6af54200c3edd174b36aec cups-1.1.14-15.4.5.legacy.src.rpm RH9: http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.17-13.3.0.14.legacy.src.rpm bd1e28c25c408603eeb30de759697a514e3ad7a4 cups-1.1.17-13.3.0.14.legacy.src.rpm FC1: http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.19-13.9.legacy.src.rpm 0b755ea65898d20d74e53d320d244fde7d92cd69 cups-1.1.19-13.9.legacy.src.rpm FC2: http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.20-11.11.1.legacy.src.rpm 2153b4e79a658c34214a378cf71c8615ef1813df cups-1.1.20-11.11.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFC1rPXKe7MLJjUbNMRAtD8AKCpJkKidXS0GViSAu2wGSwmmpgwBQCgibJi HWdlnWeg0oiNfQf0fHNPoLQ= =YGqY -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity OK - spec file changes minimal - patch verified to come from RHEL3 Minor nit: the changelog entries could provide a pointer to this bug number. This can be fixed at buildtime if needed. +PUBLISH RHL73, RHL9, FC1, FC2 84dac0a7a7fd22931b6af54200c3edd174b36aec cups-1.1.14-15.4.5.legacy.src.rpm bd1e28c25c408603eeb30de759697a514e3ad7a4 cups-1.1.17-13.3.0.14.legacy.src.rpm 0b755ea65898d20d74e53d320d244fde7d92cd69 cups-1.1.19-13.9.legacy.src.rpm 2153b4e79a658c34214a378cf71c8615ef1813df cups-1.1.20-11.11.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFC17KFGHbTkzxSL7QRAsWAAKCbM1LBppBp0bz2gC2uUCp63GDKQwCgvQm6 eDxE1k4yA0EpKVmxJA5Cokw= =Dni8 -----END PGP SIGNATURE-----
Hi Pekka, thanks for the publish vote. What do you mean about a pointer to this bug? I thought that's what I was doing: %changelog * Thu Jul 14 2005 Jeff Sheltren <sheltren.edu> 1:1.1.20-11.11.1.legacy - Fix for CAN-2004-2154 (#163274) <------ that's the bug #
Sorry, yes, you're right, and that's OK. I overlooked it because it was in such a terse format (which is fine, of course). I should have looked closer.
Packages were pushed to updates-testing.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for RHL73: - signature OK - rpm-build-compare.sh filelists OK, only changes to cupsd - upgrades OK - printing still works +VERIFY RHL73 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFC6xveGHbTkzxSL7QRAvlXAKCAaLZSP+OdTzyHeud3DBgw+kbCNQCfV/Rw WQ4mRbV6cYEubgkbb4i0SrU= =rp1m -----END PGP SIGNATURE-----
Timeout was reached on these
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA on Fedora Core 1 cups packages, for bug # 163274: 97265e88f58dde6d0a9956ef9de0fce61c256077 cups-1.1.19-13.9.legacy.i386.rpm cb73c7d7e91cff10fab3c11a63dbcb002f1242d9 cups-devel-1.1.19-13.9.legacy.i386.rpm d3ae92680bbadfa11ce5f0c92c8243950e92d441 cups-libs-1.1.19-13.9.legacy.i386.rpm * SHA1SUMs verify from PGP-signed Test Update Notification * rpm --checksig OK on all packages * packages installed (upgraded) fine. No config files were altered. * running CUPS through its paces via web-browser to http://localhost:631/ seems to work well. * $ lpr file.txt \ $ lpr -P Samsung file.txt \ All prompt properly for a password $ lpr -P sAmSuNg file.txt / for an unprivileged account. Will $ lpr -P SaMsUnG file.txt / not print without it. * User manpages and documents are accessible, * Does not allow user to manipulate jobs s/he doesn't own. * Seems to print okay, printed Fedora Legacy Test Update Notification 2005-163274 just fine. :-) VERIFY++ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFDEhorxou1V/j9XZwRAoqWAKDjcpsVHNC2+EnL4wSIYdSADBfMWwCeNXkv DVvgRWe7AuS+2qnLney0jZo= =N7B5 -----END PGP SIGNATURE-----
Packages were released.