Bug 163274 - cups location case sensitivity - CAN-2004-2154
cups location case sensitivity - CAN-2004-2154
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: cups (Show other bugs)
fc2
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
LEGACY, rhl73, rhl9, 1, 2
: Security
: 163275 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-07-14 14:21 EDT by Jeff Sheltren
Modified: 2007-04-18 13:29 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-14 22:05:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jeff Sheltren 2005-07-14 14:21:39 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5

Description of problem:
When processing a request, the CUPS scheduler would use case-sensitive
matching on the queue name to decide which authorization policy should be
used. However, queue names are not case-sensitive. An unauthorized user
could print to a password-protected queue without needing a password. The
Common Vulnerabilities and Exposures project has assigned the name
CAN-2005-2154 to this issue. 

See:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162405
and
http://rhn.redhat.com/errata/RHSA-2005-571.html

I am working on updated packages for RH7.3, RH9, FC1 & FC2

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1...
2.
3.
  

Additional info:
Comment 1 Jeff Sheltren 2005-07-14 14:24:19 EDT
*** Bug 163275 has been marked as a duplicate of this bug. ***
Comment 2 Jeff Sheltren 2005-07-14 14:52:50 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created packages using the cups-str700.patch from RHEL3 package.

RH7.3:
http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.14-15.4.5.legacy.src.rpm
84dac0a7a7fd22931b6af54200c3edd174b36aec  cups-1.1.14-15.4.5.legacy.src.rpm

RH9:
http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.17-13.3.0.14.legacy.src.rpm
bd1e28c25c408603eeb30de759697a514e3ad7a4  cups-1.1.17-13.3.0.14.legacy.src.rpm

FC1:
http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.19-13.9.legacy.src.rpm
0b755ea65898d20d74e53d320d244fde7d92cd69  cups-1.1.19-13.9.legacy.src.rpm

FC2:
http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.20-11.11.1.legacy.src.rpm
2153b4e79a658c34214a378cf71c8615ef1813df  cups-1.1.20-11.11.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFC1rPXKe7MLJjUbNMRAtD8AKCpJkKidXS0GViSAu2wGSwmmpgwBQCgibJi
HWdlnWeg0oiNfQf0fHNPoLQ=
=YGqY
-----END PGP SIGNATURE-----
Comment 3 Pekka Savola 2005-07-15 08:56:58 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity OK
 - spec file changes minimal
 - patch verified to come from RHEL3

Minor nit: the changelog entries could provide a pointer to this bug number.
This can be fixed at buildtime if needed.

+PUBLISH RHL73, RHL9, FC1, FC2

84dac0a7a7fd22931b6af54200c3edd174b36aec  cups-1.1.14-15.4.5.legacy.src.rpm
bd1e28c25c408603eeb30de759697a514e3ad7a4  cups-1.1.17-13.3.0.14.legacy.src.rpm
0b755ea65898d20d74e53d320d244fde7d92cd69  cups-1.1.19-13.9.legacy.src.rpm
2153b4e79a658c34214a378cf71c8615ef1813df  cups-1.1.20-11.11.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC17KFGHbTkzxSL7QRAsWAAKCbM1LBppBp0bz2gC2uUCp63GDKQwCgvQm6
eDxE1k4yA0EpKVmxJA5Cokw=
=Dni8
-----END PGP SIGNATURE-----
Comment 4 Jeff Sheltren 2005-07-15 09:17:14 EDT
Hi Pekka, thanks for the publish vote.  What do you mean about a pointer to this
bug?  I thought that's what I was doing:

%changelog
* Thu Jul 14 2005 Jeff Sheltren <sheltren@cs.ucsb.edu> 1:1.1.20-11.11.1.legacy
- Fix for CAN-2004-2154 (#163274)   <------ that's the bug #
Comment 5 Pekka Savola 2005-07-15 09:24:46 EDT
Sorry, yes, you're right, and that's OK.  I overlooked it because it was in such
a terse format (which is fine, of course).  I should have looked closer.
Comment 6 Marc Deslauriers 2005-07-16 14:57:45 EDT
Packages were pushed to updates-testing.
Comment 7 Pekka Savola 2005-07-30 02:20:32 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73:
 - signature OK
 - rpm-build-compare.sh filelists OK, only changes to cupsd
 - upgrades OK
 - printing still works

+VERIFY RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC6xveGHbTkzxSL7QRAvlXAKCAaLZSP+OdTzyHeud3DBgw+kbCNQCfV/Rw
WQ4mRbV6cYEubgkbb4i0SrU=
=rp1m
-----END PGP SIGNATURE-----
Comment 8 Jeff Sheltren 2005-08-28 14:49:08 EDT
Timeout was reached on these
Comment 9 David Eisenstein 2005-08-28 16:12:42 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA on Fedora Core 1 cups packages, for bug # 163274:

97265e88f58dde6d0a9956ef9de0fce61c256077
     cups-1.1.19-13.9.legacy.i386.rpm

cb73c7d7e91cff10fab3c11a63dbcb002f1242d9
     cups-devel-1.1.19-13.9.legacy.i386.rpm

d3ae92680bbadfa11ce5f0c92c8243950e92d441
     cups-libs-1.1.19-13.9.legacy.i386.rpm

  *  SHA1SUMs verify from PGP-signed Test Update Notification
  *  rpm --checksig OK on all packages
  *  packages installed (upgraded) fine.  No config files were altered.

  *  running CUPS through its paces via web-browser to http://localhost:631/
     seems to work well.

  *  $ lpr file.txt               \
     $ lpr -P Samsung file.txt     \     All prompt properly for a password
     $ lpr -P sAmSuNg file.txt     /     for an unprivileged account.  Will
     $ lpr -P SaMsUnG file.txt    /      not print without it.

  *  User manpages and documents are accessible,
  *  Does not allow user to manipulate jobs s/he doesn't own.
  *  Seems to print okay, printed Fedora Legacy Test Update Notification 
     2005-163274 just fine.  :-)

  VERIFY++

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDEhorxou1V/j9XZwRAoqWAKDjcpsVHNC2+EnL4wSIYdSADBfMWwCeNXkv
DVvgRWe7AuS+2qnLney0jZo=
=N7B5
-----END PGP SIGNATURE-----
Comment 10 Marc Deslauriers 2005-09-14 22:05:18 EDT
Packages were released.

Note You need to log in before you can comment on or make changes to this bug.