Bug 2290318 (CVE-2024-35235) - CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
Keywords:
Status: NEW
Alias: CVE-2024-35235
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2291341 2291342
Blocks: 2290319
Reported: 2024-06-04 02:55 UTC by Avinash Hanwate
Modified: 2024-10-10 13:51 UTC

Fixed In Version: CUPS 2.4.9
Doc Text:
A flaw was found in the cupsd server. When starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Since cupsd is often running as root, this issue can result in the change of permission of any user or system files to be world writable.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2024:4511 | 0 | None | None | None | 2024-07-11 14:13:09 UTC
Red Hat Product Errata | RHBA-2024:4536 | 0 | None | None | None | 2024-07-15 11:22:39 UTC
Red Hat Product Errata | RHBA-2024:4600 | 0 | None | None | None | 2024-07-17 19:00:18 UTC
Red Hat Product Errata | RHBA-2024:4869 | 0 | None | None | None | 2024-07-25 13:28:20 UTC
Red Hat Product Errata | RHBA-2024:4980 | 0 | None | None | None | 2024-08-01 15:55:11 UTC
Red Hat Product Errata | RHBA-2024:5575 | 0 | None | None | None | 2024-08-19 16:22:41 UTC
Red Hat Product Errata | RHBA-2024:5653 | 0 | None | None | None | 2024-08-20 18:06:30 UTC
Red Hat Product Errata | RHSA-2024:4265 | 0 | None | None | None | 2024-07-02 15:26:56 UTC
Red Hat Product Errata | RHSA-2024:4580 | 0 | None | None | None | 2024-07-16 18:55:47 UTC
Red Hat Product Errata | RHSA-2024:4715 | 0 | None | None | None | 2024-07-23 08:41:48 UTC
Red Hat Product Errata | RHSA-2024:4776 | 0 | None | None | None | 2024-07-23 16:24:08 UTC
Red Hat Product Errata | RHSA-2024:5644 | 0 | None | None | None | 2024-08-20 16:08:22 UTC

Description Avinash Hanwate 2024-06-04 02:55:31 UTC
When starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target.

When setting up the bind for unix sockets configured in the Listen parameters of the configuration file, the code does not check for a successful call to unlink and bind prior to performing the call to chmod. A sufficiently fast attacker could place a symbolic link at the configured location after the call to unlink, causing the bind to fail once again and performing a successful chmod.

Comment 4 Mauro Matteo Cascella 2024-06-11 15:44:33 UTC
Created cups tracking bugs for this issue:

Affects: fedora-39 [bug 2291341]
Affects: fedora-40 [bug 2291342]

Comment 5 errata-xmlrpc 2024-07-02 15:26:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4265 https://access.redhat.com/errata/RHSA-2024:4265

Comment 6 errata-xmlrpc 2024-07-16 18:55:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:4580 https://access.redhat.com/errata/RHSA-2024:4580

Comment 7 errata-xmlrpc 2024-07-23 08:41:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:4715 https://access.redhat.com/errata/RHSA-2024:4715

Comment 8 errata-xmlrpc 2024-07-23 16:24:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4776 https://access.redhat.com/errata/RHSA-2024:4776

Comment 9 errata-xmlrpc 2024-08-20 16:08:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5644 https://access.redhat.com/errata/RHSA-2024:5644

