When starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. When setting up the bind for unix sockets configured in the Listen parameters of the configuration file, the code does not check for a successful call to unlink and bind prior to performing the call to chmod. A sufficiently fast attacker could place a symbolic link at the configured location after the call to unlink, causing the bind to fail once again and performing a successful chmod.

Created cups tracking bugs for this issue:

Affects: fedora-39 [bug 2291341]
Affects: fedora-40 [bug 2291342]

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4265 https://access.redhat.com/errata/RHSA-2024:4265

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:4580 https://access.redhat.com/errata/RHSA-2024:4580

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:4715 https://access.redhat.com/errata/RHSA-2024:4715

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4776 https://access.redhat.com/errata/RHSA-2024:4776

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5644 https://access.redhat.com/errata/RHSA-2024:5644