Common Vulnerabilities and Exposures assigned the identifier CVE-2008-1033 to the following vulnerability:
The scheduler in CUPS in Apple Mac OS X 10.5 before 10.5.3, when debug logging
is enabled and a printer requires a password, allows attackers to obtain
sensitive information (credentials) by reading the log data, related to
"authentication environment variables."
This issue does not affect cups packages as shipped in Red Hat Enterprise Linux
3, 4 and 5. Support for job authentication was only introduced in CUPS 1.3.x.
SVN r6576 added code that exported authentication data to the environment:
r6576 | mike | 2007-06-20 02:23:32 +0200 (Wed, 20 Jun 2007) | 20 lines
Add new AUTH_USERNAME, AUTH_DOMAIN, and AUTH_PASSWORD environment variables
when printing a job. This allows us to run the IPP backend as "lp" and will
allow other backends to support proxy authentication without running as root.
svn diff -c 6576 http://svn.easysw.com/public/cups/trunk/scheduler/job.c
SVN r6579 added a check to prevent leaking of authentication credentials to the debug log.
svn diff -c 6579 http://svn.easysw.com/public/cups/trunk/scheduler/job.c
However, this check was accidentally broken in SVN r7233, which was supposed to
fix HP-UX compilation issues. The correct check, which prevented logging of
environment variables with names starting with 'AUTH_', was replaced with an
incorrect check testing for the 'CUPSD_AUTH_' prefix (actually 'CUPSD', as the
string length was not updated in the commit).
svn diff -c 7233 http://svn.easysw.com/public/cups/trunk/scheduler/job.c
The broken check was fixed again in SVN r7377:
svn diff -c 7377 http://svn.easysw.com/public/cups/trunk/scheduler/job.c
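The prefix/length mismatch described above can be reproduced in a few lines. This is an added illustration, not code from the CUPS source tree: the function names, the log line format, the sample environment and the CUPSD_EXAMPLE variable are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample job environment; all values are placeholders. */
static const char *sample_envp[] = {
    "PRINTER=office",
    "AUTH_USERNAME=alice",
    "AUTH_DOMAIN=EXAMPLE",
    "AUTH_PASSWORD=example-secret",
    "CUPSD_EXAMPLE=1",              /* hypothetical variable name */
    NULL
};

/* Correct check: skip any variable whose name starts with "AUTH_". */
static int skip_correct(const char *env)
{ return strncmp(env, "AUTH_", 5) == 0; }

/* Broken check: the literal changed to "CUPSD_AUTH_" but the length stayed
 * at 5, so only "CUPSD" is compared and AUTH_* no longer matches. */
static int skip_broken(const char *env)
{ return strncmp(env, "CUPSD_AUTH_", 5) == 0; }

/* Hardened form: derive the length from the literal so they cannot drift. */
#define HAS_PREFIX(s, lit) (strncmp((s), (lit), sizeof(lit) - 1) == 0)
static int skip_hardened(const char *env)
{ return HAS_PREFIX(env, "AUTH_"); }

/* Write the debug lines to log (may be NULL) and return how many AUTH_*
 * variables were written, i.e. how many credential values leaked. */
static int log_env(const char **envp, int (*skip)(const char *), FILE *log)
{
    int leaked = 0;
    for (; *envp; envp++) {
        if (skip(*envp))
            continue;                       /* filtered out of the log */
        if (log)
            fprintf(log, "D envp=\"%s\"\n", *envp);
        if (HAS_PREFIX(*envp, "AUTH_"))
            leaked++;
    }
    return leaked;
}

int main(void)
{
    printf("correct:  %d leaked\n", log_env(sample_envp, skip_correct, NULL));
    printf("broken:   %d leaked\n", log_env(sample_envp, skip_broken, stdout));
    printf("hardened: %d leaked\n", log_env(sample_envp, skip_hardened, NULL));
    return 0;
}
```

With the broken check, all three AUTH_ variables reach the log while the unrelated CUPSD_EXAMPLE variable is suppressed.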
It seems that the incorrect check only appeared in the upstream version 1.3.6.
Versions 1.3.5 and 1.3.7 have correct checks.
Fedora is currently not affected by this issue. F7 ships unaffected cups
1.2.12. F8, F9 and Rawhide were already updated to a fixed upstream version 1.3.7.