Bug 449746 - (CVE-2008-1033) CVE-2008-1033 cups: password disclosure via debug log
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
low Severity low
Assigned To: Red Hat Product Security
Reported: 2008-06-03 07:19 EDT by Tomas Hoger
Modified: 2008-06-03 07:43 EDT
Last Closed: 2008-06-03 07:43:12 EDT
Description Tomas Hoger 2008-06-03 07:19:33 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1033 to the following vulnerability:

The scheduler in CUPS in Apple Mac OS X 10.5 before 10.5.3, when debug logging
is enabled and a printer requires a password, allows attackers to obtain
sensitive information (credentials) by reading the log data, related to
"authentication environment variables."

Comment 1 Tomas Hoger 2008-06-03 07:29:08 EDT
This issue does not affect cups packages as shipped in Red Hat Enterprise Linux
3, 4 and 5.  Support for job authentication was only introduced in CUPS 1.3.x.

Comment 2 Tomas Hoger 2008-06-03 07:40:17 EDT
Gory details:

SVN r6576 added code that exported authentication data to the environment:

  r6576 | mike | 2007-06-20 02:23:32 +0200 (Wed, 20 Jun 2007) | 20 lines

  Add new AUTH_USERNAME, AUTH_DOMAIN, and AUTH_PASSWORD environment variables
  when printing a job.  This allows us to run the IPP backend as "lp" and will
  allow other backends to support proxy authentication without running as root.

  svn diff -c 6576 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

SVN r6579 added a check to prevent leaking of authentication credentials to the debug log.

  svn diff -c 6579 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

However, this check was accidentally broken in SVN r7233, which was supposed to
fix HP-UX compilation issues.  The correct check that prevented logging of
environment variables with names starting with 'AUTH_' was replaced with an
incorrect check testing for the 'CUPSD_AUTH_' prefix (CUPSD actually, as the
string length was not fixed in the commit).

  svn diff -c 7233 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

The broken check was fixed again in SVN r7377:

  svn diff -c 7377 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

It seems that the incorrect check only appeared in the upstream version 1.3.6.
Versions 1.3.5 and 1.3.7 have correct checks.
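
An illustration of the prefix check described in Comment 2, as an added example that is not part of the original comments and is not the CUPS source. The function names and the sample environment are constructed, and the length argument 5 is an assumption inferred from the remark that the string length was not changed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed job environment; all values are placeholders. */
static const char *sample_env[] = {
    "PRINTER=office", "AUTH_USERNAME=alice", "AUTH_DOMAIN=EXAMPLE",
    "AUTH_PASSWORD=placeholder-secret", "CUPSD_AUTH_TEST=x", NULL
};

/* Check as described for r6579: do not log names starting with "AUTH_". */
static int loggable_original(const char *env)
{
    return strncmp(env, "AUTH_", 5) != 0;
}

/* Check as described for r7233: the literal changed but the length stayed
 * at 5, so only the first five bytes ("CUPSD") are ever compared. */
static int loggable_broken(const char *env)
{
    return strncmp(env, "CUPSD_AUTH_", 5) != 0;
}

/* Hardened form (assumed, hypothetical): the length is derived from the
 * literal, so editing the prefix cannot leave a stale byte count behind. */
#define SECRET_PREFIX "AUTH_"
static int loggable_hardened(const char *env)
{
    return strncmp(env, SECRET_PREFIX, sizeof(SECRET_PREFIX) - 1) != 0;
}

/* Count AUTH_* entries that a given filter would let into the debug log. */
static int count_leaked(int (*loggable)(const char *))
{
    int i, leaked = 0;
    for (i = 0; sample_env[i] != NULL; i++)
        if (loggable(sample_env[i]) && strncmp(sample_env[i], "AUTH_", 5) == 0)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("original: %d AUTH_ entries logged\n", count_leaked(loggable_original));
    printf("broken:   %d AUTH_ entries logged\n", count_leaked(loggable_broken));
    printf("hardened: %d AUTH_ entries logged\n", count_leaked(loggable_hardened));
    return 0;
}
```
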

Comment 4 Tomas Hoger 2008-06-03 07:43:12 EDT
Fedora is currently not affected by this issue.  F7 ships unaffected cups
1.2.12.  F8, F9 and Rawhide were already updated to a fixed upstream version 1.3.7.
