Bug 449746 (CVE-2008-1033) - CVE-2008-1033 cups: password disclosure via debug log
Summary: CVE-2008-1033 cups: password disclosure via debug log
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1033
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-03 11:19 UTC by Tomas Hoger
Modified: 2021-11-12 19:48 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-06-03 11:43:12 UTC
Embargoed:



Description Tomas Hoger 2008-06-03 11:19:33 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1033 to the following vulnerability:

The scheduler in CUPS in Apple Mac OS X 10.5 before 10.5.3, when debug logging
is enabled and a printer requires a password, allows attackers to obtain
sensitive information (credentials) by reading the log data, related to
"authentication environment variables."

References:
http://lists.apple.com/archives/security-announce/2008/May/msg00001.html
http://xforce.iss.net/xforce/xfdb/42713

Comment 1 Tomas Hoger 2008-06-03 11:29:08 UTC
This issue does not affect cups packages as shipped in Red Hat Enterprise Linux
3, 4 and 5.  Support for job authentication was only introduced in CUPS 1.3.x.

Comment 2 Tomas Hoger 2008-06-03 11:40:17 UTC
Gory details:

SVN r6576 added code that exported authentication data to the environment:

  r6576 | mike | 2007-06-20 02:23:32 +0200 (Wed, 20 Jun 2007) | 20 lines

  Add new AUTH_USERNAME, AUTH_DOMAIN, and AUTH_PASSWORD environment variables
  when printing a job.  This allows us to run the IPP backend as "lp" and will
  allow other backends to support proxy authentication without running as root.

  svn diff -c 6576 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

SVN r6579 added a check to prevent leaking of authentication credentials to the debug log.

  svn diff -c 6579 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

However, this check was accidentally broken in SVN r7233, which was supposed to
fix HP-UX compilation issues.  The correct check that prevented logging of
environment variables with names starting with 'AUTH_' was replaced with an
incorrect check testing for the 'CUPSD_AUTH_' prefix (CUPSD actually, as the string
length was not fixed in the commit).

  http://cups.org/str.php?L2679
  svn diff -c 7233 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

The broken check was fixed again in SVN r7377:

  http://cups.org/str.php?L2751
  svn diff -c 7377 http://svn.easysw.com/public/cups/trunk/scheduler/job.c

It seems that the incorrect check only appeared in the upstream version 1.3.6.
Versions 1.3.5 and 1.3.7 have correct checks.
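
The prefix-check regression described in comment 2, as an added example that is not part of the bug report and is not the CUPS source: it is reconstructed from the comment's wording only. The function names, the log line format, the sample environment and the `HAS_PREFIX` macro are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Check as described for r6579: suppress names starting with "AUTH_". */
static int secret_correct(const char *e) { return strncmp(e, "AUTH_", 5) == 0; }

/* Check as described for r7233: the literal changed but the length stayed 5,
 * so only "CUPSD" is compared and AUTH_* entries no longer match. */
static int secret_broken(const char *e) { return strncmp(e, "CUPSD_AUTH_", 5) == 0; }

/* Hardened form (assumption): length derived from the literal, cannot drift. */
#define HAS_PREFIX(s, lit) (strncmp((s), (lit), sizeof(lit) - 1) == 0)
static int secret_hardened(const char *e) { return HAS_PREFIX(e, "AUTH_"); }

/* Write every entry the filter does not suppress into out, one debug line
 * each (constructed log format). Returns the number of lines written. */
static int log_env(int (*is_secret)(const char *), const char *const *envp,
                   char *out, size_t outsz)
{
    size_t used = 0;
    int lines = 0;

    out[0] = '\0';
    for (; *envp; envp++) {
        if (is_secret(*envp))
            continue;                       /* kept out of the log */
        int n = snprintf(out + used, outsz - used, "[debug] env: %s\n", *envp);
        if (n < 0 || (size_t)n >= outsz - used) {
            out[used] = '\0';               /* drop the partial line and stop */
            break;
        }
        used += (size_t)n;
        lines++;
    }
    return lines;
}

/* Constructed sample environment; the values are placeholders. */
static const char *const sample_env[] = {
    "PATH=/usr/bin", "AUTH_USERNAME=alice", "AUTH_DOMAIN=EXAMPLE",
    "AUTH_PASSWORD=constructed-secret", "CUPSD_EXAMPLE=1", NULL
};

int main(void)
{
    char buf[512];
    printf("correct:  %d lines\n", log_env(secret_correct, sample_env, buf, sizeof buf));
    printf("broken:   %d lines\n%s", log_env(secret_broken, sample_env, buf, sizeof buf), buf);
    printf("hardened: %d lines\n", log_env(secret_hardened, sample_env, buf, sizeof buf));
    return 0;
}
```

A regression test that asserts the debug output contains no `AUTH_` entry catches this kind of literal/length mismatch before release.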


Comment 4 Tomas Hoger 2008-06-03 11:43:12 UTC
Fedora is currently not affected by this issue.  F7 ships unaffected cups
1.2.12.  F8, F9 and Rawhide were already updated to a fixed upstream version 1.3.7.

