Quoting from the upstream bug report http://cups.org/str.php?L3510:

directory that is writable by unprivileged processes. This is a latent privilege escalation vulnerability. It can be exploited only in the presence of other CUPS vulnerabilities.

Why this is privilege escalation
--------------------------------

This is privilege escalation, because an unprivileged process can trick the CUPS server into overwriting arbitrary files as root. Example:

  drwxrwxr-x 4 root lp /var/cache/cups
  -rw-r----- 1 root lp /var/cache/cups/remote.cache

This file is opened with cupsFileOpen(), which simply opens the file with open(filename, O_WRONLY | O_TRUNC | O_CREAT | O_LARGEFILE | O_BINARY, 0666). If a CUPS "external" program has a vulnerability, an attacker can use the group=lp privileges to replace /var/cache/cups/remote.cache with a symlink to a root-writable file. CUPS will then overwrite that file as root.

A similar latent vulnerability exists for the state file /var/cache/cups/job.cache.

Why this is a latent vulnerability
----------------------------------

This is a latent vulnerability, because there is no known exploit for CUPS "external" programs that run as user=lp, group=lp.

The upstream fix looks more like a preventative fix, as there does not seem to be anything exploitable here, so this looks more like a hardening than a response to an actual flaw.
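A hardened way to open a cache file that lives in a group-writable directory, added here as an example (not CUPS code; the function names, the 0640 mode and the scratch paths under /tmp are assumptions). It pairs O_NOFOLLOW with an fstat() on the already-open descriptor, and the self-check builds a constructed directory with a regular remote.cache and a job.cache symlink to show the symlink being refused while its target stays intact.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hardened counterpart to the open() quoted above (function name assumed).
 * O_NOFOLLOW makes the kernel refuse a symlink as the final path component
 * (ELOOP); fstat() on the open fd then rejects anything but a regular, unshared
 * file owned by the caller, with no check-to-use window. Truncation happens
 * only after the checks (O_TRUNC would empty the target first). Parent dirs
 * are still followed, so they must not be writable by untrusted users. */
int safe_cache_open(const char *path)          /* fd, or -1 with errno set */
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0) return -1;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
             st.st_uid == geteuid() && st.st_nlink == 1;
    if (!ok)
        errno = EPERM;                  /* policy rejection (or fstat failure) */
    if (ok && ftruncate(fd, 0) == 0)
        return fd;
    int saved = errno;
    close(fd);
    errno = saved;
    return -1;
}
/* Self-check on constructed data: scratch dir with a regular cache file and a
 * symlink (job.cache) to a file that must survive; 1 = accepted/refused/intact. */
int demo_symlink_is_rejected(void)
{
    char dir[] = "/tmp/cups-cache-demo-XXXXXX", target[96], cache[96], link[96];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/protected.conf", dir);
    snprintf(cache, sizeof cache, "%s/remote.cache", dir);
    snprintf(link, sizeof link, "%s/job.cache", dir);
    FILE *f = fopen(target, "w");
    if (!f || fputs("keep me\n", f) < 0 || fclose(f) || symlink(target, link)) return 0;
    int ok_fd = safe_cache_open(cache);              /* regular file: accepted */
    int bad_fd = safe_cache_open(link);              /* symlink: refused, ELOOP */
    int refused = bad_fd < 0 && errno == ELOOP;
    if (ok_fd >= 0) close(ok_fd);
    if (bad_fd >= 0) close(bad_fd);
    int intact = stat(target, &st) == 0 && st.st_size == 8;   /* "keep me\n" */
    unlink(cache); unlink(link); unlink(target); rmdir(dir);
    return ok_fd >= 0 && refused && intact;
}
```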
Created cups tracking bugs for this issue Affects: fedora-all [bug 605399]
cups-1.4.4-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/cups-1.4.4-1.fc13
cups-1.4.4-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/cups-1.4.4-1.fc12
cups-1.4.4-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/cups-1.4.4-1.fc11
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2431 to this vulnerability: The cupsFileOpen function in CUPS before 1.4.4 allows local users, with lp group membership, to overwrite arbitrary files via a symlink attack on the (1) /var/cache/cups/remote.cache or (2) /var/cache/cups/job.cache file. With references: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2431 [2] http://cups.org/articles.php?L596 [3] http://cups.org/str.php?L3510
cups-1.4.4-4.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/cups-1.4.4-4.fc13
cups-1.4.4-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.4.4-5.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.4.4-5.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0811 https://rhn.redhat.com/errata/RHSA-2010-0811.html
Statement: This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3 or 4. It was addressed in Red Hat Enterprise Linux 5 via RHSA-2010:0811.