Quoting from the upstream bug report http://cups.org/str.php?L3510:
directory that is writable by unprivileged processes.
This is a latent privilege escalation vulnerability. It can be
exploited only in the presence of other CUPS vulnerabilities.
Why this is privilege escalation
This is privilege escalation, because an unprivileged process can
trick the CUPS server into overwriting arbitrary files as root.
drwxrwxr-x 4 root lp /var/cache/cups
-rw-r----- 1 root lp /var/cache/cups/remote.cache
This file is opened with cupsFileOpen() which simply opens the file
with open(filename, O_WRONLY | O_TRUNC | O_CREAT | O_LARGEFILE |
If a CUPS "external" program has a vulnerability, an attacker can
use the group=lp privileges to replace /var/cache/cups/remote.cache
with a symlink to a root-writable file. CUPS will then overwrite
that file as root. A similar latent vulnerability exists for the
state file /var/cache/cups/job.cache.
Why this is a latent vulnerability
This is a latent vulnerability, because there is no known exploit
for CUPS "external" programs that run as user=lp, group=lp.
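The file-overwrite primitive described above (root opening a path in a group-writable directory with O_CREAT|O_TRUNC, so a planted symlink redirects the truncation) is easy to reproduce in a scratch directory, and it is worth seeing next to a write pattern that does not have the problem. The C below is an added example, not CUPS code and not the upstream fix: the directory, the stand-in "root-owned" target file and the planted remote.cache symlink are constructed for the demo, and write_state_file_safely() is one hardened approach (O_EXCL temp file plus rename()) chosen for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed demo content standing in for a file only root should write. */
#define TARGET_CONTENT "important root-owned content\n"

/* The open pattern the quoted report attributes to cupsFileOpen(): no
   O_NOFOLLOW, so if `path` is a symlink the kernel follows it and
   O_TRUNC empties whatever it points at, with the caller's privileges. */
static int open_following_symlinks(const char *path)
{
    int fd = open(path, O_WRONLY | O_TRUNC | O_CREAT, 0640);
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}

/* Hardened write (illustrative, not the CUPS fix): create a fresh file with
   O_CREAT|O_EXCL (mkstemp), fill it, then rename() it over the real name.
   O_EXCL fails rather than follows a pre-planted link under the temp name,
   and rename() replaces the directory entry itself without dereferencing
   it, so a symlink or hard link sitting at `name` is swapped out, never
   truncated through. */
static int write_state_file_safely(const char *dir, const char *name,
                                   const char *data)
{
    char tmp[PATH_MAX], final[PATH_MAX];
    snprintf(tmp, sizeof tmp, "%s/.%s.XXXXXX", dir, name);
    snprintf(final, sizeof final, "%s/%s", dir, name);

    int fd = mkstemp(tmp);
    if (fd < 0) return -errno;
    size_t len = strlen(data);
    if (fchmod(fd, 0640) < 0 || write(fd, data, len) != (ssize_t)len ||
        fsync(fd) < 0) {
        int e = errno; close(fd); unlink(tmp); return -e;
    }
    close(fd);
    if (rename(tmp, final) < 0) { int e = errno; unlink(tmp); return -e; }
    return 0;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (long)st.st_size;
}

static int write_target(const char *target)
{
    FILE *f = fopen(target, "w");
    if (!f) return -errno;
    fputs(TARGET_CONTENT, f);
    fclose(f);
    return 0;
}

struct demo_result {
    long target_before;      /* size of the target file at the start */
    long target_after_vuln;  /* after the CUPS-style open: 0, truncated via the link */
    long target_after_safe;  /* after the safe write: unchanged */
    int  safe_rc;            /* return code of write_state_file_safely() */
    int  cache_is_regular;   /* 1 once rename() has replaced the planted symlink */
};

/* Model /var/cache/cups in a throw-away directory: a target file plus a
   planted symlink remote.cache -> target, then write through both paths. */
static int run_demo(struct demo_result *r)
{
    char dir[] = "/tmp/cups-symlink-demo-XXXXXX";
    char target[PATH_MAX], cache[PATH_MAX];
    if (!mkdtemp(dir)) return -errno;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(cache, sizeof cache, "%s/remote.cache", dir);

    int rc = write_target(target);
    if (rc < 0) return rc;
    if (symlink("target", cache) < 0) return -errno;   /* the planted link */

    r->target_before = file_size(target);
    open_following_symlinks(cache);                     /* root-style open */
    r->target_after_vuln = file_size(target);

    rc = write_target(target);                          /* restore, retry safely */
    if (rc < 0) return rc;
    r->safe_rc = write_state_file_safely(dir, "remote.cache", "# remote printers\n");
    r->target_after_safe = file_size(target);

    struct stat st;
    r->cache_is_regular = lstat(cache, &st) == 0 && S_ISREG(st.st_mode);

    unlink(cache); unlink(target); rmdir(dir);          /* tidy up */
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) < 0) { perror("demo setup"); return 1; }
    printf("target before:               %ld bytes\n", r.target_before);
    printf("after O_TRUNC open via link: %ld bytes\n", r.target_after_vuln);
    printf("after mkstemp+rename:        %ld bytes (rc=%d, remote.cache regular=%d)\n",
           r.target_after_safe, r.safe_rc, r.cache_is_regular);
    return 0;
}
```

Two caveats a practitioner would add: adding O_NOFOLLOW to the original open() is a cheaper fix for the symlink case alone, but the temp-file-plus-rename pattern also covers a hard link planted at the final name (fs.protected_hardlinks is not guaranteed to be on); and neither addresses the root cause named in the quoted report, that the directory is writable by the unprivileged group, which still lets a group member delete or rename the state files (denial of service rather than escalation).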
The upstream fix looks more like a preventative fix, as there does not seem to be anything exploitable here, so this looks more like a hardening than a response to an actual flaw.
Created cups tracking bugs for this issue
Affects: fedora-all [bug 605399]
cups-1.4.4-1.fc13 has been submitted as an update for Fedora 13.
cups-1.4.4-1.fc12 has been submitted as an update for Fedora 12.
cups-1.4.4-1.fc11 has been submitted as an update for Fedora 11.
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2431 to
The cupsFileOpen function in CUPS before 1.4.4 allows local users,
with lp group membership, to overwrite arbitrary files via a symlink
attack on the (1) /var/cache/cups/remote.cache or (2)
cups-1.4.4-4.fc13 has been submitted as an update for Fedora 13.
cups-1.4.4-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.4.4-5.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.4.4-5.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0811 https://rhn.redhat.com/errata/RHSA-2010-0811.html
This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3 or 4. It was addressed in Red Hat Enterprise Linux 5 via RHSA-2010:0811.