Bug 864515 - (CVE-2012-4510) CVE-2012-4510 cups-pk-helper: Insecure wrapping of cupsGetFile() and cupsPutFile() methods
CVE-2012-4510 cups-pk-helper: Insecure wrapping of cupsGetFile() and cupsPutF...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20121012,repor...
: Security
Depends On: 865815
Blocks: 864521
  Show dependency treegraph
 
Reported: 2012-10-09 09:33 EDT by Jan Lieskovsky
Modified: 2015-06-01 21:31 EDT (History)
4 users (show)

See Also:
Fixed In Version: cups-pk-helper 0.2.3
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the cupsGetFile() and cupsPutFile() functions of cups-pk-helper checked user IDs. If a local attacker performed a symbolic link attack, and was able to trick a CUPS administrator into approving the file transmission, the attacker could possibly use this flaw to access or modify certain system files, potentially leading to privilege escalation.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Relevant patch from Vincent Untz (11.88 KB, patch)
2012-10-09 09:36 EDT, Jan Lieskovsky
no flags Details | Diff
Updated patch from Vincent Untz (17.16 KB, patch)
2012-10-10 05:19 EDT, Jan Lieskovsky
no flags Details | Diff
Patch from Vincent Untz (17.38 KB, patch)
2012-10-10 08:01 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2012-10-09 09:33:08 EDT
A security flaw was found in the way wrapped file transmission routines (get / put a file from / to the CUPS server) of cups-pk-helper, an application which makes CUPS configuration interfaces available under control of PolicyKit, performed check of user ID prior performing the actual operation (get / put). If a local attacker performed a symbolic-link attack and was able to trick CUPS administrator into approving the file transmission, the adversary could use this flaw to obtain unauthorized access to certain system files or, possibly, modify / alter certain system files.

Acknowledgements:

Red Hat would like to thank Vincent Untz for reporting this issue.
Comment 2 Jan Lieskovsky 2012-10-09 09:36:20 EDT
Created attachment 624105 [details]
Relevant patch from Vincent Untz
Comment 4 Jan Lieskovsky 2012-10-09 09:47:43 EDT
This issue affects the version of the cups-pk-helper package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the cups-pk-helper package, as shipped with Fedora release of 16 and 17.
Comment 6 Jan Lieskovsky 2012-10-10 05:19:00 EDT
Created attachment 624699 [details]
Updated patch from Vincent Untz
Comment 7 Tomas Hoger 2012-10-10 08:01:07 EDT
Created attachment 624821 [details]
Patch from Vincent Untz

Corrected patch from upstream
Comment 8 Jan Lieskovsky 2012-10-10 08:35:07 EDT
The CVE identifier of CVE-2012-4510 has been assigned to this issue.
Comment 9 Jan Lieskovsky 2012-10-12 09:51:02 EDT
Public via:
http://www.openwall.com/lists/oss-security/2012/10/12/2
Comment 10 Jan Lieskovsky 2012-10-12 09:52:26 EDT
Created cups-pk-helper tracking bugs for this issue

Affects: fedora-all [bug 865815]
Comment 12 Francisco Alonso 2015-03-11 08:41:54 EDT
External reference:

(none)

Note You need to log in before you can comment on or make changes to this bug.