Bug 864515 (CVE-2012-4510) - CVE-2012-4510 cups-pk-helper: Insecure wrapping of cupsGetFile() and cupsPutFile() methods
Summary: CVE-2012-4510 cups-pk-helper: Insecure wrapping of cupsGetFile() and cupsPutF...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2012-4510
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 865815
Blocks: 864521
TreeView+ depends on / blocked
 
Reported: 2012-10-09 13:33 UTC by Jan Lieskovsky
Modified: 2023-09-25 12:31 UTC (History)
3 users (show)

Fixed In Version: cups-pk-helper 0.2.3
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the cupsGetFile() and cupsPutFile() functions of cups-pk-helper checked user IDs. If a local attacker performed a symbolic link attack, and was able to trick a CUPS administrator into approving the file transmission, the attacker could possibly use this flaw to access or modify certain system files, potentially leading to privilege escalation.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:59:27 UTC
Embargoed:

Attachments (Terms of Use)
Relevant patch from Vincent Untz (11.88 KB, patch)
2012-10-09 13:36 UTC, Jan Lieskovsky 		no flags Details | Diff
Updated patch from Vincent Untz (17.16 KB, patch)
2012-10-10 09:19 UTC, Jan Lieskovsky 		no flags Details | Diff
Patch from Vincent Untz (17.38 KB, patch)
2012-10-10 12:01 UTC, Tomas Hoger 		no flags Details | Diff
Show Obsolete (2) View All

Description Jan Lieskovsky 2012-10-09 13:33:08 UTC 
A security flaw was found in the way wrapped file transmission routines (get / put a file from / to the CUPS server) of cups-pk-helper, an application which makes CUPS configuration interfaces available under control of PolicyKit, performed check of user ID prior performing the actual operation (get / put). If a local attacker performed a symbolic-link attack and was able to trick CUPS administrator into approving the file transmission, the adversary could use this flaw to obtain unauthorized access to certain system files or, possibly, modify / alter certain system files.

Acknowledgements:

Red Hat would like to thank Vincent Untz for reporting this issue.
Comment 2 Jan Lieskovsky 2012-10-09 13:36:20 UTC 
Created attachment 624105 [details]
Relevant patch from Vincent Untz
Comment 4 Jan Lieskovsky 2012-10-09 13:47:43 UTC 
This issue affects the version of the cups-pk-helper package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the cups-pk-helper package, as shipped with Fedora release of 16 and 17.
Comment 6 Jan Lieskovsky 2012-10-10 09:19:00 UTC 
Created attachment 624699 [details]
Updated patch from Vincent Untz
Comment 7 Tomas Hoger 2012-10-10 12:01:07 UTC 
Created attachment 624821 [details]
Patch from Vincent Untz

Corrected patch from upstream
Comment 8 Jan Lieskovsky 2012-10-10 12:35:07 UTC 
The CVE identifier of CVE-2012-4510 has been assigned to this issue.
Comment 9 Jan Lieskovsky 2012-10-12 13:51:02 UTC 
Public via:
http://www.openwall.com/lists/oss-security/2012/10/12/2
Comment 10 Jan Lieskovsky 2012-10-12 13:52:26 UTC 
Created cups-pk-helper tracking bugs for this issue

Affects: fedora-all [bug 865815]
Comment 12 Francisco Alonso 2015-03-11 12:41:54 UTC 
External reference:

(none)
Comment 13 Tomas Hoger 2015-03-25 16:11:40 UTC 
Upstream commit:

http://cgit.freedesktop.org/cups-pk-helper/commit/?id=6995d30816f0c76844dee4dc9022296a03258457
Note You need to log in before you can comment on or make changes to this bug.