A security flaw was found in the way wrapped file transmission routines (get / put a file from / to the CUPS server) of cups-pk-helper, an application which makes CUPS configuration interfaces available under control of PolicyKit, performed check of user ID prior performing the actual operation (get / put). If a local attacker performed a symbolic-link attack and was able to trick CUPS administrator into approving the file transmission, the adversary could use this flaw to obtain unauthorized access to certain system files or, possibly, modify / alter certain system files. Acknowledgements: Red Hat would like to thank Vincent Untz for reporting this issue.
Created attachment 624105 [details] Relevant patch from Vincent Untz
This issue affects the version of the cups-pk-helper package, as shipped with Red Hat Enterprise Linux 6. -- This issue affects the versions of the cups-pk-helper package, as shipped with Fedora release of 16 and 17.
Created attachment 624699 [details] Updated patch from Vincent Untz
Created attachment 624821 [details] Patch from Vincent Untz Corrected patch from upstream
The CVE identifier of CVE-2012-4510 has been assigned to this issue.
Public via: http://www.openwall.com/lists/oss-security/2012/10/12/2
Created cups-pk-helper tracking bugs for this issue Affects: fedora-all [bug 865815]
External reference: (none)
Upstream commit: http://cgit.freedesktop.org/cups-pk-helper/commit/?id=6995d30816f0c76844dee4dc9022296a03258457