A flaw was found in the way some Linux operating systems install cups. If the default permissions of /var/log/cups allow the 'lp' user to write new files and the cups daemon runs with root permissions, an attacker with access to the 'lp' user could use this flaw to carry out a symlink attack. However, because cupsd verifies whether the path is a symlink after opening it, the flaw can be used only to create empty files in arbitrary locations, or to force open()/close() system calls on arbitrary locations. Because the code corrects the /var/log/cups permissions after the failure, the attacker can carry out this attack only once.

# ps -FC cupsd
UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
root 18686 1 0 86575 9900 0 07:55 ? 00:00:00 /usr/sbin/cupsd -l
# ls -ld /var/log/cups/
drwxr-xr-x. 2 lp sys 68 Apr 14 07:39 /var/log/cups/
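As an added illustration of the open-time mitigation (this is not CUPS code and not the vendors' packaging fix): a root daemon that opens its log with O_NOFOLLOW and checks the result with fstat() refuses a planted symlink before anything is created, so not even the empty file mentioned above appears at the link target. The temporary directory and file names in the demonstration are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (or create) a log file, refusing a symlink as the final path
 * component. Returns an fd, or -1 with errno set. A check-after-open
 * (lstat once the file is open) can still leave an empty file at the
 * symlink target; refusing at open time with O_NOFOLLOW never creates it. */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC,
                  0640);
    if (fd < 0)
        return -1;                 /* ELOOP: path was a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                 /* refuse FIFOs, devices, etc. */
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a temporary directory (hypothetical names, not
 * the real /var/log/cups): "error_log" is a symlink to a file that does
 * not exist yet, as a planted link would be. Returns 1 when the open is
 * refused AND the target was not created; 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdirXXXXXX", link[PATH_MAX], target[PATH_MAX];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link, sizeof link, "%s/error_log", dir);
    snprintf(target, sizeof target, "%s/planted_target", dir);
    if (symlink(target, link) != 0)
        return 0;
    int fd = open_log_nofollow(link);
    int refused = (fd < 0 && errno == ELOOP);   /* read errno before access() */
    int created = (access(target, F_OK) == 0);
    if (fd >= 0)
        close(fd);
    unlink(link); unlink(target); rmdir(dir);
    return refused && !created;
}
```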
Acknowledgments: Name: Matthias Gerstner
Statement: This issue does not affect the upstream CUPS, only the CUPS versions as packaged by some OS vendors.
Created cups tracking bugs for this issue: Affects: fedora-all [bug 1955090]