Bug 12257

Summary: cups new security issue in lppasswd fixed upstream in 1.7.1 (CVE-2013-6891)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: oe, sysadmin-bugs, tmb, wrw105
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/580763/
Whiteboard: advisory has_procedure mga3-32-ok mga3-64-OK
Source RPM: cups-1.7.0-4.mga4.src.rpm CVE: CVE-2013-6891
Status comment:

Description David Walser 2014-01-09 18:23:55 CET 
http://www.cups.org/ shows that 1.7.1 fixes this:
http://www.cups.org/str.php?L4319

It's not entirely clear if the CVE-2013-6891 mentioned in that bug is for this issue.

This should affect us since our lppasswd binary is setuid.  This is the case in Mageia 3 as well.

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-09 18:24:08 CET

Whiteboard: (none) => MGA3TOO

David Walser 2014-01-12 17:56:55 CET

Blocks: (none) => 11726

Comment 1 David Walser 2014-01-16 17:49:24 CET 
Ubuntu has issued an advisory for this on January 15:
http://www.ubuntu.com/usn/usn-2082-1/

It appears the CVE reference is correct.

URL: (none) => http://lwn.net/Vulnerabilities/580763/
Summary: cups new security issue in lppasswd fixed upstream in 1.7.1 => cups new security issue in lppasswd fixed upstream in 1.7.1 (CVE-2013-6891)

Comment 2 Oden Eriksson 2014-01-16 18:57:45 CET 
fixed with cups-1.5.4-9.1.mga3

fixed in cauldron, needs to be submitted.

CC: (none) => oe

Comment 3 David Walser 2014-01-18 21:48:19 CET 
cups-1.7.0-5.mga4 uploaded for Cauldron.

Assigning Mageia 3 update to QA.

Advisory:
========================

Updated cups packages fix security vulnerability:

Jann Horn discovered that the CUPS lppasswd tool incorrectly read a user
configuration file in certain configurations. A local attacker could use
this to read sensitive information from certain files, bypassing access
restrictions (CVE-2013-6891).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6891
http://www.cups.org/str.php?L4319
http://www.ubuntu.com/usn/usn-2082-1/
========================

Updated packages in core/updates_testing:
========================
cups-1.5.4-9.1.mga3
cups-common-1.5.4-9.1.mga3
cups-serial-1.5.4-9.1.mga3
libcups2-1.5.4-9.1.mga3
libcups2-devel-1.5.4-9.1.mga3
php-cups-1.5.4-9.1.mga3

from cups-1.5.4-9.1.mga3.src.rpm

Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA3TOO => (none)

David Walser 2014-01-18 21:48:39 CET

Severity: normal => major

Comment 4 Bill Wilkinson 2014-01-20 17:52:13 CET 
No PoC on Securityfocus.

Installed update mga3-32, printed an email which printed as expected.

CC: (none) => wrw105
Whiteboard: (none) => mga3-32-ok

Comment 5 Bill Wilkinson 2014-01-20 18:18:43 CET 
Installed update mga3-64, which prints to the mga3-32 box.  Printed a LibreOffice document, all OK.

Ready to validate when advisory is uploaded to svn.

Whiteboard: mga3-32-ok => mga3-32-ok mga3-64-OK

Comment 6 claire robinson 2014-01-20 18:29:07 CET 
Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: mga3-32-ok mga3-64-OK => advisory has_procedure mga3-32-ok mga3-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-01-21 17:42:53 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0021.html

Status: NEW => RESOLVED
CC: (none) => tmb
CVE: (none) => CVE-2013-6891
Resolution: (none) => FIXED