Bug 12257 - cups new security issue in lppasswd fixed upstream in 1.7.1 (CVE-2013-6891)
Summary: cups new security issue in lppasswd fixed upstream in 1.7.1 (CVE-2013-6891)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/580763/
Whiteboard: advisory has_procedure mga3-32-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-01-09 18:23 CET by David Walser
Modified: 2014-01-21 17:42 CET

See Also:
Source RPM: cups-1.7.0-4.mga4.src.rpm
CVE: CVE-2013-6891
Status comment:


Description David Walser 2014-01-09 18:23:55 CET
http://www.cups.org/ shows that 1.7.1 fixes this:
http://www.cups.org/str.php?L4319

It's not entirely clear if the CVE-2013-6891 mentioned in that bug is for this issue.

This should affect us since our lppasswd binary is setuid.  This is the case in Mageia 3 as well.

David Walser 2014-01-09 18:24:08 CET

Whiteboard: (none) => MGA3TOO

David Walser 2014-01-12 17:56:55 CET

Blocks: (none) => 11726

Comment 1 David Walser 2014-01-16 17:49:24 CET
Ubuntu has issued an advisory for this on January 15:
http://www.ubuntu.com/usn/usn-2082-1/

It appears the CVE reference is correct.

URL: (none) => http://lwn.net/Vulnerabilities/580763/
Summary: cups new security issue in lppasswd fixed upstream in 1.7.1 => cups new security issue in lppasswd fixed upstream in 1.7.1 (CVE-2013-6891)

Comment 2 Oden Eriksson 2014-01-16 18:57:45 CET
fixed with cups-1.5.4-9.1.mga3

fixed in cauldron, needs to be submitted.

CC: (none) => oe

Comment 3 David Walser 2014-01-18 21:48:19 CET
cups-1.7.0-5.mga4 uploaded for Cauldron.

Assigning Mageia 3 update to QA.

Advisory:
========================

Updated cups packages fix security vulnerability:

Jann Horn discovered that the CUPS lppasswd tool incorrectly read a user
configuration file in certain configurations. A local attacker could use
this to read sensitive information from certain files, bypassing access
restrictions (CVE-2013-6891).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6891
http://www.cups.org/str.php?L4319
http://www.ubuntu.com/usn/usn-2082-1/
========================

Updated packages in core/updates_testing:
========================
cups-1.5.4-9.1.mga3
cups-common-1.5.4-9.1.mga3
cups-serial-1.5.4-9.1.mga3
libcups2-1.5.4-9.1.mga3
libcups2-devel-1.5.4-9.1.mga3
php-cups-1.5.4-9.1.mga3

from cups-1.5.4-9.1.mga3.src.rpm

Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA3TOO => (none)

David Walser 2014-01-18 21:48:39 CET

Severity: normal => major

Comment 4 Bill Wilkinson 2014-01-20 17:52:13 CET
No PoC on Securityfocus.

Installed update mga3-32, printed an email which printed as expected.

CC: (none) => wrw105
Whiteboard: (none) => mga3-32-ok

Comment 5 Bill Wilkinson 2014-01-20 18:18:43 CET
Installed update mga3-64, which prints to the mga3-32 box.  Printed a LibreOffice document, all OK.

Ready to validate when advisory is uploaded to svn.

Whiteboard: mga3-32-ok => mga3-32-ok mga3-64-OK

Comment 6 claire robinson 2014-01-20 18:29:07 CET
Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates?

Thanks

Keywords: (none) => validated_update
Whiteboard: mga3-32-ok mga3-64-OK => advisory has_procedure mga3-32-ok mga3-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-01-21 17:42:53 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0021.html

Status: NEW => RESOLVED
CC: (none) => tmb
CVE: (none) => CVE-2013-6891
Resolution: (none) => FIXED
