CUPS 1.7.2 has been released:
http://www.cups.org/blog.php?L717

It fixes a security issue in the web interface:
http://www.cups.org/str.php?L4356

The patch is here:
http://www.cups.org/strfiles.php/3268/str4356.patch

I don't know if a CVE will be allocated for this.

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
CVE request: http://openwall.com/lists/oss-security/2014/04/14/2
CVE-2014-2856 has been assigned: http://openwall.com/lists/oss-security/2014/04/15/3
Summary: cups new web interface XSS security issue fixed in 1.7.2 => cups new web interface XSS security issue fixed in 1.7.2 (CVE-2014-2856)
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

RedHat said they were unable to reproduce the issue, but I haven't seen any specific PoC information.

Advisory:
========================

Updated cups packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function (CVE-2014-2856).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2856
http://www.cups.org/str.php?L4356
========================

Updated packages in core/updates_testing:
========================
cups-1.5.4-9.2.mga3
cups-common-1.5.4-9.2.mga3
libcups2-1.5.4-9.2.mga3
libcups2-devel-1.5.4-9.2.mga3
cups-serial-1.5.4-9.2.mga3
php-cups-1.5.4-9.2.mga3
cups-1.7.0-7.1.mga4
cups-common-1.7.0-7.1.mga4
libcups2-devel-1.7.0-7.1.mga4
libcups2-1.7.0-7.1.mga4
cups-filesystem-1.7.0-7.1.mga4

from SRPMS:
cups-1.5.4-9.2.mga3.src.rpm
cups-1.7.0-7.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: normal => major
PoC:
$ curl "http://localhost:631/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml"

General testing, ensure the web interface at http://localhost:631 is still functional and printing works as expected.
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Better PoC:
http://localhost:631/<SCRIPT>alert(123);</SCRIPT>.shtml

It should produce a popup alert with 123 as text.

It doesn't here mga4 64, just shows 'Not Found', and wasn't reproduced by cups devs either. Assume it must need some special setup.

Confirmed the patch has been applied with madb. I'll test the update shortly.
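For the test procedure above, checking the response body directly is more conclusive than waiting for a popup. The following is an added example, not part of the thread and not CUPS code: it classifies how the "Better PoC" payload comes back in a saved response. The function names and the sample bodies are constructed for illustration; the samples are not captured CUPS output.

```python
import html
from urllib.parse import quote

# Payload taken from the thread's "Better PoC" URL path.
PAYLOAD = "<SCRIPT>alert(123);</SCRIPT>"
HTML_TYPES = ("text/html", "application/xhtml+xml")


def classify_reflection(body, content_type="text/html", payload=PAYLOAD):
    """Say how (if at all) the payload comes back in a response body.

    "raw"          - echoed unescaped in an HTML response (the XSS condition)
    "raw-not-html" - echoed unescaped, but the media type is not HTML
    "html-escaped" - echoed with <, >, & and quotes entity-encoded
    "url-encoded"  - echoed percent-encoded
    "absent"       - not echoed in any of these forms
    """
    haystack = body.lower()  # HTML tag names are case-insensitive
    if payload.lower() in haystack:
        media_type = content_type.split(";")[0].strip().lower()
        return "raw" if media_type in HTML_TYPES else "raw-not-html"
    if html.escape(payload, quote=True).lower() in haystack:
        return "html-escaped"
    if quote(payload, safe="").lower() in haystack:
        return "url-encoded"
    return "absent"


def update_ok(body, content_type="text/html"):
    """QA verdict: anything except an unescaped echo in HTML passes."""
    return classify_reflection(body, content_type) != "raw"


# Constructed sample bodies (hypothetical, not captured CUPS output).
SAMPLES = {
    "echoed": "<HTML><BODY><H1>Not Found</H1><P>/<script>alert(123);</script>.shtml</P></BODY></HTML>",
    "escaped": "<HTML><BODY><H1>Not Found</H1><P>/&lt;SCRIPT&gt;alert(123);&lt;/SCRIPT&gt;.shtml</P></BODY></HTML>",
    "encoded": "<HTML><BODY><P>/%3CSCRIPT%3Ealert%28123%29%3B%3C%2FSCRIPT%3E.shtml</P></BODY></HTML>",
    "plain": "<HTML><BODY><H1>Not Found</H1></BODY></HTML>",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:8} {classify_reflection(sample):13} pass={update_ok(sample)}")
```

To use it against a real test machine, save the PoC response with `curl -s -o body.html` and pass the file's contents, together with the response's Content-Type header, to `classify_reflection`.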
Testing complete mga4 64 and mga3 32
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga4-64-ok
Testing complete mga4 32

Needs testing mga3 64 to validate
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0193.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/596237/