Bug 7895 - cups-pk-helper new security issue CVE-2012-4510
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/520969/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
 
Reported: 2012-10-24 20:43 CEST by David Walser
Modified: 2012-10-29 00:57 CET

Source RPM: cups-pk-helper-0.2.1-1.mga2.src.rpm

Description David Walser 2012-10-24 20:43:01 CEST
Debian has issued an advisory on October 23:
http://www.debian.org/security/2012/dsa-2562

Updated package uploaded for Cauldron; patched package uploaded for Mageia 2.

Advisory:
========================

Updated cups-pk-helper package fixes security vulnerability:

cups-pk-helper, a PolicyKit helper to configure CUPS with fine-grained
privileges, wraps CUPS function calls in an insecure way. This could lead to
uploading sensitive data to a CUPS resource, or overwriting specific files
with the content of a CUPS resource. The user would have to explicitly
approve the action (CVE-2012-4510).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4510
http://www.debian.org/security/2012/dsa-2562
========================

Updated packages in core/updates_testing:
========================
cups-pk-helper-0.2.1-1.1.mga2

from cups-pk-helper-0.2.1-1.1.mga2.src.rpm

Comment 1 Dave Hodgins 2012-10-26 04:09:31 CEST
No public poc that I've been able to find.

As /usr/lib64/cups-pk-helper-mechanism handles the dbus changes for
printers, for testing, just ensuring system-config-printer can
disable and enable a printer.

Testing shortly.

Comment 2 Dave Hodgins 2012-10-26 04:21:49 CEST
Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
cups-pk-helper-0.2.1-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated cups-pk-helper package fixes security vulnerability:

cups-pk-helper, a PolicyKit helper to configure CUPS with fine-grained
privileges, wraps CUPS function calls in an insecure way. This could lead to
uploading sensitive data to a CUPS resource, or overwriting specific files
with the content of a CUPS resource. The user would have to explicitly
approve the action (CVE-2012-4510).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4510
http://www.debian.org/security/2012/dsa-2562

https://bugs.mageia.org/show_bug.cgi?id=7895

Comment 3 Thomas Backlund 2012-10-29 00:57:18 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0310
