Ubuntu has issued an advisory on December 5: http://www.ubuntu.com/usn/usn-1654-1/ Mageia 2 is also affected. This is a complicated one and the fix is invasive. Debian has a reproducer (also attached to the RedHat bug). More links here: http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5519.html
CC: (none) => cjw
Whiteboard: (none) => MGA2TOO
CC: (none) => guillomovitch
CC: (none) => anssi.hannula
CC: (none) => mageia
CC: (none) => dmorganec
CC: (none) => thierry.vignaud
CC: (none) => oe
Here's my attempt to fix CVE-2012-5519: http://n1.nux.se/work/cups-1.5.4-0.1.mbs2.src.rpm (still untested)
cups-1.5.4-1.mga2 has been submitted to mga2 updates_testing (r328151). Seems to work for me. Use the PoC from Debian as of:
https://bugzilla.redhat.com/show_bug.cgi?id=875898
https://bugzilla.redhat.com/attachment.cgi?id=643673
Thanks Oden!

Advisory:
========================

Updated cups packages fix security vulnerability:

CUPS stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface (CVE-2012-5519).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5519
http://www.ubuntu.com/usn/usn-1654-1/
========================

Updated packages in core/updates_testing:
========================
cups-1.5.4-1.mga2
cups-common-1.5.4-1.mga2
libcups2-1.5.4-1.mga2
libcups2-devel-1.5.4-1.mga2
cups-serial-1.5.4-1.mga2
php-cups-1.5.4-1.mga2

from cups-1.5.4-1.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO => (none)
Possible PoC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791
Better link.. http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=cups_exploit;att=1;bug=692791
Testing complete on Mageia 2 i586 and x86-64.

Once the linewrap is removed from the PoC, and the user is added to the lpadmin group, before the update the content of /etc/shadow is shown. After the update, there is no output. The /etc/cupsd.conf file still gets overwritten, but without providing access to other files.

Could someone from the sysadmin team push the srpm cups-1.5.4-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated cups packages fix security vulnerability:

CUPS stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface (CVE-2012-5519).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5519
http://www.ubuntu.com/usn/usn-1654-1/
https://bugs.mageia.org/show_bug.cgi?id=8318
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0359
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Changes for cups for this checked into Mageia 1 SVN. I couldn't get the PoC to work to test it though, it gives me a 404.
Run the PoC again.
Gives a 404 before or after the update.
I meant, run the PoC twice. Had this behaviour on mes5.
Something was really wrong with my test VM, so I made a new one. PoC works both before and after the update :O
Hmm, the PoC probably worked after because of the changes to cupsd.conf by the PoC before the update. I restored the cupsd.conf and tried again, and the PoC now gives a 404 after the update.
This update brings printing problems: the printer stops printing in the middle of a page and ejects this page... with the default driver. When changing driver: no printing at all! The page is just skipped! Remove the printer, reinstall a "new" printer, choose the default driver: same result! This update is buggy!!! or not compatible with the previous drivers...

I removed the updated packages cups, cups-common and libcups2 version 1.5.4-1 and reinstalled version 1.5.2-5.1. The printing is fine again!

My config: Mageia 2 up to date. Printer Canon i850 (USB port), driver: Canon i850 - CUPS+Gutenprint v5.2.7
Status: RESOLVED => REOPENED
CC: (none) => philippedidier
Resolution: FIXED => (none)
NB: I use Mageia 2 on my everyday work computer... Today I had to print lots of pages of an account book... I have spent 2 hours to understand that it was not:
- a page format problem
- a LibreOffice problem
- a printer configuration problem
but a buggy updated rpm problem.

I am familiar with Mandrake, Mandriva and Mageia, and I knew where to search (cups), how to remove rpms without their dependencies, how to reinstall the previous version, how to configure the printer again.

If Mageia wants to be a good distribution for ordinary users, that is not true in this particular case! (That's the first time I get problems with an update...)

The test was indeed weak: did anybody try to print anything before pushing these rpms?! The testing time was indeed too short: I couldn't even test the update when it was in update_testing (knowing that it could be wrong); it was pushed very early... so I was confident in the testers!

Now the problem is: there's a buggy update in the update repository... a usual user won't be able to downgrade! What the hell can be done to correct this?
Yes! It's a little harsh... sorry! But I'm a little angry to have wasted time... and to imagine what kind of problems this will induce... Be serious! Even if I really love the Mageia community spirit, I really think of leaving Mageia and switching to Debian!
The code used to fix this came from the upstream CUPS developers and is also in Mandriva, Fedora, and Ubuntu. I understand your frustration, but one bug is no reason to do something rash, especially when there hasn't been a chance to fix it.
Note that I also backported Mandriva's fix for CUPS 1.4 to Mageia 1 and built it locally, and printing still works just fine for me. It's possible this is an issue that won't affect all users. Also, not to take a shot at Debian, but one thing we (the security and QA teams) have learned through this process is that Debian has released multiple broken updates themselves over the course of the past year. Frankly we have a better track record with this than they do. We have a process in place to prevent it, but nothing can guarantee perfection.
For this security issue cups was updated from 1.5.2 to 1.5.4, which could be the cause of this problem. The cups USB driver changed between these versions, for example. The security patch is about admin access to the config files, so should not affect printing itself.
Hi David! Sorry for my anger... but it was not directed against you! Now it's calmed down. I know that a distribution can't be bug-free. You can print on your backported cups 1.4; that means that you tested it!!!

The problem with this issue is that cups 1.5.4 seems to have been tested only for the security problem inside Mageia 2... the srpm is backported from Mageia 3 where it may work inside the Mageia 3 context (drivers, printer-setting program etc...).

The update_testing repo is a real good idea... if it is used for this purpose for enough time: I sometimes test rpms in this repo, knowing that I'm testing, and knowing how to downgrade when the update is not OK! There, I couldn't even test cups, which stayed less than 24 hours in the update_testing repo! That error may be considered as a warning for QA.
You're welcome to formally join the QA team. There's an IRC channel #mageia-qa and a mailing list qa-discuss@ml.mageia.org (also qa-bugs). There's documentation on the Wiki for it. It's a delicate balance between thorough testing and timeliness when it's for a major security update, as this was. For security updates that involve a patch, it's usually sufficient to test the issue itself if possible, but as this was a version update, perhaps we should have taken more time.
Printing still works fine for me, and 5 days after the push you are the first to find fault with the update Philippe, so I think this must be a specific issue with your specific setup. There is no hardware testing lab with banks of printers to test with, and neither is that our intention. Mageia is a community distro and as such relies on the community to report issues such as this and act in their own interest to prevent it. Realistically, we will never be able to test cups on any printers we don't have within the team, and even then it will likely be only the people testing the security update who check it is OK with their printer. There are thousands of different printers available and there is no way on this earth for us to test with each of them.

As David has suggested, if you wish to assist with QA you are more than welcome to do so. We are a small team with a high workload. Angrily throwing stones from the outside will not achieve the result you want it to.

Security updates are obviously always given a high priority, with the aim of releasing them as soon as possible. If you'd like to ensure future cups updates will work on your specific hardware, the best way to do so is to test them before they are released. As part of the QA team you will be able to do just that, so please consider it.
A possible fix was submitted in r331722 (cups-1.5.4-1.1.mga2, core/updates_testing). Please test.
CC: guillomovitch => (none)
Hi Claire, Hi Christian.

First, apologies for English not being my original language, and not being fluent enough to prevent me from using words that may offend. Secondly, I was really angry at wasting so much time to print things that were ready for this (usually I keep my work until the last day in case it needs some last minute corrections... printing is just a routine: I launch it and have nothing else to do on a Sunday afternoon!), and my posts were certainly too harsh!

I don't mean to throw stones; I know you are busy, and I do respect the work you do. I do my own little part for the community (work on packaging as I can, test rpms in update_testing, test isos, file bug reports, propose patches...).

In this case: I don't ask the QA team to test whatever printer exists... I understand that security issues are a priority, but in this particular situation the security issue was not corrected by a single patch on a working mga2 version... but with a backported Mageia 3 version (the prudence to open a backport repository has good reasons...). As Christian pointed out, the cups USB driver has changed from version 1.5.2 to 1.5.4... that's certainly the reason why I got this problem (and other owners of USB connected printers will certainly have it).

What happened here must be considered as a bell ringing as a warning, not only for the QA team but for maintainers too! The urgency of a security update oriented the test on the security part of this rpm update, leading to omitting to test the functionality of the rpm... There were two things to test and the second was omitted...

I do test packages that are important for me, that I use, that I know well (that's my contribution to the QA team) when they appear in update_testing... (I look almost every day at http://mageia.madb.org/tools/updates.) cups is absolutely one of these important rpms that I would have tested if it had stayed more than a few hours in update_testing (knowing that it could bring problems, I can search for them, and downgrade if necessary).

The paradox is that I have been so confident in your work for months that today I spent so much time searching for what I might myself have done wrong, before thinking it was perhaps an update problem you wouldn't have detected! If you perceive the implicit, it's the contrary of throwing stones... You see? That's the first time something wrong could go through your good screening! Let's try to understand why, and if there's a way to prevent this (perhaps maintainers must warn the QA team when an update is both a security correction and a version update).

Regards
Philippe
(In reply to comment #23)
> A possible fix was submitted in r331722 (cups-1.5.4-1.1.mga2,
> core/updates_testing). Please test.

Thanks Oden... I will of course test it! Knowing what may appear :) and that I must downgrade if necessary ;(
philippe
Thanks Oden, and congratulations \°/

The fix is OK! usb-backend-reset-after-job-only-for-specific-devices.patch solved this!!! ;) (Where did you find it?)

This update no longer brings the printing problem that I encountered. I installed it:
- test printing OK
- changed the driver: test printing OK
- stopped and rebooted: test printing OK
- changed driver: test printing OK

All the printing tests were done with the system-config-printer default test page, and from OpenOffice, from kwrite, from gimp (using gutenprint), and from firefox.

MGA32-OK for me (with a USB printer Canon i850...)!

I hope that you Oden, and the QA team (Claire particularly), won't be too worried by my harsh angry posts... :-( Sorry, I can be bad tempered even if I try to cure this.

Regards and many thanks for your job
philippe
USB and network printing with the released update worked fine for me Philippe. We are not the cups QA team, we are the Mageia QA team. Nobody here is an employee and nobody has any special hardware to test with; we are all in exactly the same position as you are and volunteer our time and resources to make Mageia as stable and reliable as we possibly can.

I realise you have had a frustrating day. It is equally frustrating for us, having done so, to be on the receiving end of your angry and demanding posts. Please bear that in mind when you next post to bugzilla.

Given that it worked fine for Dave Hodgins and worked fine for me too, and that 5 days after the update you are the only one to report an issue, I don't see how QA could possibly perform any better doing testing on your behalf. As said previously, the best way to ensure your specific hardware configuration is fully supported is to involve yourself and test with it. With the new package (thank you Oden) your hardware appears to work, but would you say that you are now in a position to categorically state that all hardware will work, just because yours does?

We now need to show that the new cups package supports your hardware on mga2 64 too before it can be pushed, so we will await your feedback on that, then test it works on ours too. Other than that I'm really not sure what you are expecting QA to be able to do!?
We can't generally expect users to be able to confirm their bugs are fixed on both arches, as most users only use one. Since he was able to confirm it fixes his issue, I think QA should be able to validate it as long as no regressions are found.
Keywords: validated_update => (none)
Component: Security => RPM Packages
Summary: cups new security issue CVE-2012-5519 => Broken support for some USB printers (Previously: cups new security issue CVE-2012-5519)
Whiteboard: MGA2-64-OK MGA2-32-OK => MGA2-32-OK
Severity: critical => normal
(In reply to comment #26)
> Thanks Oden
> And congratulations \°/
> The fix is OK!
> usb-backend-reset-after-job-only-for-specific-devices.patch solved this !!!
> ;)
> (where did you find it? )

With Google: "cups-1.5.4 Canon i850" -> debian/ubuntu bug -> upstream bug -> fix by Till Kamppeter (former Mandriva employee) -> cups-1.5.4-1.1.mga2. Not bad resolution time, and on a Sunday night as well, right?
Keywords: (none) => validated_update
Component: RPM Packages => Security
Summary: Broken support for some USB printers (Previously: cups new security issue CVE-2012-5519) => cups new security issue CVE-2012-5519
Whiteboard: MGA2-32-OK => MGA2-64-OK MGA2-32-OK
Severity: normal => critical
Hi Oden! Thanks again! for having so quickly jumped onto the problem, found a solution, applied it, and proposed it...

I crawled a little inside the arcana of cups bugs. So the 1.5.4 version from the cups team was not completely tested... and didn't correct a bug that appeared with the 1.5.3 version :( The proposed patch is not yet merged. For Mageia we know now that this patch is necessary for this 1.5.4 version... until it is merged upstream... someday (not in 1.6.0 either, which is said to be the actual stable version). And we know now, having tested it on Mageia 2, that it must be added into Cauldron too... at least to allow a Canon i850 USB printer to work with a 32 bit system :)

But, when I look at bug reports inside cups, I discover that this patch corrects this bug for several Canon inkjet printers, and Xerox, and Samsung and Brother and NEC and Epson... :( ??? So this bug report may be useful to other people than me...

To Claire: I really, really apologize! Maybe next time I'll try to calm down before sending a bug report!

We are surely not cups QA testers! But in this particular case we became... unwillingly... I would have preferred that this version 1.5.4 had been tested in Cauldron before being backported to Mageia 2 (Cauldron users have more skill for bug reports and upstream bug reports...) to solve a security problem inside the 1.5.2 version... I would have preferred, too, that before providing this version, the cups devs had corrected known pending bugs (they may test this with more printers than a distribution team!!! because their work is supposed to concern printers... and Apple can use some of its profits to sponsor it: <<CUPS is the standards-based, open source printing system developed by Apple Inc. for OS® X and other UNIX®-like operating systems.>>)

I have only one computer, for daily professional use... on which I have only Mageia 32 bits installed. I can't use it with a side by side install of a 64 bit Mageia 2. I can absolutely not dare to use Cauldron on this computer (I have accumulated 20 years of precious professional work; even if I use backup and backup and backup I don't want to lose it). So definitely I can't be a good QA team member! I can only test what I can and what I know, and when I know it has to be tested! and say it's OK for me! or it's wrong for me...

I had not needed to print until today: my last print job was last Sunday... and today I was stuck with lots of pages half printed... useless.

Fortunately I'm prudent: I usually always do this: for years I have not blindly clicked on Mandriva update or Mageia update (I use it as a warning telling me new updates are coming). For years I have always used a dedicated directory in which I download the updated rpms. For years I test these updates, and downgrade the rpms if they bring more bugs than they correct, dragging them into a "bad updates" directory to remember not to use them. I always consider that QA is a good filter, but I know, too, that some special hardware can bring its own problems, or that some associated software can bring some incoherence... I always do my own tests and file bug reports when they appear.

I never asked you to test on my own behalf! I know you can't! In today's context: I (naively?) didn't test this cups update (lack of time, too much confidence because I never got problems with previous updates) and first imagined that I had made big mistakes in my spreadsheets, looking for them without any success... using backups to look where they might have appeared first.

Nevertheless the bug I reported is similar to some bugs reported on other distributions, the patch added by Oden was used by other distributions, and the cups devs mean to merge it! This corrected update might satisfy other people than me...
Non-exhaustive list of USB printers that may be affected by bugs in cups 1.5.4 (reported in Ubuntu, Fedora, Slackware, Arch Linux... both 32 and 64 bits):
- Xerox Phaser 3124
most of Canon USB inkjet printers:
- Canon MP500
- Canon MP510
- Canon MP550
- Canon MP560
- Canon IP2600
- Canon IP3000
- Canon IP3300
- Canon IP4200
- Canon IP4300
- Canon i560
- Canon i850
- Canon Pixma MP 280
- Brother HL-1430
- Oki Okipage 14ex
- Oki B410d
- All Zebra printers
- All Samsung devices
- Seiko Epson Receipt Printer M129C
- NEC Picty800 (HP OEM)
- Kyocera Mita FS 820
- Brother HL-1440 Laser Printer
- NEC Picty800

They may be tested in Mageia 2 with the cups update from the core_update repo... 1.5.4-1, and then tested with the cups update from the core_update_testing repo 1.5.4-1.1. The same test may be done in Cauldron with cups 1.5.4.

For Oden: the patch seems to have been merged in the 1.6.1 version (not in 1.6.0).
On the French forum with Mageia 2, printing problems are appearing for Samsung and Canon printers... I just added a link to this bug report inside the forum for each thread! But I'm not sure that every user can read English, not sure that they have a bugzilla account, not sure that they will add the update_testing repo to test. We just need to wait for them to answer on the forum.
Philippe
Still working fine here mga2 64 usb & network. Validating.

Advisory:
This update adds a patch to correct printing problems with some USB connected printers in cups 1.5.4.

SRPM: cups-1.5.4-1.1.mga2

Could sysadmin please push from core/updates_testing to core/updates. Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2-32-OK => MGA2-32-OK mga2-64-OK
Thanks Claire... and apologies again!!!

There seems to be something wrong in the cups roadmap :( cups 1.5.2 worked quite well but was replaced by cups 1.5.3 and then 1.5.4, which brought this problem with USB connected printers. cups 1.5.4 is no longer maintained except for security issues; patches for USB were provided in distributions (Ubuntu, Fedora) but there won't be a 1.5.5 version with these patches merged. The new stable release is 1.6.*; the patch for the USB problem was not merged for cups 1.6.0; it has been merged for 1.6.1, but this new 1.6.1 version brings so many new bugs that packagers from Ubuntu warn not to use it! <CUPS 1.6 has major incompatible changes. Do not use CUPS 1.6.1 on stable Ubuntu releases>

So maintainers and the QA team have to do what they can for their distribution!!! and have to receive angry reports...
Moving to CUPS 1.6 will be a ton of work that will affect many other things in the distro. It's unlikely to happen for Mageia 3 even. I posted a message to mageia-dev early this year about the things that need to be done for it. See if you can find it :o)
Hi David! It seems you were and you are still right (just seeing what happens for Ubuntu or Fedora, with the 1.6.0 and 1.6.1 versions). And that you're even right in the case of simply updating from 1.5.2 to 1.5.4.

For information: on the French forum a user had printing problems with a Canon PIXMA MG5150 too, since the last update of cups (from 1.5.2 to 1.5.4-1). He just tried the three 5.1.4-1.1 rpms from update_testing: the problem is corrected for him too! Unfortunately he is using a 32 bit Mageia 2.

That means: as soon as the next Live DVD beta1 iso is downloadable I will test the printing system: Cauldron comes with cups 1.5.4 too :-( Having a sensitive printer I will be a good guinea pig :) and I promise to be less harsh ;) But, certainly, some other patches will be needed (the USB problem was not the only one appearing when updating from 1.5.2 to 1.5.4 in other distributions).

Thanks. Best regards to all of you,
Philippe
Sysadmin, please see comment 33 for push details. Thanks.
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0244
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
Thanks to Oden: http://svnweb.mageia.org/packages?view=revision&revision=333330
This bug will no longer appear in Cauldron or in Mageia 3, after having been corrected in Mageia 2 :)
Never ending bug report about cups 1.5.4 :-( Perhaps new patches are needed for other printers:
http://www.cups.org/str.php?L4191
http://www.cups.org/str.php?L4217
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Depends on: (none) => 8507
Fixed in r335824 (mga2, updates_testing, cups-1.5.4-1.2.mga2). This is supposed to fix printing for the following printers:
Canon, Inc. PIXMA iP4200
Canon, Inc. PIXMA iP4300
Canon, Inc. MP500
Canon, Inc. MP510
Canon, Inc. MP550
Canon, Inc. MP560
Brother Industries, Ltd, HL-1430 Laser Printer
Brother Industries, Ltd, HL-1440 Laser Printer
Oki Data Corp. Okipage 14ex Printer
Oki Data Corp. B410d
Xerox Phaser 3124
All Zebra devices

Additionally a patch was added to fix printing from newer Apple devices.

References:
http://www.cups.org/str.php?L4155
http://www.cups.org/str.php?L4191
http://www.cups.org/str.php?L4217
https://bugs.launchpad.net/bugs/711779

Please understand I do NOT have access to any of these devices so I cannot verify if cups-1.5.4-1.2.mga2 fixes or breaks anything.
Oh, cups-1.5.4-1.2.mga2 also fixes https://bugs.mageia.org/show_bug.cgi?id=8507
Keywords: validated_update => (none)
Whiteboard: MGA2-32-OK mga2-64-OK => (none)
Thanks again Oden!

I tested these rpms 1.5.4-1.2 from updates_testing on Mageia 2 32 bits. I can only say there's no regression since the last 1.5.4-1.1: my Canon i850, which first revealed the problem when updating from 1.5.2 to 1.5.4 in Mageia 2, still works correctly with this new update. I don't have any printer from the list... I can't test them better than you :-(

Bug 8507 would have appeared in an extremely rare situation: freshly installed Mageia 2 from a live CD or live DVD, with update repos accepted for urpmi, before installing the print system... Nevertheless it's a good idea to add this correction.

NB: these patches must be added for Cauldron too!

Indeed we can get two lessons about cups from this:
- As far as possible, try to add security patches to the working version in the stable release (that would have meant: add security patches to cups 1.5.2 inside Mageia 2)
- the cups development roadmap is a forward run without looking backward nor to the sides (in French we say "après nous le déluge"); every distribution has to add patches and patches and patches, or update to a new version with these patches merged and then discover new bugs needing new patches!

So to summarize: update validated for Mageia 2 32 bits, with a USB Canon printer (with patches needing to be applied in Cauldron since they have been tested on Mageia 2).

The advisory may be what you wrote:
1) This is supposed to fix printing for the following printers:
Canon, Inc. PIXMA iP4200
Canon, Inc. PIXMA iP4300
Canon, Inc. MP500
Canon, Inc. MP510
Canon, Inc. MP550
Canon, Inc. MP560
Brother Industries, Ltd, HL-1430 Laser Printer
Brother Industries, Ltd, HL-1440 Laser Printer
Oki Data Corp. Okipage 14ex Printer
Oki Data Corp. B410d
Xerox Phaser 3124
All Zebra devices
Additionally a patch was added to fix printing from newer Apple devices.
and
2) This corrects an error in the %post script which prevented the cups service from being enabled after a fresh install.
Whiteboard: (none) => MGA2-32-OK
Still appears fine here mga2 64 so validating again.

Advisory
--------
This further update for cups should correct possible printing problems with the following printers following the update to cups 1.5.4:
Canon, Inc. PIXMA iP4200
Canon, Inc. PIXMA iP4300
Canon, Inc. MP500
Canon, Inc. MP510
Canon, Inc. MP550
Canon, Inc. MP560
Brother Industries, Ltd, HL-1430 Laser Printer
Brother Industries, Ltd, HL-1440 Laser Printer
Oki Data Corp. Okipage 14ex Printer
Oki Data Corp. B410d
Xerox Phaser 3124
All Zebra devices

Additionally, patches have been added to fix printing from newer Apple devices and to correct an error in the %post script which prevented the cups service from starting when freshly installed.

References:
http://www.cups.org/str.php?L4155
http://www.cups.org/str.php?L4191
http://www.cups.org/str.php?L4217
https://bugs.launchpad.net/bugs/711779
https://bugs.mageia.org/show_bug.cgi?id=8318
https://bugs.mageia.org/show_bug.cgi?id=8507
-----------------------
SRPM: cups-1.5.4-1.2.mga2

Could sysadmin please push from core/updates_testing to core/updates. Thanks!
Keywords: (none) => validated_update
Hardware: i586 => All
Whiteboard: MGA2-32-OK => MGA2-32-OK mga2-64-OK
Dropping validation for another security fix...

CVE advisory:
During the process of CUPS socket activation code refactoring in favour of systemd capability a security flaw was found in the way CUPS service honoured Listen localhost:631 cupsd.conf configuration option. The setting was recognized properly for IPv4-enabled systems, but failed to be correctly applied for IPv6-enabled systems. As a result, a remote attacker could use this flaw to obtain (unauthorized) access to the CUPS web-based administration interface. (CVE-2012-6094)

The fix for now is to not enable IP-based systemd socket activation by default.

References:
http://seclists.org/oss-sec/2013/q1/16
https://bugzilla.novell.com/show_bug.cgi?id=795624
https://bugzilla.redhat.com/show_bug.cgi?id=891942

cups-1.5.4-1.3.mga2 sent to mga2 core/updates_testing
cups-1.5.4-7.mga3 sent to cauldron core/release
Only change is this: http://svnweb.mageia.org/packages/updates/2/cups/current/SOURCES/cups-systemd-socket.patch?r1=339325&r2=339324&pathrev=339325 diff -up cups-1.5.0/data/cups.socket.in.systemd-socket cups-1.5.0/data/cups.socket.in --- cups-1.5.0/data/cups.socket.in.systemd-socket 2012-01-17 16:22:39.878857111 +0000 +++ cups-1.5.0/data/cups.socket.in 2012-01-17 16:22:39.878857111 +0000 -@@ -0,0 +1,11 @@ +@@ -0,0 +1,8 @@ +[Unit] +Description=CUPS Printing Service Sockets + +[Socket] +ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@ -+ListenStream=631 -+ListenDatagram=0.0.0.0:631 -+BindIPv6Only=ipv6-only + +[Install] +WantedBy=sockets.target
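Review bot: dropping `ListenStream=631`, `ListenDatagram=0.0.0.0:631` and `BindIPv6Only=ipv6-only` leaves only the `@CUPS_DEFAULT_DOMAINSOCKET@` listener in the generated cups.socket, so binding of the TCP port goes back to cupsd's own `Listen` directives from cupsd.conf, which is what the advisory's `Listen localhost:631` needs in order to be honoured on IPv6 hosts; the hunk header change from `+1,11` to `+1,8` matches the three removed lines. The removed `ListenStream=631` names no address, so it listened on every interface regardless of cupsd.conf; that point belongs in the patch description as well as in this bug. The regression check for the update should be that the installed /lib/systemd/system/cups.socket contains none of the three lines while the web interface is still reachable at http://localhost:631 and the service still starts and stops cleanly.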
This is getting silly. Can we please confirm there are no other changes needed before we do this again.
No, since things change all the time :-)
Sorry Claire, but I thought this security fix was important enough... No more fixes for now that I know of. The simple test for the additional CVE "fix" is to check /lib/systemd/system/cups.socket and verify that these three lines are not there anymore:
ListenStream=631
ListenDatagram=0.0.0.0:631
BindIPv6Only=ipv6-only
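As an added example (not code from this bug report or from the cups package), the manual check above written as a small POSIX sh script that QA testers can run on each arch: it fails if any of the three IP listener lines is still present in a cups.socket unit, and ignores commented-out copies since systemd does not act on those. The two sample units are constructed for offline testing; the domain socket path in them stands in for the @CUPS_DEFAULT_DOMAINSOCKET@ placeholder of the real unit.

```shell
#!/bin/sh
# Added example, not from the bug thread or the cups package: automates the
# post-update check for the CVE-2012-6094 fix.
# check_cups_socket [FILE] returns 0 when none of the three IP listener lines
# remain in the unit, 1 when at least one is still there (each one is printed),
# and 2 when the unit cannot be read.
check_cups_socket() {
    unit="${1:-/lib/systemd/system/cups.socket}"
    [ -r "$unit" ] || { echo "cannot read $unit" >&2; return 2; }
    found=0
    for line in 'ListenStream=631' 'ListenDatagram=0.0.0.0:631' 'BindIPv6Only=ipv6-only'; do
        # -F: literal match, -x: whole line only, so neither ListenStream=6310
        # nor a commented-out '#ListenStream=631' counts as a hit
        if grep -Fxq -- "$line" "$unit"; then
            echo "still present in $unit: $line"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample unit as shipped before the fix (all three lines present).
write_unit_before_fix() {
    cat > "$1" <<'EOF'
[Unit]
Description=CUPS Printing Service Sockets

[Socket]
ListenStream=/var/run/cups/cups.sock
ListenStream=631
ListenDatagram=0.0.0.0:631
BindIPv6Only=ipv6-only

[Install]
WantedBy=sockets.target
EOF
}

# Constructed sample unit after the fix: only the domain socket is left, plus a
# commented-out line that must not be reported.
write_unit_after_fix() {
    cat > "$1" <<'EOF'
[Unit]
Description=CUPS Printing Service Sockets

[Socket]
ListenStream=/var/run/cups/cups.sock
# ListenStream=631 (comment on purpose: systemd ignores it)

[Install]
WantedBy=sockets.target
EOF
}

# Check a real unit when a path is given, e.g.:
#   sh check_cups_socket.sh /lib/systemd/system/cups.socket
if [ $# -gt 0 ]; then
    check_cups_socket "$1"
fi
```

Run it with the installed unit's path after applying cups-1.5.4-1.3.mga2; a zero exit status is the "lines are gone" result, and a non-zero one lists exactly which of the three lines survived the update.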
*** Bug 8600 has been marked as a duplicate of this bug. ***
Testing complete mga2 64 Oden :P Those lines are not there with the update applied, thanks. Service starts/stops ok, web interface ok (http://localhost:631). Local/remote printers found ok. Printing OK. Philippe (or anyone) can you check mga2 32 please, then it can be validated again.
Whiteboard: (none) => has_procedure mga2-64-OK
Oops! cups overflowing again! ;-) Thanks to Thomas, Oden and Claire... with deep compassion for you, having to face this opened Pandora's jar!

OK on Mageia 2 32 bits, updating from:
cups-1.5.4-1.2.mga2
cups-common-1.5.4-1.2.mga2
libcups-1.5.4-1.2.mga2
to:
cups-1.5.4-1.3.mga2
cups-common-1.5.4-1.3.mga2
libcups-1.5.4-1.3.mga2

Verifying /lib/systemd/system/cups.socket: these three lines are not there anymore:
ListenStream=631
ListenDatagram=0.0.0.0:631
BindIPv6Only=ipv6-only

So, temporarily: validated for me... no regression (there couldn't be any).

See you soon ;-)
Philippe
Whiteboard: has_procedure mga2-64-OK => has_procedure MGA2-32-OK MGA2-64-OK
Validating

Advisory
--------
CVE advisory:
During the process of CUPS socket activation code refactoring in favour of systemd capability a security flaw was found in the way CUPS service honoured Listen localhost:631 cupsd.conf configuration option. The setting was recognized properly for IPv4-enabled systems, but failed to be correctly applied for IPv6-enabled systems. As a result, a remote attacker could use this flaw to obtain (unauthorized) access to the CUPS web-based administration interface. (CVE-2012-6094)

The fix for now is to not enable IP-based systemd socket activation by default.

References:
http://seclists.org/oss-sec/2013/q1/16
https://bugzilla.novell.com/show_bug.cgi?id=795624
https://bugzilla.redhat.com/show_bug.cgi?id=891942

Further, this update should correct possible printing problems with the following printers since the update to cups 1.5.4:
Canon, Inc. PIXMA iP4200
Canon, Inc. PIXMA iP4300
Canon, Inc. MP500
Canon, Inc. MP510
Canon, Inc. MP550
Canon, Inc. MP560
Brother Industries, Ltd, HL-1430 Laser Printer
Brother Industries, Ltd, HL-1440 Laser Printer
Oki Data Corp. Okipage 14ex Printer
Oki Data Corp. B410d
Xerox Phaser 3124
All Zebra devices

Additionally, patches have been added to fix printing from newer Apple devices and to correct an error in the %post script which prevented the cups service from starting when freshly installed.

References:
http://www.cups.org/str.php?L4155
http://www.cups.org/str.php?L4191
http://www.cups.org/str.php?L4217
https://bugs.launchpad.net/bugs/711779
https://bugs.mageia.org/show_bug.cgi?id=8318
https://bugs.mageia.org/show_bug.cgi?id=8507
-----------------------
Please push cups-1.5.4-1.3.mga2 from core/updates_testing to core/updates. Thanks!
Keywords: (none) => validated_update
Summary: Broken support for some USB printers (Previously: cups new security issue CVE-2012-5519) => Broken support for some USB printers & CVE-2012-6094 (Previously: cups new security issue CVE-2012-5519)
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0004