Bug 8318 - Broken support for some USB printers & CVE-2012-6094 (Previously: cups new security issue CVE-2012-5519)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 2
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/528311/
Whiteboard: has_procedure MGA2-32-OK MGA2-64-OK
Keywords: validated_update
Depends on: 8507
Reported: 2012-12-07 01:32 CET by David Walser
Modified: 2013-01-06 23:03 CET (History)

See Also:
Source RPM: cups-1.5.4-2.mga3.src.rpm
CVE:
Status comment:
Description David Walser 2012-12-07 01:32:21 CET
Ubuntu has issued an advisory on December 5:
http://www.ubuntu.com/usn/usn-1654-1/

Mageia 2 is also affected.

This is a complicated one and the fix is invasive.

Debian has a reproducer (also attached to the RedHat bug).

More links here:
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5519.html
Comment 1 Oden Eriksson 2012-12-07 13:51:21 CET
Here's my attempt to fix CVE-2012-5519:

http://n1.nux.se/work/cups-1.5.4-0.1.mbs2.src.rpm

(still untested)
Comment 2 Oden Eriksson 2012-12-08 11:50:19 CET
cups-1.5.4-1.mga2 has been submitted to mga2 updates_testing (r328151)

Seems to work for me. Use the PoC from Debian as of:

https://bugzilla.redhat.com/show_bug.cgi?id=875898
https://bugzilla.redhat.com/attachment.cgi?id=643673
Comment 3 David Walser 2012-12-08 12:50:26 CET
Thanks Oden!

Advisory:
========================

Updated cups packages fix security vulnerability:

CUPS stores the web interface administrator key in /var/run/cups/certs/0 using
certain permissions, which allows local users in the lpadmin group to read or
write arbitrary files as root by leveraging the web interface (CVE-2012-5519).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5519
http://www.ubuntu.com/usn/usn-1654-1/
========================

Updated packages in core/updates_testing:
========================
cups-1.5.4-1.mga2
cups-common-1.5.4-1.mga2
libcups2-1.5.4-1.mga2
libcups2-devel-1.5.4-1.mga2
cups-serial-1.5.4-1.mga2
php-cups-1.5.4-1.mga2

from cups-1.5.4-1.mga2.src.rpm
Comment 4 claire robinson 2012-12-08 12:54:56 CET
Possible PoC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791
Comment 6 Dave Hodgins 2012-12-09 00:07:22 CET
Testing complete on Mageia 2 i586 and x86-64.  Once the linewrap is removed
from the poc, and the user added to the lpadmin group, before the update,
the content of /etc/shadow is shown. After the update, there is no output.
The /etc/cupsd.conf file still gets overwritten, but without providing
access to other files.

Could someone from the sysadmin team push the srpm
cups-1.5.4-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated cups packages fix security vulnerability:

CUPS stores the web interface administrator key in /var/run/cups/certs/0 using
certain permissions, which allows local users in the lpadmin group to read or
write arbitrary files as root by leveraging the web interface (CVE-2012-5519).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5519
http://www.ubuntu.com/usn/usn-1654-1/

https://bugs.mageia.org/show_bug.cgi?id=8318
Comment 7 Thomas Backlund 2012-12-11 22:25:34 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0359
Comment 8 David Walser 2012-12-12 19:50:49 CET
Changes for cups for this checked into Mageia 1 SVN.

I couldn't get the PoC to work to test it though, it gives me a 404.
Comment 9 Oden Eriksson 2012-12-12 21:35:12 CET
Run the PoC again.
Comment 10 David Walser 2012-12-12 22:24:13 CET
Gives a 404 before or after the update.
Comment 11 Oden Eriksson 2012-12-12 22:29:58 CET
I meant, run the PoC twice. Had this behaviour on mes5.
Comment 12 David Walser 2012-12-12 23:13:52 CET
Something was really wrong with my test VM, so I made a new one.

PoC works both before and after the update :O
Comment 13 David Walser 2012-12-12 23:16:26 CET
Hmm, the PoC probably worked after because of the changes to cupsd.conf by the PoC before the update.  I restored the cupsd.conf and tried again, and the PoC now gives a 404 after the update.
Comment 14 Philippe Didier 2012-12-16 16:49:34 CET
This update brings printing problems:
The printer stops printing in the middle of a page and ejects this page...
with the default driver.
When changing the driver: no printing at all! The page is just skipped!

Delete the printer, reinstall a "new" printer, choose the default driver.
Same result!

This update is buggy!!! or not compatible with the previous drivers...

I removed the updated packages cups, cups-common and libcups2 version 1.5.4-1 and reinstalled version 1.5.2-5.1.
The printing is fine again!

My config :

Mageia2 up to date

Printer Canon i850 (usb port)
driver: Canon i850 - CUPS+Gutenprint v5.2.7
Comment 15 Philippe Didier 2012-12-16 17:09:16 CET
NB I use Mageia2 on my everyday work computer...

Today I had to print lots of pages of an account book... I have spent 2 hours to understand that it was not:
 a page format problem
 a libreoffice problem
 a printer configuration problem
but a buggy updated rpm problem.

I am familiar with Mandrake, Mandriva and Mageia, and I knew
 where to search (cups)
 how to remove rpms without their dependencies
 how to reinstall the previous version
 how to configure the printer again


If Mageia wants to be a good distribution for ordinary users, that is not true in this particular case! (That's the first time I get problems with an update...)

The test was indeed weak: did anybody try to print anything before pushing these rpms?!
The testing time was indeed too short:
I couldn't even test the update when it was in update_testing (knowing that it could be wrong); it was pushed very early... so I was confident in the testers!

Now the problem is: there's a buggy update in the update repository...
A usual user won't be able to downgrade!

What the hell can be done to correct this?
Comment 16 Philippe Didier 2012-12-16 17:16:08 CET
Yes! It's a little harsh... sorry!
but I'm a little angry to have wasted time... and to imagine what kind of problems this will induce...
Be serious!

Even if I really love the Mageia community spirit, I really think of leaving Mageia and switching to Debian!
Comment 17 David Walser 2012-12-16 17:48:03 CET
The code used to fix this came from the upstream CUPS developers and is also in Mandriva, Fedora, and Ubuntu.  I understand your frustration, but one bug is no reason to do something rash, especially when there hasn't been a chance to fix it.
Comment 18 David Walser 2012-12-16 18:01:59 CET
Note that I also backported Mandriva's fix for CUPS 1.4 to Mageia 1 and built it locally, and printing still works just fine for me.  It's possible this is an issue that won't affect all users.

Also, not to take a shot at Debian, but one thing we (the security and QA teams) have learned through this process, is that Debian has released multiple broken updates themselves over the course of the past year.  Frankly we have a better track record with this than they do.  We have a process in place to prevent it, but nothing can guarantee perfection.
Comment 19 Christiaan Welvaart 2012-12-16 18:10:59 CET
For this security issue cups was updated from 1.5.2 to 1.5.4, which could be
the cause of this problem. The cups USB driver changed between these versions,
for example. The security patch is about admin access to the config files, so
should not affect printing itself.
Comment 20 Philippe Didier 2012-12-16 18:22:21 CET
Hi David!
Sorry for my anger... but it was not directed against you!
Now it's calmed down.

I know that a distribution can't be bug-free.

You can print on your backported cups 1.4; that means that you tested it!!!

The problem with this issue is that cups 1.5.4 seems to have been tested only for the security problem inside Mageia2...

The srpm is backported from Mageia3 where it may work inside the Mageia3 context (drivers, printer-setting program etc...)

The update_testing repo is a real good idea... if it is used for this purpose for enough time:
 I sometimes test rpms in this repo, knowing that I'm testing, and knowing how to downgrade when the update is not OK!

There, I couldn't even test cups, which stayed less than 24 hours in the update_testing repo!

That error may be considered as a warning for QA.
Comment 21 David Walser 2012-12-16 18:27:01 CET
You're welcome to formally join the QA team.  There's an IRC channel #mageia-qa and a mailing list qa-discuss@ml.mageia.org (also qa-bugs).  There's documentation on the Wiki for it.

It's a delicate balance between thorough testing and timeliness when it's for a major security update, as this was.  For security updates that involve a patch, it's usually sufficient to test the issue itself if possible, but as this was a version update, perhaps we should have taken more time.
Comment 22 claire robinson 2012-12-16 19:15:49 CET
Printing still works fine for me and 5 days after the push you are the first to find fault with the update Philippe, so I think this must be a specific issue with your specific setup.

There is no hardware testing lab with banks of printers to test with, and neither is that our intention. Mageia is a community distro and as such, relies on the community to report issues such as this and act in their own interest to prevent it.

Realistically, we will never be able to test cups on any printers we don't have within the team and even then it will likely be only the people testing the security update who check it is OK with their printer. There are thousands of different printers available and there is no way on this earth for us to test with each of them.

As David has suggested, if you wish assist with QA you are more than welcome to do so. We are a small team with a high workload. Angrily throwing stones from the outside will not achieve the result you want it to.

Security updates are obviously always given a high priority, with the aim of releasing them as soon as possible. If you'd like to ensure future cups updates will work on your specific hardware, the best way to do so is to test them before they are released. As part of the QA team you will be able to do just that, so please consider it.
Comment 23 Oden Eriksson 2012-12-16 19:34:48 CET
A possible fix was submitted in r331722 (cups-1.5.4-1.1.mga2, core/updates_testing). Please test.
Comment 24 Philippe Didier 2012-12-16 20:18:05 CET
Hi Claire
Hi Christiaan

First, apologies for English not being my original language and not so fluent as to prevent me from using words that may offend.

Secondly, I was really angry when wasting so much time to print things that were ready for this. (Usually I keep my work until the last day in case it needs some last-minute corrections... printing is just a routine: I launch it and have nothing else to do on a Sunday afternoon!) and my posts were certainly too harsh!

I don't mean throwing stones, I know you are busy, and I do respect the work you do.
 I do my own little part for the community (work on packaging as I can, test rpms in update_testing, test isos, file bug reports, propose patches...)

In this case:

I don't ask QA team to test whatever printer exists...

I understand that security issues are a priority

 but in this particular situation the security issue was not corrected by a single patch on a working mga2 version... but with a backported Mageia3 version (the prudence to open the backport repository has good reasons...)

As Christiaan pointed out, the cups USB driver has changed from version 1.5.2 to 1.5.4... that's certainly the reason why I got this problem (and other owners of USB-connected printers will certainly have it)

What happened here must be considered as a bell ringing as a warning, not only for the QA team but for maintainers too!

The emergency of a security update oriented the test on the security part of this rpm update, leading to omitting to test the functionality of the rpm...
There were two things to test and the second was omitted...

I do test packages that are important for me, that I use, that I know well, (that's my contribution to QA team) when they appear in update_testing... (I look quite everyday at http://mageia.madb.org/tools/updates)

cups is absolutely one of these important rpms that I would have tested if it had stayed more than a few hours in update_testing (knowing that it could bring problems, I can search for them, and downgrade if necessary)


The paradox is that I have been so confident in your work for months that today I spent so much time searching for what I might myself have done wrong, before thinking it was perhaps an update problem you wouldn't have detected!

If you perceive the implicit, it's the contrary of throwing stones...
You see?

That's the first time something wrong could go through your good screening!
Let's try to understand why, and if there's a way to prevent this (perhaps maintainers must warn the QA team when an update is both a security correction and a version update)

Regards
Philippe
Comment 25 Philippe Didier 2012-12-16 20:23:03 CET
(In reply to comment #23)
> A possible fix was submitted in r331722 (cups-1.5.4-1.1.mga2,
> core/updates_testing). Please test.

Thanks Oden...

I will of course test it !
Knowing what may appear :) and that I must downgrade if necessary ;(

philippe
Comment 26 Philippe Didier 2012-12-16 21:43:10 CET
Thanks Oden 
And congratulations \°/
The fix is OK!
usb-backend-reset-after-job-only-for-specific-devices.patch solved this !!!
;)
(where did you find it? )

This update no longer brings the printing problem that I encountered.

I installed it
test printing OK
changed the driver
test printing OK

I stopped and rebooted
test printing OK
changed driver
test printing OK

All the printing tests were done
 with the system-config-printer default test page, 
and from openoffice, 
from kwrite,
 from gimp (using gutenprint), 
and  from firefox

MGA32-OK for me (with a usb printer canon i850 ...)!

I hope that you Oden, and the  QA team (Claire particularly) won't be too much worried by my harsh angry posts...

:-(
Sorry 
I can be bad tempered even if I try to cure this.

Regards
and many thanks for your job

philippe
Comment 27 claire robinson 2012-12-16 22:34:32 CET
USB and network printing with the released update worked fine for me Philippe.

We are not cups QA team, we are Mageia QA team. Nobody here is an employee and nobody has any special hardware to test with, we are all in exactly the same position as you are and volunteer our time and resources to make Mageia as stable and reliable as we possibly can. I realise you have had a frustrating day. It is equally frustrating for us, having done so, to be on the receiving end of your angry and demanding posts. Please bear that in mind when you next post to bugzilla.

Given that it worked fine for Dave Hodgins and worked fine for me too and that 5 days after the update you are the only one to report an issue, I don't see how QA could possibly perform any better doing testing on your behalf.

As said previously, the best way to ensure your specific hardware configuration is fully supported is to involve yourself and test with it.

With the new package (thank you Oden) your hardware appears to work, but would you say that you are now in a position to categorically state that all hardware will work, just because yours does??

We now need to show that the new cups package supports your hardware on mga2 64 too before it can be pushed so we will await your feedback on that, then test it works on ours too. 

Other than that I'm really not sure what you are expecting QA to be able to do!?
Comment 28 David Walser 2012-12-16 22:38:51 CET
We can't generally expect users to be able to confirm their bugs are fixed on both arches, as most users only use one.  Since he was able to confirm it fixes his issue, I think QA should be able to validate it as long as no regressions are found.
Comment 29 Oden Eriksson 2012-12-16 22:55:10 CET
(In reply to comment #26)
> Thanks Oden 
> And congratulations \°/
> The fix is OK!
> usb-backend-reset-after-job-only-for-specific-devices.patch solved this !!!
> ;)
> (where did you find it? )

With google "cups-1.5.4 Canon i850" -> debian/ubuntu bug > upstream bug -> fix by Till Kamppeter (former mandriva employee) -> cups-1.5.4-1.1.mga2.

Not bad resolution time, and on a sunday night as well, right?
Comment 30 Philippe Didier 2012-12-17 01:44:21 CET
Hi Oden !

Thanks again ! for having so quickly jumped onto the problem, found a solution, applied it, and proposed it...

I crawled a little inside the arcana of cups bugs.

So the 1.5.4 version from the cups team was not completely tested... and didn't correct a bug that appeared with the 1.5.3 version :(   The proposed patch is not yet merged.

For Mageia
We know now that this patch is necessary for this 1.5.4 version... until it is merged upstream... someday (not yet in 1.6.0 either, which is said to be the actual stable version)

And we know now, having tested it on Mageia2, that it must be added into cauldron too... at least to allow a Canon i850 USB printer to work with a 32-bit system :)

But, when I look at bug reports inside cups, I discover that this patch corrects this bug for several Canon inkjet printers, and Xerox, and Samsung, and Brother and NEC and Epson... :( ???
so this bug report may be useful to other people than me...




to Claire

I really, really apologize !
Maybe next time I'll try to get more quiet before sending a bug report !

We are surely not cups QA testers! but in this particular case we became so... unwillingly...

I would have preferred that this version 1.5.4 had been tested in Cauldron before being backported to Mageia2 (cauldron users have more skill for bug reports and upstream bug reports...) to solve a security problem inside the 1.5.2 version...

I would have preferred, too, that before providing this version, cups devs had corrected known pending bugs (they may test this with more printers than a distribution team!!! because their work is supposed to concern printers... and Apple can use some of its profits to sponsor it:
<<CUPS is the standards-based, open source printing system developed by Apple Inc. for OS® X and other UNIX®-like operating systems.>>



I have only one computer, for daily professional use... on which I have only Mageia 32 bits installed.
I can't use it with a side-by-side install of a 64-bit Mageia2.
I can absolutely not dare to use cauldron on this computer (I have accumulated 20 years of precious professional work; even if I use backup and backup and backup, I don't want to lose it)

So definitely I can't be a good QA team member!

I can only test what I can and what I know, and when I know it has to be tested! and say it's OK for me! or it's wrong for me...

I had no need to print until today: my last print job was last Sunday... and today I was stuck with lots of pages half printed... useless.

Fortunately I'm prudent :

I usually always do this:
For years I have not blindly clicked on Mandriva update or Mageia update (I use it as a warning telling me new updates are coming)
For years I have always used a dedicated directory in which I download the updated rpms.
For years I test these updates, and downgrade the rpms if they bring more bugs than they correct, dragging them into a "bad updates" directory to remember not to use them.

I always consider that QA is a good filter, but I know, too, that some special hardware can bring its own problems, or that some associated software can bring some incoherence... I always do my own tests and file bug reports when they appear.

I never asked you to test for my own behalf ! I know you can't !

In today's context: I (naively?) didn't test this cups update (lack of time, too much confidence because I never got problems with previous updates) and first imagined that I had made big mistakes in my spreadsheets, looking for them without any success... using backups to look where they might have appeared first.

Nevertheless the bug I reported is similar to some bugs reported on other distributions, the patch added by Oden was used by other distributions, and the cups devs mean to merge it!

This corrected update might satisfy other people than me...
Comment 31 Philippe Didier 2012-12-17 20:06:10 CET
Non-exhaustive list of USB printers that may be affected by bugs
in cups 1.5.4:

(reported in ubuntu, fedora, slackware, archlinux... both 32 and 64 bits)
- Xerox Phaser 3124
most Canon USB inkjet printers:
- Canon MP500 
- Canon MP510 
- Canon MP550 
- Canon MP560 
- Canon IP2600
- Canon IP3000
- Canon IP3300
- Canon IP4200
- Canon IP4300
- Canon i560
- Canon i850
- Canon Pixma MP 280
- Brother HL-1430 
- Oki Okipage 14ex 
- Oki B410d 
- All Zebra printers
- All Samsung devices
- Seiko Epson Receipt Printer M129C
- NEC Picty800 (HP OEM)
- Kyocera Mita FS 820
- Brother HL-1440 Laser Printer
- NEC Picty800 

They may be tested in Mageia2 with cups update from core_update repo ... 1.5.4-1
and then tested with cups update from core_update_testing repo 1.5.4-1.1


Same test may be done in Cauldron with cups 1.5.4

For Oden 
the patch seems to have been merged in 1.6.1 version (not in 1.6.0)
Comment 32 Philippe Didier 2012-12-18 19:27:42 CET
On the French forum
with Mageia2
 printing problems are appearing for Samsung and Canon printers...


I just added a link to this bug report inside the forum for each thread!
But I'm
not sure that every user can read English
not sure that they have a bugzilla account
not sure that they will add the update_testing repo to test

We just need to wait for them to answer on the forum.

Philippe
Comment 33 claire robinson 2012-12-19 15:58:13 CET
Still working fine here mga2 64 usb & network

Validating

Advisory: 

This update adds a patch to correct printing problems with some USB connected printers in cups 1.5.4.


SRPM: cups-1.5.4-1.1.mga2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 34 Philippe Didier 2012-12-19 19:52:00 CET
Thanks Claire ...

And apologies again!!!

There seems to be something wrong in the cups roadmap :(
cups 1.5.2 worked quite well but was replaced by cups 1.5.3 and then 1.5.4, which brought this problem with USB-connected printers
cups 1.5.4 is no more maintained except for security issues

Patches for USB were provided in distributions (ubuntu, fedora) but there won't be a 1.5.5 version with these patches merged

The new stable release is 1.6.*
The patch for the USB problem was not merged for cups 1.6.0
It has been merged for 1.6.1
but this new 1.6.1 version brings so many new bugs that packagers from Ubuntu warn not to use it!

<CUPS 1.6 has major incompatible changes. Do not use CUPS 1.6.1 on stable Ubuntu releases>

So maintainers and the QA team have to do what they can for their distribution!!!

and have to receive angry reports...
Comment 35 David Walser 2012-12-19 20:20:17 CET
Moving to CUPS 1.6 will be a ton of work that will affect many other things in the distro.  It's unlikely to happen for Mageia 3 even.  I posted a message to mageia-dev early this year about the things that need to be done for it.  See if you can find it :o)
Comment 36 Philippe Didier 2012-12-19 23:31:26 CET
Hi ! David 

It seems you were and you are still right (just seeing what happens for Ubuntu or Fedora, with the 1.6.0 and 1.6.1 versions)

And that you're even right in the case of simply updating from 1.5.2 to 1.5.4

For information: on the French forum a user had printing problems with a Canon PIXMA MG5150 too, since the last update of cups (from 1.5.2 to 1.5.4-1)

He just tried the three 5.1.4-1.1 rpms from update_testing: the problem is corrected for him too!
Unfortunately he is using a 32-bit Mageia2.


That means: as soon as the next Live DVD beta1 iso is downloadable I will test the printing system: Cauldron comes with cups 1.5.4 too :-(

Having a sensitive printer I will be a good guinea pig :)
and I promise to be less harsh ;)

But, certainly, some other patches will be needed (the USB problem was not the only one appearing when updating from 1.5.2 to 1.5.4 in other distributions)


thanks 
Best regards to all of you
Philippe
Comment 37 claire robinson 2012-12-20 09:35:41 CET
Sysadmin, please see comment 33 for push details.

Thanks.
Comment 38 Thomas Backlund 2012-12-20 23:32:08 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0244
Comment 39 Philippe Didier 2012-12-27 14:17:15 CET
Thanks to Oden

http://svnweb.mageia.org/packages?view=revision&revision=333330

This bug will no longer appear in Cauldron or in Mageia3, after having
been corrected in Mageia2 :)
Comment 40 Philippe Didier 2012-12-27 14:38:50 CET
Never ending bug report about cups 1.5.4 :-(   :

perhaps new needed patches for other printers :
http://www.cups.org/str.php?L4191
http://www.cups.org/str.php?L4217
Comment 41 Oden Eriksson 2012-12-28 13:56:05 CET
Fixed in r335824 (mga2, updates_testing, cups-1.5.4-1.2.mga2).

This is supposed to fix printing for the following printers:

Canon, Inc. PIXMA iP4200
Canon, Inc. PIXMA iP4300
Canon, Inc. MP500
Canon, Inc. MP510
Canon, Inc. MP550
Canon, Inc. MP560
Brother Industries, Ltd, HL-1430 Laser Printer
Brother Industries, Ltd, HL-1440 Laser Printer
Oki Data Corp. Okipage 14ex Printer
Oki Data Corp. B410d
Xerox Phaser 3124
All Zebra devices

Additionally a patch was added to fix printing from newer apple devices.

References:
http://www.cups.org/str.php?L4155
http://www.cups.org/str.php?L4191
http://www.cups.org/str.php?L4217
https://bugs.launchpad.net/bugs/711779

Please understand I do NOT have access to any of these devices so I cannot verify if cups-1.5.4-1.2.mga2 fixes or breaks anything.
Comment 42 Oden Eriksson 2012-12-28 14:50:58 CET
Oh, cups-1.5.4-1.2.mga2 also fixes https://bugs.mageia.org/show_bug.cgi?id=8507
Comment 43 Philippe Didier 2012-12-28 16:36:03 CET
Thanks Again Oden !

I tested these rpms 1.5.4-1.2 from updates_testing on Mageia2 32 bits

I only can say there's no regression since last 1.5.4-1.1 :

My Canon i850, which first revealed the problem when updating from 1.5.2 to 1.5.4 in Mageia2, still works correctly with this new update

I don't have any printer from the list... I can't test them better than you :-(

Bug 8507 would have appeared in an extremely rare situation: freshly installed Mageia2 from a live cd or live dvd, with update repos accepted for urpmi, before installing the print system... nevertheless it's a good idea to add this correction.

NB: these patches must be added for Cauldron too!

Indeed we can draw two lessons about cups from this:
- As far as possible, try to add security patches to the working version in the stable release (that would have meant: add security patches to cups 1.5.2 inside Mageia2)
- the cups development roadmap is a forward run without looking backward nor to the sides (in French we say "après nous le déluge"); every distribution has to add patches and patches and patches, or update to a new version with these patches merged and then discover new bugs needing new patches!


So to summarize :
update validated for Mageia2 32 bits, with a USB Canon printer 
(with patches needing to be applied in Cauldron since they have been tested on Mageia2)

the Advisory may be what you wrote:

1) This is supposed to fix printing for the following printers:

Canon, Inc. PIXMA iP4200
Canon, Inc. PIXMA iP4300
Canon, Inc. MP500
Canon, Inc. MP510
Canon, Inc. MP550
Canon, Inc. MP560
Brother Industries, Ltd, HL-1430 Laser Printer
Brother Industries, Ltd, HL-1440 Laser Printer
Oki Data Corp. Okipage 14ex Printer
Oki Data Corp. B410d
Xerox Phaser 3124
All Zebra devices

Additionally a patch was added to fix printing from newer apple devices.

and 

2) This corrects an error in the %post script which prevented cups service to be enabled after a fresh install
Comment 44 claire robinson 2013-01-05 15:13:46 CET
Still appears fine here mga2 64 so validating again.

Advisory
--------
This further update for cups should correct possible printing problems with the following printers following the update to cups 1.5.4

Canon, Inc. PIXMA iP4200
Canon, Inc. PIXMA iP4300
Canon, Inc. MP500
Canon, Inc. MP510
Canon, Inc. MP550
Canon, Inc. MP560
Brother Industries, Ltd, HL-1430 Laser Printer
Brother Industries, Ltd, HL-1440 Laser Printer
Oki Data Corp. Okipage 14ex Printer
Oki Data Corp. B410d
Xerox Phaser 3124
All Zebra devices

Additionally, patches have been added to fix printing from newer apple devices and to correct an error in the %post script which prevented the cups service from starting when freshly installed.

References:
http://www.cups.org/str.php?L4155
http://www.cups.org/str.php?L4191
http://www.cups.org/str.php?L4217
https://bugs.launchpad.net/bugs/711779
https://bugs.mageia.org/show_bug.cgi?id=8318
https://bugs.mageia.org/show_bug.cgi?id=8507
-----------------------

SRPM: cups-1.5.4-1.2.mga2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 45 Thomas Backlund 2013-01-05 22:15:16 CET
Dropping validation for another security fix...

CVE advisory:

During the process of CUPS socket activation code refactoring in favour
of systemd capability a security flaw was found in the way CUPS service
honoured Listen localhost:631 cupsd.conf configuration option. The setting
was recognized properly for IPv4-enabled systems, but failed to be correctly
applied for IPv6-enabled systems. As a result, a remote attacker could use
this flaw to obtain (unauthorized) access to the CUPS web-based administration
interface. (CVE-2012-6094)

The fix for now is to not enable IP-based systemd socket activation by default.


References:
http://seclists.org/oss-sec/2013/q1/16
https://bugzilla.novell.com/show_bug.cgi?id=795624
https://bugzilla.redhat.com/show_bug.cgi?id=891942



cups-1.5.4-1.3.mga2 sent to mga2 core/updates_testing

cups-1.5.4-7.mga3 sent to cauldron core/release
Comment 46 Thomas Backlund 2013-01-05 22:18:22 CET
Only change is this:
http://svnweb.mageia.org/packages/updates/2/cups/current/SOURCES/cups-systemd-socket.patch?r1=339325&r2=339324&pathrev=339325

 diff -up cups-1.5.0/data/cups.socket.in.systemd-socket cups-1.5.0/data/cups.socket.in
 --- cups-1.5.0/data/cups.socket.in.systemd-socket	2012-01-17 16:22:39.878857111 +0000
 +++ cups-1.5.0/data/cups.socket.in	2012-01-17 16:22:39.878857111 +0000
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,8 @@
 +[Unit]
 +Description=CUPS Printing Service Sockets
 +
 +[Socket]
 +ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
-+ListenStream=631
-+ListenDatagram=0.0.0.0:631
-+BindIPv6Only=ipv6-only
 +
 +[Install]
 +WantedBy=sockets.target
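Review bot: the [Socket] section keeps `ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@` and drops `ListenStream=631`, `ListenDatagram=0.0.0.0:631` and `BindIPv6Only=ipv6-only`, but nothing in the unit records why, so a later sync with the upstream patch could reintroduce the IP listeners; suggest a comment line in the unit (or in the patch header) naming CVE-2012-6094 and stating that network listening is left to cupsd.conf's Listen directive. The regenerated hunk header `@@ -0,0 +1,8 @@` correctly accounts for the three removed lines.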
Comment 47 claire robinson 2013-01-05 22:21:15 CET
This is getting silly.

Can we please confirm there are no other changes needed before we do this again.
Comment 48 Oden Eriksson 2013-01-05 22:45:36 CET
No, since things change all the time :-)
Comment 49 Thomas Backlund 2013-01-05 23:04:11 CET
Sorry Claire, but I thought this security fix was important enough...

No more fixes for now that I know of.

The simple test for the additional CVE "fix" is to check:

/lib/systemd/system/cups.socket

and verify that these three lines are not there anymore:

ListenStream=631
ListenDatagram=0.0.0.0:631
BindIPv6Only=ipv6-only
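As an added example (not code from the bug report, the Mageia package or the cups project), the script below automates the check Thomas describes above: it reads a cups.socket unit and flags the IP-bound listener lines that the CVE-2012-6094 interim fix removes, run here against constructed "before" and "after" units (the domain socket path is assumed; the packaged unit uses the @CUPS_DEFAULT_DOMAINSOCKET@ placeholder).

```shell
#!/bin/sh
# Added example, not code from the Mageia bug report or the cups package:
# audit a systemd cups.socket unit for IP-bound listeners. The interim fix for
# CVE-2012-6094 drops ListenStream=631, ListenDatagram=0.0.0.0:631 and
# BindIPv6Only=ipv6-only so that only cupsd's own Listen directive decides
# which addresses the web interface is reachable on.

# Constructed "before" unit (socket path assumed; the packaged unit carries the
# @CUPS_DEFAULT_DOMAINSOCKET@ placeholder instead).
VULNERABLE_UNIT='[Unit]
Description=CUPS Printing Service Sockets

[Socket]
ListenStream=/var/run/cups/cups.sock
ListenStream=631
ListenDatagram=0.0.0.0:631
BindIPv6Only=ipv6-only

[Install]
WantedBy=sockets.target'

# Constructed "after" unit: the three IP lines are gone, the domain socket stays.
FIXED_UNIT='[Unit]
Description=CUPS Printing Service Sockets

[Socket]
ListenStream=/var/run/cups/cups.sock

[Install]
WantedBy=sockets.target'

# Print every directive that makes systemd bind a TCP/UDP port on cupsd's
# behalf: a ListenStream/ListenDatagram value that is not an absolute path
# (bare port, IPv4:port or [IPv6]:port), plus any BindIPv6Only setting.
# Comment lines (# or ;) are ignored. Reads the unit on stdin; prints nothing
# when the unit is clean.
list_ip_listeners() {
    grep -Ev '^[[:space:]]*[#;]' \
        | grep -E '^[[:space:]]*(Listen(Stream|Datagram)=[[:space:]]*[^/[:space:]]|BindIPv6Only=)' \
        || true
}

# audit_cups_socket: returns 0 when the unit only activates the Unix domain
# socket, 1 (listing the offending lines on stderr) when IP socket activation
# is still enabled. Reads the unit on stdin.
audit_cups_socket() {
    offenders=$(list_ip_listeners)
    if [ -n "$offenders" ]; then
        printf 'IP socket activation still enabled:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Run against the installed unit when present (path as given in the bug report).
if [ -r /lib/systemd/system/cups.socket ]; then
    audit_cups_socket < /lib/systemd/system/cups.socket \
        && echo "cups.socket: only the domain socket is configured"
fi
```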
Comment 50 David Walser 2013-01-05 23:15:26 CET
*** Bug 8600 has been marked as a duplicate of this bug. ***
Comment 51 claire robinson 2013-01-05 23:21:04 CET
Testing complete mga2 64

Oden :P

Those lines are not there with the update applied, thanks.

Service starts/stops ok, web interface ok (http://localhost:631). Local/remote printers found ok. Printing OK.

Philippe (or anyone) can you check mga2 32 please, then it can be validated
again.
Comment 52 Philippe Didier 2013-01-05 23:49:15 CET
Oops ! cups overflowing again ! ;-)

Thanks to Thomas, Oden and Claire... with deep compassion for you, having to face this opened Pandora's jar!

OK on Mageia2 32bits  updating from :
cups-1.5.4-1.2.mga2 
cups-common-1.5.4-1.2.mga2 
libcups-1.5.4-1.2.mga2 
to :
cups-1.5.4-1.3.mga2 
cups-common-1.5.4-1.3.mga2 
libcups-1.5.4-1.3.mga2 

verifying
/lib/systemd/system/cups.socket

these three lines are not there anymore:

ListenStream=631
ListenDatagram=0.0.0.0:631
BindIPv6Only=ipv6-only

So, temporarily :
Validated for me... no regression (there couldn't be any)

See you soon ;-)
Philippe
Comment 53 claire robinson 2013-01-06 17:14:40 CET
Validating

Advisory
--------
CVE advisory:

During the process of CUPS socket activation code refactoring in favour
of systemd capability a security flaw was found in the way CUPS service
honoured Listen localhost:631 cupsd.conf configuration option. The setting
was recognized properly for IPv4-enabled systems, but failed to be correctly
applied for IPv6-enabled systems. As a result, a remote attacker could use
this flaw to obtain (unauthorized) access to the CUPS web-based administration
interface. (CVE-2012-6094)

The fix for now is to not enable IP-based systemd socket activation by default.


References:
http://seclists.org/oss-sec/2013/q1/16
https://bugzilla.novell.com/show_bug.cgi?id=795624
https://bugzilla.redhat.com/show_bug.cgi?id=891942


Further, this update should correct possible printing problems with the
following printers since the update to cups 1.5.4

Canon, Inc. PIXMA iP4200
Canon, Inc. PIXMA iP4300
Canon, Inc. MP500
Canon, Inc. MP510
Canon, Inc. MP550
Canon, Inc. MP560
Brother Industries, Ltd, HL-1430 Laser Printer
Brother Industries, Ltd, HL-1440 Laser Printer
Oki Data Corp. Okipage 14ex Printer
Oki Data Corp. B410d
Xerox Phaser 3124
All Zebra devices

Additionally, patches have been added to fix printing from newer apple devices
and to correct an error in the %post script which prevented the cups service
from starting when freshly installed.

References:
http://www.cups.org/str.php?L4155
http://www.cups.org/str.php?L4191
http://www.cups.org/str.php?L4217
https://bugs.launchpad.net/bugs/711779
https://bugs.mageia.org/show_bug.cgi?id=8318
https://bugs.mageia.org/show_bug.cgi?id=8507
-----------------------

Please push cups-1.5.4-1.3.mga2 from core/updates_testing to core/updates

Thanks!
Comment 54 Thomas Backlund 2013-01-06 23:03:45 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0004
