Bug 33278 - cups: Privilege Escalation
cups: Privilege Escalation
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.0
Other Linux
: P3 normal (vote)
: UCS 4.0
Assigned To: Felix Botner
Janek Walkenhorst
: interim-3
Depends on:
  Show dependency treegraph
Reported: 2013-11-12 11:10 CET by Moritz Muehlenhoff
Modified: 2014-11-26 06:55 CET (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2013-11-12 11:10:30 CET
+++ This bug was initially created as a clone of Bug #29197 +++

Mitglieder der Gruppe lpadmin können über das Cups-Webinterface Root-Rechte
erlangen (CVE-2012-5519)

The group is empty by default, so this should only affect special UCS setups.

The fix provided in http://www.debian.org/security/2013/dsa-2600 is not directly applicable to UCS: 

It splits some configuration options from /etc/cups/cupsd.conf into a separate cups-files.conf, which can can be edited by root. We would need to modify that in the UCR templates, which should rather be done for 3.2

The patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791#46 is another alternative; is disallows editing of /etc/cups/cupsd.conf from the web interface (which trashes the setting written from the template, so it's the better fix anyway).
Comment 1 Moritz Muehlenhoff univentionstaff 2014-07-15 07:50:00 CEST
This will be fixed in 4.0 when we update the UCR templates for CUPS to the new version in Wheezy.
Comment 2 Felix Botner univentionstaff 2014-10-16 10:52:51 CEST
Update config (cupsd.conf, cups-files.conf, cups-pdf.conf)files.
Comment 3 Janek Walkenhorst univentionstaff 2014-11-11 16:43:54 CET
OK: only cupsd.conf editable.
Changelog: OK
Comment 4 Stefan Gohmann univentionstaff 2014-11-26 06:55:01 CET
UCS 4.0-0 has been released:

If this error occurs again, please use "Clone This Bug".