https://bugzilla.novell.com/show_bug.cgi?id=447444

User krahmer@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=447444#c5

Sebastian Krahmer <krahmer@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|krahmer@novell.com          |vuntz@novell.com

--- Comment #5 from Sebastian Krahmer <krahmer@novell.com>  2009-03-30 03:54:33 MDT ---
Eventually, I found some time to finish this.
The code itself has good quality and I don't see any problems with it
like overflows, races or alike.
However, the security of our cups setup in future will depend very
much on the configuration of the PolicyKit rules for cups and its helpers.
If you allow a user to add stuff to cups config w/o requiring admin password
you are probably toast. This is since I see inlining problems here which you
probably can't filter out all. This is due to the internal parsing
of CUPS' config-files inside cups itself.

config-files are parsed line by line, by reading in a buffer of 1024
(or HTTPMAX_BUFFER, depending whether it reads config or printers file
etc.) bytes. For cups after this chunk a new line begins. No matter of \n.
So imagine if you submit a config-tag that has junk until 1024th byte,
you can add a "Include" or any other evil option to it which will receive
cups-config-parser like it was entered in a new line.

So, in effect, even though you correctly filter out \n characters via
g_ascii_isprint(), you have the chance to 'fake' cups a newline and
arbitrary config-options. If you can do this as user you can trick it
to load evil filters, obtaining root privs.
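The length problem described in comment #5 can be closed on the helper side by bounding the whole line, not only its characters. This is an added example, not code from the bug report or from the helper under review; `check_config_line()`, the enum, the `SAFE_LINE_MAX` margin and the local `ascii_isprint()` (standing in for `g_ascii_isprint()`) are assumptions, and the 1024-byte figure is taken from the comment.

```c
#include <stddef.h>
#include <string.h>

/* Smallest line buffer named in the comment (1024 bytes); assumed here
 * to be the limit that every written line must respect. */
#define CUPS_LINE_BUF 1024
/* Assumed margin: room for the newline and terminating NUL, so the check
 * does not depend on the reader's exact off-by-one behaviour. */
#define SAFE_LINE_MAX (CUPS_LINE_BUF - 2)

enum check_result { CHECK_OK = 0, CHECK_EMPTY, CHECK_NONPRINT, CHECK_TOO_LONG };

/* Locale-independent printable-ASCII test (0x20..0x7e). */
static int ascii_isprint(unsigned char c)
{
    return c >= 0x20 && c <= 0x7e;
}

/* Validate a "Directive value" pair before it is written as ONE line.
 * Filtering control characters alone is not enough: a printable value
 * long enough to spill past the reader's buffer is read back as two
 * lines, so the combined length is bounded as well. */
enum check_result check_config_line(const char *directive, const char *value)
{
    if (directive == NULL || value == NULL || directive[0] == '\0')
        return CHECK_EMPTY;

    size_t dlen = strlen(directive);
    size_t vlen = strlen(value);

    /* The directive name must be printable and must not contain a space. */
    for (size_t i = 0; i < dlen; i++)
        if (!ascii_isprint((unsigned char)directive[i]) || directive[i] == ' ')
            return CHECK_NONPRINT;

    /* The value must be printable ASCII (rejects \n, \r, NUL-adjacent junk). */
    for (size_t i = 0; i < vlen; i++)
        if (!ascii_isprint((unsigned char)value[i]))
            return CHECK_NONPRINT;

    /* Line as written is directive + ' ' + value; compare without overflow. */
    if (dlen >= SAFE_LINE_MAX || vlen > SAFE_LINE_MAX - dlen - 1)
        return CHECK_TOO_LONG;

    return CHECK_OK;
}
```

Rejecting the request is safer than truncating it, since a truncated value still ends up in a root-owned config file in a form the user chose.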