[Bug 447444] New: Please audit cups-pk-helper (shipped in system-config-printer)
https://bugzilla.novell.com/show_bug.cgi?id=447444

User vuntz@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=447444#c3894

           Summary: Please audit cups-pk-helper (shipped in system-config-printer)
           Product: openSUSE 11.1
           Version: Factory
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: vuntz@novell.com
         QAContact: qa@suse.de
            Blocks: 439286
          Found By: ---

As requested by Ludwig in bug 439286, here's a bug to get cups-pk-helper audited. I'm sorry this comes so late -- I thought the requirement was known and that something was already going on :/

cups-pk-helper is a small PolicyKit helper that offers a dbus interface to configure cups. There are around 3000 lines of C code (using glib and cups). Various PolicyKit actions are now available, to help with the various configuration needs (e.g., configure local printers without a password).

Note: please review version 0.0.3 -- old versions don't have some checks for arguments passed over dbus. It's available in GNOME:Factory and waiting for review in the openSUSE:Factory queue (submission #3894).

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=447444

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=447444#c1

Ludwig Nussel <lnussel@novell.com> changed:

    What    | Removed                                                         | Added
    --------+-----------------------------------------------------------------+------------------------
    Summary | Please audit cups-pk-helper (shipped in system-config-printer)  | AUDIT-0: cups-pk-helper

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2008-11-21 01:05:37 MST ---
the audit will quite certainly not be finished in time for 11.1 anymore

https://bugzilla.novell.com/show_bug.cgi?id=447444

Marcus Meissner <meissner@novell.com> changed:

    What     | Removed   | Added
    ---------+-----------+------------
    Priority | P5 - None | P3 - Medium

https://bugzilla.novell.com/show_bug.cgi?id=447444

User krahmer@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=447444#c4

Sebastian Krahmer <krahmer@novell.com> changed:

    What       | Removed               | Added
    -----------+-----------------------+-------------------
    Status     | NEW                   | ASSIGNED
    CC         |                       | krahmer@novell.com
    AssignedTo | security-team@suse.de | krahmer@novell.com

--- Comment #4 from Sebastian Krahmer <krahmer@novell.com> 2009-01-26 04:02:47 MST ---
will have a look

https://bugzilla.novell.com/show_bug.cgi?id=447444

User krahmer@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=447444#c5

Sebastian Krahmer <krahmer@novell.com> changed:

    What       | Removed            | Added
    -----------+--------------------+-----------------
    AssignedTo | krahmer@novell.com | vuntz@novell.com

--- Comment #5 from Sebastian Krahmer <krahmer@novell.com> 2009-03-30 03:54:33 MDT ---
Eventually, I found some time to finish this. The code itself has good quality and I don't see any problems with it like overflows, races or alike.

However, the security of our cups setup in future will depend very much on the configuration of the PolicyKit rules for cups and its helpers. If you allow users to add stuff to cups config w/o requiring admin password you are probably toast. This is since I see inlining problems here which you probably can't filter out all. This is due to the internal parsing of CUPS' config-files inside cups itself. Config-files are parsed line by line, by reading in a buffer of 1024 (or HTTPMAX_BUFFER, depending whether it reads config or printers file etc.) bytes. For cups after this chunk a new line begins. No matter of \n.

So imagine if you submit a config-tag that has junk until 1024th byte, you can add a "Include" or any other evil option to it which will receive cups-config-parser like it was entered in a new line. So, in effect, even though you correctly filter out \n characters via g_ascii_isprint(), you have the chance to 'fake' cups a newline and arbitrary config-options. If you can do this as user you can trick it to load evil filters, obtaining root privs.

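The parsing behaviour described in comment #5, as an added example that is not part of the original thread and is not cups-pk-helper or CUPS code: a simplified model of a line reader with the 1024-byte buffer mentioned above, next to a length check a helper could apply in addition to the printable-character filter. The function names, the `Info` directive used as constructed sample input, and the fgets-style read semantics are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define LINE_BUF 1024u /* parser buffer size quoted in comment #5 */

/* Model: how many "lines" an fgets-style reader with a buf_size buffer
 * returns for text; each read ends after '\n' or after buf_size-1 bytes. */
size_t reads_seen(const char *text, size_t buf_size)
{
    size_t reads = 0;
    for (; *text; reads++) {
        size_t n = 0;
        while (text[n] && n < buf_size - 1)
            if (text[n++] == '\n')
                break;
        text += n;
    }
    return reads;
}

/* Helper-side check: printable ASCII (isprint, default "C" locale) and
 * the whole "directive value\n" line must fit in one parser read. */
int value_is_safe(const char *directive, const char *value)
{
    for (const char *p = value; *p; p++)
        if (!isprint((unsigned char)*p))
            return 0;
    return strlen(directive) + 1 + strlen(value) + 1 <= LINE_BUF - 1;
}

/* Constructed sample input: a value made of value_len 'A' bytes. */
struct probe_result { size_t reads; int safe; };
struct probe_result probe(const char *directive, size_t value_len)
{
    static char value[4096], line[8192];
    if (value_len >= sizeof value) value_len = sizeof value - 1;
    memset(value, 'A', value_len);
    value[value_len] = '\0';
    snprintf(line, sizeof line, "%s %s\n", directive, value);
    return (struct probe_result){ reads_seen(line, LINE_BUF),
                                  value_is_safe(directive, value) };
}

int main(void)
{
    size_t lens[] = { 14, 1017, 1018, 1500 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        struct probe_result r = probe("Info", lens[i]);
        printf("len=%zu reads=%zu accepted=%d\n", lens[i], r.reads, r.safe);
    }
    return 0;
}
```

A value passes the character filter at every length shown; only the length check separates the lines the model parser consumes in one read from those it consumes in two.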