Bugzilla – Bug 601830
VUL-1: cups CSRF
Last modified: 2018-10-19 18:07:23 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. This issue is not public yet, please keep any information about it inside SUSE. Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

------------------------------------------------------------------------------
Date: Fri, 30 Apr 2010 10:10:09 -0700
From: Drew Yao <ayao@apple.com>
Subject: [vendor-sec] CVE-2010-0540: CUPS CSRF

Hello,

We're fixing an issue in CUPS. Our draft description is as follows:

----------------------
CUPS

CVE-ID: CVE-2010-0540

Impact: Visiting a maliciously crafted website while logged into the CUPS web interface as an administrator may lead to CUPS being reconfigured

Description: A cross-site request forgery issue exists in the CUPS web interface. Visiting a maliciously crafted website while logged into the CUPS web interface as an administrator may lead to CUPS being reconfigured. This issue is addressed by requiring web form submissions to include an unpredictable session token. Credit to Adrian 'pagvac' Pastor of GNUCITIZEN, and Tim Starling for reporting this issue.
----------------------

The CUPS web interface allows you to edit cupsd.conf and manipulate print queues and jobs. If an authenticated administrator visits an attacker's website, the attacker can disable the cupsd process (denial of service), change the cupsd configuration to allow for remote and/or unauthenticated access, access print jobs and other system files, overwrite system files, redirect print jobs to different destinations, and so forth.

All versions of CUPS since 1.1.0 are vulnerable to this kind of attack, although remote configuration of cupsd.conf was not introduced until CUPS 1.2.0. This issue is fixed in CUPS 1.4.4.

Steps to reproduce:
Go to http://localhost:631/admin in your browser.
Check or uncheck a server setting and click on Change Settings.
Enter the name and password for an admin.
Open the attached cupscsrf2.html in your browser.

Not fixed: Afterwards all the settings in http://localhost:631/admin are checked.
Fixed: You'll be redirected to http://localhost:631/admin and no changes were made to the settings.

CUPS is tracking this as http://www.cups.org/str.php?L3498

Patches for 1.3 and 1.4 are attached.
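The check the fix relies on, as an added C example and not CUPS's own code: a form is processed only when the session cookie is present and the submitted hidden field carries the identical value, which a page on another origin cannot read. The cookie name org.cups.sid is CUPS's; reusing it as the hidden field name and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Cookie name used by CUPS for the session token; the hidden form
 * field is assumed to carry the same name in this example. */
#define CUPS_SID "org.cups.sid"

/* Copy the value of cookie "name" from a Cookie header into out.
 * Returns 1 if found and non-empty, 0 otherwise. */
static int cookie_get(const char *header, const char *name,
                      char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, ";");
            if (vlen == 0 || vlen >= outlen) return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = strchr(p, ';');          /* skip to the next cookie */
    }
    return 0;
}

/* Constant-time comparison so a mismatch does not leak token bytes. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Double-submit token check: returns 1 when the form may be processed,
 * 0 when it must be rejected (missing cookie, missing or wrong token).
 * A cross-site request carries the cookie but cannot know its value,
 * so it cannot fill in the matching form field. */
int csrf_check(const char *cookie_header, const char *form_sid)
{
    char sid[65];                    /* room for a 32-hex-digit MD5 token */
    if (!cookie_header || !form_sid || !*form_sid) return 0;
    if (!cookie_get(cookie_header, CUPS_SID, sid, sizeof sid)) return 0;
    return ct_equal(sid, form_sid);
}
```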
Hello,

On Fri, 2010-04-30 at 10:10 -0700, Drew Yao wrote:
> Hello,
>
> We're fixing an issue in CUPS. Our draft description is as follows:
>
> ----------------------
> CUPS
>
> CVE-ID: CVE-2010-0540
<snip>
> Patches for 1.3 and 1.4 are attached.
>

A problem with the 1.4 patch was uncovered in testing. On the admin page, the "Cancel RSS Subscription" button no longer works. Here is a patch that adds the missing session token. Curiously, the token isn't missing in the localized templates.

Thanks,
Marc.
Created attachment 369445 [details] rss regression patch ...
It seems this CUPS STR http://www.cups.org/str.php?L3593 is another regression which seems to be fixed via this patch: ---------------------------------------------------------------------------- diff -durN cups-str3498/cgi-bin/var.c cups-CVE-2010-0540/cgi-bin/var.c --- cups-str3498/cgi-bin/var.c 2010-05-28 14:49:56.172012590 +0100 +++ cups-CVE-2010-0540/cgi-bin/var.c 2010-05-28 14:50:12.803012632 +0100 @@ -1210,7 +1210,7 @@ _cupsMD5Append(&md5, (unsigned char *)buffer, (int)strlen(buffer)); _cupsMD5Finish(&md5, sum); - cgiSetCookie(CUPS_SID, httpMD5String(sum, sid), "/", server_name, 0, 0); + cgiSetCookie(CUPS_SID, httpMD5String(sum, sid), "/", NULL, 0, 0); return (cupsGetOption(CUPS_SID, num_cookies, cookies)); } ----------------------------------------------------------------------------
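Review bot: The hunk's only change is passing NULL instead of server_name as the domain argument of cgiSetCookie(), but nothing in the diff records why; a one-line comment above the call would help. The visible effect is that the CUPS_SID cookie no longer carries an explicit Domain attribute, so the browser scopes it to whatever host it actually connected to; with server_name as the domain, a browser that reached the admin page under a different name (e.g. localhost) would not return the cookie, and every form submission would then fail the new session-token check, which is the regression the comment above attributes to STR #3593.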
CUPS 1.4.4 is released now. I will submit it to openSUSE:Factory.
Submitted CUPS 1.4.4 to openSUSE:Factory via submitrequest 41699 I did some basic tests and CUPS 1.4.4 works well for me on my openSUSE 11.3 RC 1 (x86_64) system.
Created attachment 370092 [details] CHANGES_IN_CUPS_V1.4.4 FYI: So that you can better decide whether or not to accept submitrequest 41699 Printing/cups -> openSUSE:Factory, here are the changes in CUPS 1.4.4.
Fixed via CUPS 1.4.4 for openSUSE:Factory / openSUSE 11.3 "maint:planned:update" => nothing else to do for now => lowering priority again
I verified that the regression in comment #8 does not happen for me with CUPS 1.3.9 with fixes for CUPS STR#3498 and CUPS STR#3593 (i.e. the regression in comment #8 really only happens for CUPS 1.4.x).
done
Update released for: cups, cups-client, cups-debuginfo, cups-devel, cups-libs, cups-libs-32bit, cups-libs-64bit, cups-libs-x86 Products: SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: cups, cups-client, cups-debuginfo, cups-debugsource, cups-devel, cups-libs, cups-libs-32bit, cups-libs-x86 Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: cups, cups-client, cups-debuginfo, cups-devel, cups-libs, cups-libs-32bit, cups-libs-64bit, cups-libs-x86 Products: SLE-SAP-APL 10-SP3 (x86_64) SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP3-TERADATA (x86_64)
This is an autogenerated message for OBS integration: This bug (601830) was mentioned in https://build.opensuse.org/request/show/41699 Factory / cups https://build.opensuse.org/request/show/53777 11.2:Test / cups