Bugzilla – Bug 64370
VUL-0: CVE-2004-1270: lppasswd might corrupt cups passwd file
Last modified: 2021-10-27 15:21:52 UTC
We received the following report. The issue is public. The mentioned attachment was not included as we didn't receive the original mail, but as upstream apparently was notified they may have it.

From djb@cr.yp.to Wed Dec 15 14:23:07 2004
Date: 15 Dec 2004 08:30:45 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, cups@easysw.com
Subject: [local] [kill] CUPS 1.1.22 lppasswd ignores write errors, etc.

Bartlomiej Sieka, a student in my Fall 2004 UNIX Security Holes course, has discovered several security problems in how lppasswd, version 1.1.22 (current), edits /usr/local/etc/cups/passwd. I'm publishing this notice, but all the discovery credits should be assigned to Sieka.

First, lppasswd blithely ignores write errors in fputs(line,outfile) at lines 311 and 315 of lppasswd.c, and in fprintf(...) at line 346. An attacker who fills up the disk at the right moment can arrange for /usr/local/etc/cups/passwd to be truncated.

Second, if lppasswd bumps into a file-size resource limit while writing passwd.new, it leaves passwd.new in place, disabling all subsequent invocations of lppasswd. Any local user can thus disable lppasswd by running the attached program 63.c.

Third, line 306 of lppasswd.c prints an error message to stderr but does not exit. This is not a problem on systems that ensure that file descriptors 0, 1, and 2 are open for setuid programs, but it is a problem on other systems; lppasswd does not check that passwd.new is different from stderr, so it ends up writing a user-controlled error message to passwd if the user closes file descriptor 2.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
Created attachment 27214: 63.c
can be handled after xmas break.
======================================================
Candidate: CAN-2004-1268
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1268
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/cups2.txt

lppasswd in CUPS 1.1.22 ignores write errors when modifying the CUPS passwd file, which allows local users to corrupt the file by filling the associated file system and triggering the write errors.

======================================================
Candidate: CAN-2004-1269
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1269
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/cups2.txt

lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it encounters a file-size resource limit while writing to passwd.new, which causes subsequent invocations of lppasswd to fail.

======================================================
Candidate: CAN-2004-1270
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1270
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/cups2.txt

lppasswd in CUPS 1.1.22, when run in environments that do not ensure that file descriptors 0, 1, and 2 are open when lppasswd is called, does not verify that the passwd.new file is different from STDERR, which allows local users to control output to passwd.new via certain user input that triggers an error message.
Fixed in: 8.1 (UL1, NLD, SLES8), 8.2, 9.0, 9.1
Not affected: 9.2

New packages submitted. Not much tested. security-team please handle rest of update process ==> reassigning it
`patchinfo-box.cups' -> `/work/src/done/PATCHINFO/patchinfo-box.cups'
`patchinfo-9.2.cups' -> `/work/src/done/PATCHINFO/patchinfo-9.2.cups'
`patchinfo.cups' -> `/work/src/done/PATCHINFO/patchinfo.cups'
as root:
  lppasswd -a tux
  <enter password twice>

as tux:
  ./63
  <enter old password>
  <enter new password twice>
  ls -la /etc/cups/passwd.new     (exists)
  lppasswd
  <enter old password>
  <enter new password twice>
  lppasswd: Password file busy!

The last message should not appear after the update; /etc/cups/passwd.new should not exist.
The fix is broken. If no /etc/cups/passwd.* is there, lppasswd -a tux does not work.

# lppasswd -a tux
Enter password:
Enter password again:
lppasswd: failed to backup old password file: No such file or directory
#
Cannot reproduce. :(

# rm /etc/cups/passwd.*
# lppasswd -a klaus
Enter password:
Enter password again:
# ll /etc/cups/passwd.*
4 -r-------- 1 lp root 43 Jan 27 11:40 /etc/cups/passwd.md5

I tried the patches with a SuLi 9.2-i386 (hostname: lavoisier.suse.de). What's your setup?
Happens for instance on SLES9; feel free to use the sles9-ppc host "grape".
Fixed the problem and checked it. Submitted new packages. security-team please handle rest of update process ==> reassigning it.
Already submitted fixed patchinfos.
Packages approved.
CVE-2004-1270: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)