Bug 795624 - (CVE-2012-6094) CVE-2012-6094: systemd socket activation sometimes breaks cups printing
(CVE-2012-6094)
CVE-2012-6094: systemd socket activation sometimes breaks cups printing
Status: RESOLVED DUPLICATE of bug 857372
Classification: openSUSE
Product: openSUSE 12.2
Classification: openSUSE
Component: Printing
Final
x86-64 openSUSE 12.2
: P5 - None : Major (vote)
: ---
Assigned To: Cristian Rodríguez
Johannes Meixner
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-12-21 11:02 UTC by Bernhard Wiedemann
Modified: 2014-01-30 08:20 UTC (History)
4 users (show)

See Also:
Found By: Community User
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bernhard Wiedemann 2012-12-21 11:02:57 UTC
on an IPv6-enabled system with a remote IPP printer,
but a local cups queue
cups sometimes stops printing (after finishing a job?)
keeping new jobs in the queue forever.

netstat -tanp|grep 631
tcp        0      0 127.0.0.1:631       0.0.0.0:*      LISTEN      842/cupsd
tcp        0      0 :::631              :::*           LISTEN      1/init
shows in these cases that init (systemd-44-10.4.1.x86_64) 
is holding the half of the TCP sockets

an rccups restart does not help, but
systemctl stop cups.socket ; rccups restart

made it work, in which case netstat had
tcp        0      0 127.0.0.1:631       0.0.0.0:*      LISTEN      4569/cupsd
tcp        0      0 ::1:631             :::*           LISTEN      4569/cupsd


also possibly a security issue: init is listening on the :: ANY addr
Comment 1 Johannes Meixner 2012-12-21 11:20:50 UTC
I have no knowledge how this systemd feature internally
works and/or how it is actually implemented in CUPS.

It was provided as patch by crrodriguez@opensuse.org,
see the cups RPM changelog entries.
Comment 2 Johannes Meixner 2012-12-21 11:24:15 UTC
What does "cups sometimes stops printing" actually mean?

Does the cupsd somehow "stop" (i.e. no longer work or even crach
or whatever) or gets only the print queue stopped so that
via this one print queue no longer jobs get printed?
Comment 3 Bernhard Wiedemann 2012-12-21 15:33:22 UTC
I could still queue jobs for printing from firefox
and lpq would show them and lprm would delete them,
but they would not start to be actually printed
Comment 4 Frederic Crozat 2013-01-04 11:06:43 UTC
it looks like Fedora folks dropped the IP binding :

http://pkgs.fedoraproject.org/cgit/cups.git/commit/cups-systemd-socket.patch?id=6ef39188975c03f6132a98c8cad20ce80b3d95d9

I've asked some RH people who can access the bug about it..
Comment 5 Frederic Crozat 2013-01-04 11:49:50 UTC
got information from RH folks (they'll see if they can open the bug report):
"My experience with it is that it can't really be made to work well due to the way cupsd handles IPv4 vs IPv6 sockets, so I removed the IP socket activation in Fedora until that can be revisited"

I suggest we do the same, by removing:

ListenStream=631
ListenDatagram=0.0.0.0:631
BindIPv6Only=ipv6-only

from cups.socket
Comment 7 Sebastian Krahmer 2013-01-07 11:25:40 UTC
got CVE-2012-6094
Comment 8 Michal Vyskocil 2013-01-09 15:18:19 UTC
changing assignee to jsmeix, because this has to be fixed in cups package
Comment 9 Johannes Meixner 2013-01-09 15:20:33 UTC
Michal Vyskocil,
did you read my comment#1 ?
Comment 10 Cristian Rodríguez 2013-01-09 15:32:36 UTC
OK.. I will check this one...
Comment 11 Johannes Meixner 2013-01-09 15:47:03 UTC
Cristian Rodríguez,
very many thanks for your contribution!

Right now I have added you as maintainer for the
package cups in the "Printing" project so that
you can directly work on CUPS there.

I have one wish when you work on cups in "Printing":

Have in mind that cups in the Printing project is not only
built for Factory but also for SLE11 SLE11-SP1 SLE11-SP2
and openSUSE 11.4 12.1 12.2 and Tumbleweed.

If you apply changes that are not fully backward compatible
you must implement them in a conditional way in the spec file
only for Factory and/or where it does actually work.
Comment 12 Johannes Meixner 2014-01-30 08:20:35 UTC
I think this issue here is meanwhile obsoleted since
https://bugzilla.novell.com/show_bug.cgi?id=857372#c61
and subsequent comments.

Bernhard Wiedemann,
see in particular
https://bugzilla.novell.com/show_bug.cgi?id=857372#c75
in short:
Please update cups with the cups packages in OBS project "Printing"
and report whether or not it works for you.

*** This bug has been marked as a duplicate of bug 857372 ***