SecurityTracker.com Archives - (Gentoo Issues Fix) CUPS Log Files May Disclose User Passwords to Local Users

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > CUPS (Common UNIX Printing System)

Vendors: Easy Software Products

(Gentoo Issues Fix) CUPS Log Files May Disclose User Passwords to Local Users

SecurityTracker Alert ID: 1011579

SecurityTracker URL: http://securitytracker.com/id?1011579

CVE Reference: CAN-2004-0923 (Links to External Site)

Date: Oct 9 2004

Impact: Disclosure of authentication information

Fix Available: Yes Vendor Confirmed: Yes

Version(s): prior to 1.1.20-r3

Description: A vulnerability was reported in CUPS. A local user may be able to view passwords.

Apple reported that a local user may be able to view user passwords (used for authenticating remote print jobs) in the log files for the printing system.

The vendor credits Gary Smith of the IT Services department at Glasgow Caledonian University with reporting this flaw.

[Editor's note: It is not clear if this affects the upstream CUPS version or if it is specific to Apple's configuration.]

Impact: A local user may be able to view passwords used during printing.

Solution: Gentoo has released a fix and indicates that all CUPS users should upgrade to the latest version:

# emerge sync

# emerge -pv ">=net-print/cups-1.1.20-r3"
# emerge ">=net-print/cups-1.1.20-r3"

Vendor URL: www.cups.org/ (Links to External Site)

Cause: Access control error

Underlying OS: Linux (Gentoo)

Reported By: Kurt Lieber <klieber@gentoo.org>

Message History: This archive entry is a follow-up to the message listed below.

Oct 4 2004

CUPS Log Files May Disclose User Passwords to Local Users

Source Message Contents

Date: Sat, 9 Oct 2004 13:22:13 +0000
From: Kurt Lieber <klieber@gentoo.org>
Subject: [gentoo-announce] [ GLSA 200410-06 ] CUPS: Leakage of sensitive information

 


--Vl2Kt1BVI5g15hg1
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: CUPS: Leakage of sensitive information
      Date: October 09, 2004
      Bugs: #66501
        ID: 200410-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

CUPS leaks information about user names and passwords when using remote
printing to SMB-shared printers which require authentication.

Background
==========

The Common UNIX Printing System (CUPS) is a cross-platform print
spooler.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /   Vulnerable   /                     Unaffected
    -------------------------------------------------------------------
  1  net-print/cups     <= 1.1.20-r2                     *>= 1.1.20-r3
                        == 1.1.21                         >= 1.1.21-r1

Description
===========

When printing to a SMB-shared printer requiring authentication, CUPS
leaks the user name and password to a logfile.

Impact
======

A local user could gain knowledge of sensitive authentication data.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All CUPS users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=net-print/cups-1.1.20-r3"
    # emerge ">=net-print/cups-1.1.20-r3"

References
==========

  [ 1 ] CAN-2004-0923
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0923

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

--Vl2Kt1BVI5g15hg1
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBZ+YFJPpRNiftIEYRAjp/AJ0QIfvFaBlVs59BgA73zlP23zyjDgCfZxmU
BJ4XJiaORm1/9U7nnvbwYgw=
=Qz0P
-----END PGP SIGNATURE-----

--Vl2Kt1BVI5g15hg1--

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2004, SecurityGlobal.net LLC