SecurityTracker.com
Category:  Application (Generic)  >  CUPS (Common UNIX Printing System)
Vendors:  Easy Software Products
(Mandrake Issues Fix) CUPS Log Files May Disclose User Passwords to Local Users
SecurityTracker Alert ID:  1011886
SecurityTracker URL:  http://securitytracker.com/id?1011886
CVE Reference:  CAN-2004-0923
Date:  Oct 22 2004
Impact:  Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Description:  A vulnerability was reported in CUPS. A local user may be able to view passwords.

Apple reported that a local user may be able to view user passwords (used for authenticating remote print jobs) in the log files for the printing system.

The vendor credits Gary Smith of the IT Services department at Glasgow Caledonian University with reporting this flaw.

[Editor's note: It is not clear if this affects the upstream CUPS version or if it is specific to Apple's configuration.]

Impact:  A local user may be able to view passwords used during printing.
Solution:  Mandrake has released a fix.


Vendor URL:  www.cups.org/
Cause:  Access control error
Underlying OS:  Linux (Mandrake)
Underlying OS Comments:  10.0, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2
Reported By:  Mandrake Linux Security Team <security@linux-mandrake.com>
Message History:   This archive entry is a follow-up to the message listed below.
Oct 4 2004 CUPS Log Files May Disclose User Passwords to Local Users



 Source Message Contents

Date:  22 Oct 2004 03:03:09 -0000
From:  Mandrake Linux Security Team <security@linux-mandrake.com>
Subject:  [Security Announce] MDKSA-2004:116 - Updated cups packages fix

 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           cups
 Advisory ID:            MDKSA-2004:116
 Date:                   October 21st, 2004

 Affected versions:	 10.0, 9.2, Corporate Server 2.1,
			 Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 Chris Evans discovered numerous vulnerabilities in the xpdf package, 
 which also affect software using embedded xpdf code:
 
 Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0.
 Also programs like cups which have embedded versions of xpdf.
 These can result in writing an arbitrary byte to an attacker controlled
 location which probably could lead to arbitrary code execution.
 (CAN-2004-0888)
 
 Also, when CUPS debugging is enabled, device URIs containing username 
 and password end up in error_log.  This information is also visible via 
 "ps". (CAN-2004-0923) 
 
 The updated packages are patched to protect against these
 vulnerabilities.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0923
  http://www.cups.org/str.php?L920
 ______________________________________________________________________

 Updated Packages:
  
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain the
 GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBeHhtmqjQ0CJFipgRApe4AJ49l+Mk3uhuHR/dc9bADAIOOpht2gCg5U26
xs17BzSOHPyi+u4v7h5ciq8=
=kGLV
-----END PGP SIGNATURE-----
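
A defender's check for the CAN-2004-0923 exposure described in the advisory (debug logging enabled, device URIs with username and password written to error_log), as an added example that is not part of the advisory or of CUPS. The cupsd.conf fragment and log lines are constructed samples in an approximate log layout, and all function names are hypothetical.

```python
import re

# Device URI carrying credentials: scheme://user:password@host/...
# A plain host:port URI (ipp://host:631/...) must not match, so the
# password part may not contain '/' and must be followed by '@'.
CRED_URI = re.compile(
    r"\b([a-z][a-z0-9+.-]*)://([^\s:/@]+):([^\s@/]+)@([^\s/]+)", re.I)
DEBUG_LEVELS = {"debug", "debug2"}  # cupsd LogLevel values with debug detail

def log_level(conf_text):
    """Return the LogLevel set in cupsd.conf text, or None if unset.
    Assumption of this sketch: the last LogLevel line is the one reported."""
    level = None
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments
        if len(parts) == 2 and parts[0].lower() == "loglevel":
            level = parts[1].lower()
    return level

def debug_logging_enabled(conf_text):
    return log_level(conf_text) in DEBUG_LEVELS

def redact(line):
    """Mask the password of every credential-bearing URI in a line."""
    return CRED_URI.sub(
        lambda m: f"{m.group(1)}://{m.group(2)}:<redacted>@{m.group(4)}", line)

def scan(lines):
    """Return (line_number, redacted_line) for lines exposing a password."""
    return [(n, redact(line.rstrip("\n")))
            for n, line in enumerate(lines, 1) if CRED_URI.search(line)]

# Constructed sample input (not taken from a real system)
SAMPLE_CONF = "# constructed cupsd.conf fragment\nLogLevel debug\n"
SAMPLE_LOG = [
    "D [22/Oct/2004:10:15:02 +0000] device URI smb://alice:S3cretPw@printsrv/laser1",
    "I [22/Oct/2004:10:15:03 +0000] Job 42 queued on 'laser1' by 'alice'.",
    "D [22/Oct/2004:10:15:04 +0000] device URI ipp://printsrv:631/printers/laser2",
]

if __name__ == "__main__":
    print("debug logging enabled:", debug_logging_enabled(SAMPLE_CONF))
    for n, line in scan(SAMPLE_LOG):
        print(f"error_log line {n}: {line}")
```

Because the advisory notes the same URIs are visible via "ps", `scan()` can be fed the lines of a process listing as well as error_log; any password it finds should be treated as exposed and rotated.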



Copyright 2004, SecurityGlobal.net LLC