SecurityTracker.com
SecurityTracker Archives

Category:  Application (Generic)  >  CUPS (Common UNIX Printing System)
Vendors:  Easy Software Products
(Red Hat Issues Fix) CUPS Log Files May Disclose User Passwords to Local Users
SecurityTracker Alert ID:  1011904
SecurityTracker URL:  http://securitytracker.com/id?1011904
CVE Reference:  CAN-2004-0923   (Links to External Site)
Date:  Oct 23 2004
Impact:  Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Description:  A vulnerability was reported in CUPS. A local user may be able to view passwords.

Apple originally reported that a local user may be able to view user passwords (used for authenticating remote print jobs) in the log files for the printing system.

The vendor credits Gary Smith of the IT Services department at Glasgow Caledonian University with reporting this flaw.

[Editor's note: Red Hat's advisory, reproduced below, confirms that the flaw is in CUPS itself rather than being specific to Apple's configuration. When CUPS is set up to print to a printer shared via Samba, it authenticates to the share with a username and password, and by default that username and password are written into the CUPS error log. Any local user who can read the error log can collect them. Red Hat's fix is in the cups-1.1.17-13.3.16 packages for Red Hat Enterprise Linux 3 listed below.]

Impact:  A local user who can read the CUPS error log may obtain the username and password used to authenticate to a Samba-shared printer.
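The check an administrator would want for this flaw, and the form the log line should have taken, as an added example that is not code from CUPS, Apple or Red Hat. It scans error_log text for device URIs that carry a user name and password (the smb://user:password@host/share form CUPS uses for its Samba backend, described in the Red Hat advisory reproduced below), reports which accounts are exposed without echoing the password, rewrites such lines with the password masked, and flags an error_log whose mode lets group or other users read it. The sample log lines are constructed to resemble the CUPS 1.1 error_log layout and are not real data; the log path /var/log/cups/error_log is assumed to be the Red Hat default.

```python
"""Find Samba printer credentials in a CUPS error_log and show how the log
lines should have been written.

Added example, not code from CUPS, Apple or Red Hat.  SAMPLE_LOG is
constructed to resemble the CUPS 1.1 error_log layout; the credentials and
hosts in it are invented.  The Red Hat default log path is an assumption.
"""
import os
import re
import stat

ERROR_LOG = "/var/log/cups/error_log"   # assumed default location

# scheme://authority[/path].  The authority runs to the next '/', whitespace
# or ')'; its userinfo, if present, ends at the LAST '@', so a password that
# itself contains '@' or ':' is still split correctly.  Passwords containing
# an unescaped '/' are outside what this matcher handles.
_URI_RE = re.compile(r"\b([a-z][a-z0-9+.-]*)://([^/\s)]+)(/[^\s)]*)?", re.I)


def split_userinfo(authority):
    """Return (userinfo, hostport); userinfo is None when the URI has none."""
    at = authority.rfind("@")
    if at == -1:
        return None, authority
    return authority[:at], authority[at + 1:]


def _redact(m):
    """Replace the password in one matched URI with '****'; leave the scheme,
    user name, host and share intact so the line stays useful for debugging."""
    scheme, authority, path = m.group(1), m.group(2), m.group(3) or ""
    userinfo, hostport = split_userinfo(authority)
    if userinfo is None or ":" not in userinfo:     # no password present
        return m.group(0)
    user = userinfo.split(":", 1)[0]
    return f"{scheme}://{user}:****@{hostport}{path}"


def sanitize_line(line):
    """What the scheduler should write: the same line with passwords masked."""
    return _URI_RE.sub(_redact, line)


def find_leaked_credentials(log_text):
    """One (line number, user name, host/share) record per URI that carries a
    password.  The password itself is deliberately not returned or printed."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in _URI_RE.finditer(line):
            userinfo, hostport = split_userinfo(m.group(2))
            if userinfo and ":" in userinfo:
                target = hostport + (m.group(3) or "").rstrip(":,.")
                hits.append((n, userinfo.split(":", 1)[0], target))
    return hits


def readable_by_others(mode):
    """True when group or other may read the file.  A spooler log that can
    carry credentials should be mode 0600 (or 0640 with a trusted group)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_error_log(path=ERROR_LOG):
    """Check a real log: (readable by others?, leaked-credential records),
    or None if the log cannot be opened."""
    try:
        st = os.stat(path)
        with open(path, errors="replace") as fh:
            hits = find_leaked_credentials(fh.read())
    except OSError:
        return None
    return readable_by_others(st.st_mode), hits


# Constructed sample: line 2 leaks a domain account's password, line 4 has a
# user name but no password, line 3 is a URI without credentials at all.
SAMPLE_LOG = """\
I [22/Oct/2004:11:13:00 -0400] Started "/usr/lib/cups/backend/smb" (pid=1234)
E [22/Oct/2004:11:13:02 -0400] [Job 42] Unable to connect to smb://FINANCE\\jsmith:p@ss:w0rd@fileserver/HP4050: NT_STATUS_LOGON_FAILURE
I [22/Oct/2004:11:13:05 -0400] [Job 43] Sending to ipp://printserver.example.com/printers/lobby
E [22/Oct/2004:11:13:07 -0400] [Job 44] smb://guest@fileserver/Public: NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    for n, user, target in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {n}: password of {user} for {target} is in the log")
    print("sanitized line 2:")
    print(sanitize_line(SAMPLE_LOG.splitlines()[1]))
    print("live log:", audit_error_log())
```

Run it on a host that has not yet taken the update to see whether credentials have already been written; the leak is not undone by upgrading, so any account that appears in the report should have its password changed and the old log rotated or shredded, not just the package replaced. Masking only the password, as `sanitize_line` does, keeps the user name and share in the line so the message remains useful for diagnosing a failed job.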
Solution:  Red Hat has released a fix.

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/cups-1.1.17-13.3.16.src.rpm
5115ddbfb412786152b559c645008d04 cups-1.1.17-13.3.16.src.rpm

i386:
ba0ce8b3a0e6f96f65e805b18abb9710 cups-1.1.17-13.3.16.i386.rpm
15cc19fff26090f2ac2a3ae9fe8edade cups-devel-1.1.17-13.3.16.i386.rpm
f9c322a11ba0b571dd986dac596fe9e3 cups-libs-1.1.17-13.3.16.i386.rpm

ia64:
c8b90a470b68b58fed2e82e570f5ee92 cups-1.1.17-13.3.16.ia64.rpm
e6eac12d4a04cc3f2f78d5bcf04b3225 cups-devel-1.1.17-13.3.16.ia64.rpm
ca472cbe2195dbc118ccfbc05644da0f cups-libs-1.1.17-13.3.16.ia64.rpm
f9c322a11ba0b571dd986dac596fe9e3 cups-libs-1.1.17-13.3.16.i386.rpm

ppc:
e6c4b39d457d9b9877fe95b6fe1dbec4 cups-1.1.17-13.3.16.ppc.rpm
d7a9f13c7cc6c53322c66548ad8c76de cups-devel-1.1.17-13.3.16.ppc.rpm
1c0013991559da5dcdff753e0fa29fed cups-libs-1.1.17-13.3.16.ppc.rpm

ppc64:
2d58c7b4af3581b720c315d4acc88caa cups-libs-1.1.17-13.3.16.ppc64.rpm

s390:
3f8e4d1f0acb1e63cacb04a31d33be7e cups-1.1.17-13.3.16.s390.rpm
9f65609293cab71c27bab23b4766e376 cups-devel-1.1.17-13.3.16.s390.rpm
9b3323c103753b3c97ac6543f73113f1 cups-libs-1.1.17-13.3.16.s390.rpm

s390x:
9276fbed4537149de825126e43165244 cups-1.1.17-13.3.16.s390x.rpm
276335bb8d2b6b204ce69c478d708f85 cups-devel-1.1.17-13.3.16.s390x.rpm
56bedea0c9cbabdc50d2f4a1fdf63389 cups-libs-1.1.17-13.3.16.s390x.rpm
9b3323c103753b3c97ac6543f73113f1 cups-libs-1.1.17-13.3.16.s390.rpm

x86_64:
2909c8b13ebabafe4f9832e571452226 cups-1.1.17-13.3.16.x86_64.rpm
351a15fe066f9650c293d91d5edca0d8 cups-devel-1.1.17-13.3.16.x86_64.rpm
d3dddda473fe262daea7770ad1c6b6b2 cups-libs-1.1.17-13.3.16.x86_64.rpm
f9c322a11ba0b571dd986dac596fe9e3 cups-libs-1.1.17-13.3.16.i386.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/cups-1.1.17-13.3.16.src.rpm
5115ddbfb412786152b559c645008d04 cups-1.1.17-13.3.16.src.rpm

i386:
ba0ce8b3a0e6f96f65e805b18abb9710 cups-1.1.17-13.3.16.i386.rpm
15cc19fff26090f2ac2a3ae9fe8edade cups-devel-1.1.17-13.3.16.i386.rpm
f9c322a11ba0b571dd986dac596fe9e3 cups-libs-1.1.17-13.3.16.i386.rpm

x86_64:
2909c8b13ebabafe4f9832e571452226 cups-1.1.17-13.3.16.x86_64.rpm
351a15fe066f9650c293d91d5edca0d8 cups-devel-1.1.17-13.3.16.x86_64.rpm
d3dddda473fe262daea7770ad1c6b6b2 cups-libs-1.1.17-13.3.16.x86_64.rpm
f9c322a11ba0b571dd986dac596fe9e3 cups-libs-1.1.17-13.3.16.i386.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/cups-1.1.17-13.3.16.src.rpm
5115ddbfb412786152b559c645008d04 cups-1.1.17-13.3.16.src.rpm

i386:
ba0ce8b3a0e6f96f65e805b18abb9710 cups-1.1.17-13.3.16.i386.rpm
15cc19fff26090f2ac2a3ae9fe8edade cups-devel-1.1.17-13.3.16.i386.rpm
f9c322a11ba0b571dd986dac596fe9e3 cups-libs-1.1.17-13.3.16.i386.rpm

ia64:
c8b90a470b68b58fed2e82e570f5ee92 cups-1.1.17-13.3.16.ia64.rpm
e6eac12d4a04cc3f2f78d5bcf04b3225 cups-devel-1.1.17-13.3.16.ia64.rpm
ca472cbe2195dbc118ccfbc05644da0f cups-libs-1.1.17-13.3.16.ia64.rpm
f9c322a11ba0b571dd986dac596fe9e3 cups-libs-1.1.17-13.3.16.i386.rpm

x86_64:
2909c8b13ebabafe4f9832e571452226 cups-1.1.17-13.3.16.x86_64.rpm
351a15fe066f9650c293d91d5edca0d8 cups-devel-1.1.17-13.3.16.x86_64.rpm
d3dddda473fe262daea7770ad1c6b6b2 cups-libs-1.1.17-13.3.16.x86_64.rpm
f9c322a11ba0b571dd986dac596fe9e3 cups-libs-1.1.17-13.3.16.i386.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/cups-1.1.17-13.3.16.src.rpm
5115ddbfb412786152b559c645008d04 cups-1.1.17-13.3.16.src.rpm

i386:
ba0ce8b3a0e6f96f65e805b18abb9710 cups-1.1.17-13.3.16.i386.rpm
15cc19fff26090f2ac2a3ae9fe8edade cups-devel-1.1.17-13.3.16.i386.rpm
f9c322a11ba0b571dd986dac596fe9e3 cups-libs-1.1.17-13.3.16.i386.rpm

ia64:
c8b90a470b68b58fed2e82e570f5ee92 cups-1.1.17-13.3.16.ia64.rpm
e6eac12d4a04cc3f2f78d5bcf04b3225 cups-devel-1.1.17-13.3.16.ia64.rpm
ca472cbe2195dbc118ccfbc05644da0f cups-libs-1.1.17-13.3.16.ia64.rpm
f9c322a11ba0b571dd986dac596fe9e3 cups-libs-1.1.17-13.3.16.i386.rpm

x86_64:
2909c8b13ebabafe4f9832e571452226 cups-1.1.17-13.3.16.x86_64.rpm
351a15fe066f9650c293d91d5edca0d8 cups-devel-1.1.17-13.3.16.x86_64.rpm
d3dddda473fe262daea7770ad1c6b6b2 cups-libs-1.1.17-13.3.16.x86_64.rpm
f9c322a11ba0b571dd986dac596fe9e3 cups-libs-1.1.17-13.3.16.i386.rpm
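Before installing, check what was downloaded against the sums listed above. The following is an added example, not Red Hat tooling: it parses sum lines in the advisory's "md5  filename" format, ignores everything else in the list (section headings, ftp:// URLs, blank lines), compares each named file in a download directory, and wraps `rpm -K` for the signature check. The package files and sums built by `run_demo` are constructed stand-ins for demonstration and are not the real packages.

```python
"""Verify downloaded update packages against the MD5 sums in an advisory.

Added example, not Red Hat's own tooling.  It reads lines in the advisory's
"<md5hex>  <filename>" format, ignores everything else (section headings,
ftp:// URLs, blanks), and checks the named files in a download directory.
The packages built by run_demo() are constructed stand-ins, not real RPMs.
"""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile

# Exactly 32 hex digits, whitespace, a file name.  A digest split by a stray
# space (as happens when a sum is copied badly) does not match, so a garbled
# entry is dropped rather than treated as verified.
_SUM_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(\S+)\s*$")


def parse_sum_list(text):
    """Map file name -> expected MD5 (lower-case hex) for every sum line."""
    sums = {}
    for line in text.splitlines():
        m = _SUM_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large packages do not sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(sum_text, directory):
    """Return {file name: "ok" | "MISMATCH" | "missing"} for each listed file."""
    results = {}
    for name, expected in parse_sum_list(sum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def rpm_checksig(path):
    """Run `rpm -K` on a package and return (exit status was 0, rpm's output).
    Needs Red Hat's package-signing key imported into the rpm database.
    Returns None when rpm is not installed (for instance on a non-RPM host)."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(["rpm", "-K", path], capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout + proc.stderr


def run_demo():
    """Exercise the checker on constructed files in a scratch directory:
    one package that matches its sum, one altered after the sum was taken,
    and one listed but never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "cups-1.1.17-13.3.16.i386.rpm")
        altered = os.path.join(d, "cups-devel-1.1.17-13.3.16.i386.rpm")
        for p in (good, altered):
            with open(p, "wb") as fh:
                fh.write(b"constructed package body, not a real rpm\n")
        sum_text = (
            "Red Hat Enterprise Linux AS version 3:\n\n"
            "i386:\n"
            f"{md5_of_file(good)}  cups-1.1.17-13.3.16.i386.rpm\n"
            f"{md5_of_file(altered)}  cups-devel-1.1.17-13.3.16.i386.rpm\n"
            f"{'0' * 32}  cups-libs-1.1.17-13.3.16.i386.rpm\n"
        )
        with open(altered, "ab") as fh:   # tamper after the sums were recorded
            fh.write(b"extra bytes\n")
        return verify_downloads(sum_text, d)


if __name__ == "__main__":
    for name, status in sorted(run_demo().items()):
        print(f"{status:9} {name}")
```

A matching MD5 only shows the download is the file the sum was published for, and only to the extent the sum list itself came from a trusted channel; the GPG signature on the package is the authenticity check. Note that `rpm -K` exits 0 for an unsigned package whose digests are intact, so read its output for the signature result rather than relying on the exit status alone.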

Vendor URL:  www.cups.org/ (Links to External Site)
Cause:  Access control error
Underlying OS:  Linux (Red Hat Enterprise)
Reported By:  bugzilla@redhat.com
Message History:   This archive entry is a follow-up to the message listed below.
Oct 4 2004 CUPS Log Files May Disclose User Passwords to Local Users



 Source Message Contents

Date:  Fri, 22 Oct 2004 11:13 -0400
From:  bugzilla@redhat.com
Subject:  [RHSA-2004:543-01] Updated CUPS packages fix security issues

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated CUPS packages fix security issues
Advisory ID:       RHSA-2004:543-01
Issue date:        2004-10-22
Updated on:        2004-10-22
Product:           Red Hat Enterprise Linux
Obsoletes:         RHSA-2004:449
CVE Names:         CAN-2004-0888 CAN-2004-0923
- ---------------------------------------------------------------------

1. Summary:

Updated cups packages that fix denial of service issues, a security
information leak, as well as other various bugs are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The Common UNIX Printing System (CUPS) is a print spooler.

During a source code audit, Chris Evans discovered a number of integer
overflow bugs that affect xpdf.  CUPS contains a copy of the xpdf code used
for parsing PDF files and is therefore affected by these bugs.  An attacker
who has the ability to send a malicious PDF file to a printer could cause
CUPS to crash or possibly execute arbitrary code.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0888 to this issue.

When set up to print to a shared printer via Samba, CUPS would authenticate
with that shared printer using a username and password.  By default, the
username and password used to connect to the Samba share are written
into the error log file.  A local user who is able to read the error log
file could collect these usernames and passwords.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0923 to this issue.

These updated packages also include a fix that prevents some CUPS
configuration files from being accidentally replaced.

All users of CUPS should upgrade to these updated packages, which
resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

99461 - cups configuration
132034 - mime.types was updated - not copied to mime.types.rpmnew
134599 - CAN-2004-0923 Log file information disclosure
135378 - CAN-2004-0888 xpdf issues affect cups

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/cups-1.1.17-13.3.16.src.rpm
5115ddbfb412786152b559c645008d04  cups-1.1.17-13.3.16.src.rpm

i386:
ba0ce8b3a0e6f96f65e805b18abb9710  cups-1.1.17-13.3.16.i386.rpm
15cc19fff26090f2ac2a3ae9fe8edade  cups-devel-1.1.17-13.3.16.i386.rpm
f9c322a11ba0b571dd986dac596fe9e3  cups-libs-1.1.17-13.3.16.i386.rpm

ia64:
c8b90a470b68b58fed2e82e570f5ee92  cups-1.1.17-13.3.16.ia64.rpm
e6eac12d4a04cc3f2f78d5bcf04b3225  cups-devel-1.1.17-13.3.16.ia64.rpm
ca472cbe2195dbc118ccfbc05644da0f  cups-libs-1.1.17-13.3.16.ia64.rpm
f9c322a11ba0b571dd986dac596fe9e3  cups-libs-1.1.17-13.3.16.i386.rpm

ppc:
e6c4b39d457d9b9877fe95b6fe1dbec4  cups-1.1.17-13.3.16.ppc.rpm
d7a9f13c7cc6c53322c66548ad8c76de  cups-devel-1.1.17-13.3.16.ppc.rpm
1c0013991559da5dcdff753e0fa29fed  cups-libs-1.1.17-13.3.16.ppc.rpm

ppc64:
2d58c7b4af3581b720c315d4acc88caa  cups-libs-1.1.17-13.3.16.ppc64.rpm

s390:
3f8e4d1f0acb1e63cacb04a31d33be7e  cups-1.1.17-13.3.16.s390.rpm
9f65609293cab71c27bab23b4766e376  cups-devel-1.1.17-13.3.16.s390.rpm
9b3323c103753b3c97ac6543f73113f1  cups-libs-1.1.17-13.3.16.s390.rpm

s390x:
9276fbed4537149de825126e43165244  cups-1.1.17-13.3.16.s390x.rpm
276335bb8d2b6b204ce69c478d708f85  cups-devel-1.1.17-13.3.16.s390x.rpm
56bedea0c9cbabdc50d2f4a1fdf63389  cups-libs-1.1.17-13.3.16.s390x.rpm
9b3323c103753b3c97ac6543f73113f1  cups-libs-1.1.17-13.3.16.s390.rpm

x86_64:
2909c8b13ebabafe4f9832e571452226  cups-1.1.17-13.3.16.x86_64.rpm
351a15fe066f9650c293d91d5edca0d8  cups-devel-1.1.17-13.3.16.x86_64.rpm
d3dddda473fe262daea7770ad1c6b6b2  cups-libs-1.1.17-13.3.16.x86_64.rpm
f9c322a11ba0b571dd986dac596fe9e3  cups-libs-1.1.17-13.3.16.i386.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/cups-1.1.17-13.3.16.src.rpm
5115ddbfb412786152b559c645008d04  cups-1.1.17-13.3.16.src.rpm

i386:
ba0ce8b3a0e6f96f65e805b18abb9710  cups-1.1.17-13.3.16.i386.rpm
15cc19fff26090f2ac2a3ae9fe8edade  cups-devel-1.1.17-13.3.16.i386.rpm
f9c322a11ba0b571dd986dac596fe9e3  cups-libs-1.1.17-13.3.16.i386.rpm

x86_64:
2909c8b13ebabafe4f9832e571452226  cups-1.1.17-13.3.16.x86_64.rpm
351a15fe066f9650c293d91d5edca0d8  cups-devel-1.1.17-13.3.16.x86_64.rpm
d3dddda473fe262daea7770ad1c6b6b2  cups-libs-1.1.17-13.3.16.x86_64.rpm
f9c322a11ba0b571dd986dac596fe9e3  cups-libs-1.1.17-13.3.16.i386.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/cups-1.1.17-13.3.16.src.rpm
5115ddbfb412786152b559c645008d04  cups-1.1.17-13.3.16.src.rpm

i386:
ba0ce8b3a0e6f96f65e805b18abb9710  cups-1.1.17-13.3.16.i386.rpm
15cc19fff26090f2ac2a3ae9fe8edade  cups-devel-1.1.17-13.3.16.i386.rpm
f9c322a11ba0b571dd986dac596fe9e3  cups-libs-1.1.17-13.3.16.i386.rpm

ia64:
c8b90a470b68b58fed2e82e570f5ee92  cups-1.1.17-13.3.16.ia64.rpm
e6eac12d4a04cc3f2f78d5bcf04b3225  cups-devel-1.1.17-13.3.16.ia64.rpm
ca472cbe2195dbc118ccfbc05644da0f  cups-libs-1.1.17-13.3.16.ia64.rpm
f9c322a11ba0b571dd986dac596fe9e3  cups-libs-1.1.17-13.3.16.i386.rpm

x86_64:
2909c8b13ebabafe4f9832e571452226  cups-1.1.17-13.3.16.x86_64.rpm
351a15fe066f9650c293d91d5edca0d8  cups-devel-1.1.17-13.3.16.x86_64.rpm
d3dddda473fe262daea7770ad1c6b6b2  cups-libs-1.1.17-13.3.16.x86_64.rpm
f9c322a11ba0b571dd986dac596fe9e3  cups-libs-1.1.17-13.3.16.i386.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/cups-1.1.17-13.3.16.src.rpm
5115ddbfb412786152b559c645008d04  cups-1.1.17-13.3.16.src.rpm

i386:
ba0ce8b3a0e6f96f65e805b18abb9710  cups-1.1.17-13.3.16.i386.rpm
15cc19fff26090f2ac2a3ae9fe8edade  cups-devel-1.1.17-13.3.16.i386.rpm
f9c322a11ba0b571dd986dac596fe9e3  cups-libs-1.1.17-13.3.16.i386.rpm

ia64:
c8b90a470b68b58fed2e82e570f5ee92  cups-1.1.17-13.3.16.ia64.rpm
e6eac12d4a04cc3f2f78d5bcf04b3225  cups-devel-1.1.17-13.3.16.ia64.rpm
ca472cbe2195dbc118ccfbc05644da0f  cups-libs-1.1.17-13.3.16.ia64.rpm
f9c322a11ba0b571dd986dac596fe9e3  cups-libs-1.1.17-13.3.16.i386.rpm

x86_64:
2909c8b13ebabafe4f9832e571452226  cups-1.1.17-13.3.16.x86_64.rpm
351a15fe066f9650c293d91d5edca0d8  cups-devel-1.1.17-13.3.16.x86_64.rpm
d3dddda473fe262daea7770ad1c6b6b2  cups-libs-1.1.17-13.3.16.x86_64.rpm
f9c322a11ba0b571dd986dac596fe9e3  cups-libs-1.1.17-13.3.16.i386.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0923

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBeSOnXlSAg2UNWIIRAlxAAJ9WyDOPr6em8vXIk0SXsIA9NC2MNwCgv7ws
SFXFonpckLShZW9rZb3zjaA=
=QEhf
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list

 


Copyright 2004, SecurityGlobal.net LLC