
Bug#394835: marked as done (cupsys-client: cupsaddsmb leaks password information to everybody)



Your message dated Sat, 28 Oct 2006 19:26:37 -0300
with message-id <20061028222637.GA25842@khazad-dum.debian.net>
and subject line This is fixed in Sid and Etch
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: cupsys-client
Version: 1.1.23-10sarge1
Severity: grave
Tags: security
Justification: user security hole


Hi.

I just noticed that command 'cupsaddsmb' uses

    smbclient -U'USER%PASSWORD'

to establish a connection to the SMB server. This command line is
visible to everybody on the system running 'cupsaddsmb', meaning
that the password can easily be copied by an average user and used
for malicious manipulations of printer drivers later installed via
Samba printing services.

I'd suggest that 'cupsaddsmb' use smbclient's -A option to pass
authentication information to smbclient in a secure way.
Alternatively, process environment ($PASSWD) may also be an option.

Cheers,
Alex

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages cupsys-client depends on:
ii  adduser               3.63               Add and remove users and groups
ii  libc6                 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an
ii  libcupsys2-gnutls10   1.1.23-10sarge1    Common UNIX Printing System(tm) - 
ii  zlib1g                1:1.2.2-4.sarge.2  compression library - runtime

-- no debconf information


--- End Message ---
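The leak described in the report above, and the credentials-file form the reporter suggests, as an added example; this is not code from the bug report, from cupsaddsmb or from Samba. The function names (show_leak, make_authfile, smbclient_cmdline, authfile_mode), the server and share names and the sample credentials are assumptions made for the illustration. The only smbclient facts relied on are the -U'USER%PASSWORD' form quoted in the report and the -A credentials-file format (username =, password =, domain = lines); smbclient itself is never run, a sleeping shell stands in for it so the example works offline.

```sh
#!/bin/sh
# Added example, not code from the bug report or from CUPS/Samba.
# Shows why a password in argv leaks and how an smbclient -A
# credentials file avoids it. Function names and sample data are
# this example's own assumptions.
set -u

# Reproduce the leak: whatever is in argv is visible to every local
# user through ps (Linux also exposes it world-readable in
# /proc/<pid>/cmdline). A sleeping sh stands in for smbclient; the
# trailing ':' keeps the shell from exec'ing sleep and replacing argv.
show_leak() {
    user=$1 pass=$2
    sh -c 'sleep 2; :' sh "-U${user}%${pass}" >/dev/null 2>&1 &
    pid=$!
    if command -v ps >/dev/null 2>&1; then
        ps -o args= -p "$pid" 2>/dev/null || true
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

# Write an smbclient -A credentials file. mktemp creates the file with
# mode 0600 before anything is written to it, so there is no window in
# which another user can read the secret. Prints the file's path.
make_authfile() {
    user=$1 pass=$2 domain=${3:-}
    authfile=$(mktemp "${TMPDIR:-/tmp}/cupsaddsmb.XXXXXX") || return 1
    {
        printf 'username = %s\n' "$user"
        printf 'password = %s\n' "$pass"
        if [ -n "$domain" ]; then printf 'domain = %s\n' "$domain"; fi
    } > "$authfile"
    printf '%s\n' "$authfile"
}

# The smbclient invocation with the credentials file: only the file's
# path is in argv, so ps shows no password.
smbclient_cmdline() {
    authfile=$1 server=$2 share=$3
    printf 'smbclient -A %s //%s/%s\n' "$authfile" "$server" "$share"
}

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
authfile_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo with constructed credentials (not real).
f=$(make_authfile printadmin 'S3cret!' WORKGROUP)
echo "leaky form, as any local user sees it in ps:"
show_leak printadmin 'S3cret!'
echo "credentials file $f (mode $(authfile_mode "$f")):"
cat "$f"
echo "safe form:"
smbclient_cmdline "$f" printserver 'print$'
rm -f "$f"
```

Two caveats a practitioner should keep in mind. First, the credentials file is only as safe as its permissions: it must be created with mode 0600 before the secret is written (mktemp does this; `touch` followed by `chmod` does not) and removed as soon as smbclient returns. Second, the reporter's alternative of passing the password in the environment is an improvement over argv, because `/proc/<pid>/environ` is readable only by the process owner and root rather than by everyone, but it is still readable by any process running as the same user, so the file-based form is the stronger choice.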
--- Begin Message ---
Version: 1.2.4-2

CUPS 1.2.4-2 and 1.2.5-1 don't have this problem (from a look at the
source code in cups/adminutil.c) and use an authfile instead of the command
line to pass password information.

I am doing a versioned close for Etch and Sid.  If someone knows the exact
version of CUPS that fixed this issue, please do a more strict versioned
close.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

--- End Message ---
