Bug#394835: marked as done (cupsys-client: cupsaddsmb leaks password information to everybody)
Your message dated Sat, 28 Oct 2006 19:26:37 -0300
with message-id <20061028222637.GA25842@khazad-dum.debian.net>
and subject line This is fixed in Sid and Etch
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: cupsys-client
Version: 1.1.23-10sarge1
Severity: grave
Tags: security
Justification: user security hole
Hi.
I just noticed that command 'cupsaddsmb' uses
smbclient -U'USER%PASSWORD'
to establish a connection to the SMB server. This command line is
visible to everybody on the system running 'cupsaddsmb', meaning
that the password can easily be copied by an average user and used
for malicious manipulations of printer drivers later installed via
Samba printing services.
I'd suggest that 'cupsaddsmb' use smbclient's -A option to pass
authentication information to smbclient in a secure way.
Alternatively, process environment ($PASSWD) may also be an option.
Cheers,
Alex
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Versions of packages cupsys-client depends on:
ii adduser 3.63 Add and remove users and groups
ii libc6 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an
ii libcupsys2-gnutls10 1.1.23-10sarge1 Common UNIX Printing System(tm) -
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- no debconf information
--- End Message ---
--- Begin Message ---
- To: 394835-done@bugs.debian.org
- Subject: This is fixed in Sid and Etch
- From: Henrique de Moraes Holschuh <hmh@debian.org>
- Date: Sat, 28 Oct 2006 19:26:37 -0300
- Message-id: <20061028222637.GA25842@khazad-dum.debian.net>
Version: 1.2.4-2
CUPS 1.2.4-2 and 1.2.5-1 doesn't have this problem (from a look at the
source code in cups/adminutil.c) and uses an authfile instead of the command
line to pass password information.
I am doing a versioned close for Etch and Sid. If someone knows the exact
version of CUPS that fixed this issue, please do a more strict versioned
close.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
--- End Message ---
Reply to: