Bug#692791: #692791 - CVE-2012-5519 - cups lpadmin-to-root privilege escalation - RedHat solution
Hi all,
as a matter of completeness, here's Tim Waugh's comment from the upstream
tracker [0] on the road taken by Red Hat:
On Thursday, 14 February 2013 15.48:38, Tim Waugh wrote:
> FWIW, in Red Hat Enterprise Linux we'll be addressing this differently: all
> options will still be in cupsd.conf but a new option
> "ConfigurationChangeRestriction" will govern checks that are performed on
> new cupsd.conf files that are received via POST. Default value is "all",
> meaning that all changes to security-sensitive options via POST will be
> forbidden. Other options are "none" (prior behaviour) and "root-only"
> (only root-authenticated users may make such changes).
Now that we have released upstream's invasive fix to all our suites, I'm quite
sure it's not worth investigating this alternative idea.
Cheers,
OdyX
[0] https://www.cups.org/str.php?L4223
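
The restriction described in the quoted comment, modelled as an added Python example (not Red Hat's patch and not code from this thread): it decides which changes in a POSTed cupsd.conf would be refused under each of the three values. The SENSITIVE set, the function names and the sample configs are assumptions, since the thread does not list which options count as security-sensitive.

```python
# Added illustration of the policy in the quoted comment; not Red Hat's code.
# Assumption: which directives count as security-sensitive (the thread gives no list).
SENSITIVE = {"accesslog", "errorlog", "pagelog", "serverroot", "user", "group"}
POLICIES = ("all", "none", "root-only")


def parse_directives(text):
    """Return {lower-cased directive: value} for top-level cupsd.conf lines."""
    found, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):        # closing tag of a <Location>-style section
            depth = max(depth - 1, 0)
        elif line.startswith("<"):       # opening tag: skip the section body
            depth += 1
        elif depth == 0:
            parts = line.split(None, 1)
            found[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return found


def rejected_changes(current, posted, restriction="all", is_root=False):
    """List sensitive directives a POSTed config may not change under `restriction`."""
    if restriction not in POLICIES:
        raise ValueError("unknown ConfigurationChangeRestriction value: %r" % restriction)
    if restriction == "none" or (restriction == "root-only" and is_root):
        return []                        # prior behaviour, or root-authenticated user
    old, new = parse_directives(current), parse_directives(posted)
    # Added, removed or altered sensitive directives all count as a change.
    return sorted(name for name in SENSITIVE if old.get(name) != new.get(name))


# Constructed sample configs.
CURRENT = """\
LogLevel warn
ErrorLog /var/log/cups/error_log
<Location />
  Order allow,deny
</Location>
"""
POSTED = CURRENT.replace("/var/log/cups/error_log", "/srv/constructed/other_log")
HARMLESS = CURRENT.replace("LogLevel warn", "LogLevel debug")

if __name__ == "__main__":
    for policy in POLICIES:
        for root in (False, True):
            print(policy, root, rejected_changes(CURRENT, POSTED, policy, root))
```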