
Bug#692791: #692791 - CVE-2012-5519 - cups lpadmin-to-root privilege escalation - RedHat solution



Hi all,

as a matter of completeness, here's Tim Waugh's comment from the upstream 
tracker [0] on the road taken by Red Hat:

On Thursday, 14 February 2013 15.48:38, Tim Waugh wrote:
> FWIW, in Red Hat Enterprise Linux we'll be addressing this differently: all
> options will still be in cupsd.conf but a new option
> "ConfigurationChangeRestriction" will govern checks that are performed on
> new cupsd.conf files that are received via POST.  Default value is "all",
> meaning that all changes to security-sensitive options via POST will be
> forbidden.  Other options are "none" (prior behaviour) and "root-only"
> (only root-authenticated users may make such changes).

Now that we have released upstream's invasive fix to all our suites, I'm quite 
sure it's not worth investigating this alternative idea.

Cheers,

OdyX

[0] https://www.cups.org/str.php?L4223

