Bugzilla – Bug 795624
CVE-2012-6094: systemd socket activation sometimes breaks cups printing
Last modified: 2014-01-30 08:20:35 UTC
on an IPv6-enabled system with a remote IPP printer, but a local cups queue cups sometimes stops printing (after finishing a job?) keeping new jobs in the queue forever. netstat -tanp|grep 631 tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 842/cupsd tcp 0 0 :::631 :::* LISTEN 1/init shows in these cases that init (systemd-44-10.4.1.x86_64) is holding the half of the TCP sockets an rccups restart does not help, but systemctl stop cups.socket ; rccups restart made it work, in which case netstat had tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4569/cupsd tcp 0 0 ::1:631 :::* LISTEN 4569/cupsd also possibly a security issue: init is listening on the :: ANY addr
I have no knowledge how this systemd feature internally works and/or how it is actually implemented in CUPS. It was provided as patch by crrodriguez@opensuse.org, see the cups RPM changelog entries.
What does "cups sometimes stops printing" actually mean? Does the cupsd somehow "stop" (i.e. no longer work or even crach or whatever) or gets only the print queue stopped so that via this one print queue no longer jobs get printed?
I could still queue jobs for printing from firefox and lpq would show them and lprm would delete them, but they would not start to be actually printed
it looks like Fedora folks dropped the IP binding : http://pkgs.fedoraproject.org/cgit/cups.git/commit/cups-systemd-socket.patch?id=6ef39188975c03f6132a98c8cad20ce80b3d95d9 I've asked some RH people who can access the bug about it..
got information from RH folks (they'll see if they can open the bug report): "My experience with it is that it can't really be made to work well due to the way cupsd handles IPv4 vs IPv6 sockets, so I removed the IP socket activation in Fedora until that can be revisited" I suggest we do the same, by removing: ListenStream=631 ListenDatagram=0.0.0.0:631 BindIPv6Only=ipv6-only from cups.socket
got CVE-2012-6094
changing assignee to jsmeix, because this has to be fixed in cups package
Michal Vyskocil, did you read my comment#1 ?
OK.. I will check this one...
Cristian Rodríguez, very many thanks for your contribution! Right now I have added you as maintainer for the package cups in the "Printing" project so that you can directly work on CUPS there. I have one wish when you work on cups in "Printing": Have in mind that cups in the Printing project is not only built for Factory but also for SLE11 SLE11-SP1 SLE11-SP2 and openSUSE 11.4 12.1 12.2 and Tumbleweed. If you apply changes that are not fully backward compatible you must implement them in a conditional way in the spec file only for Factory and/or where it does actually work.
I think this issue here is meanwhile obsoleted since https://bugzilla.novell.com/show_bug.cgi?id=857372#c61 and subsequent comments. Bernhard Wiedemann, see in particular https://bugzilla.novell.com/show_bug.cgi?id=857372#c75 in short: Please update cups with the cups packages in OBS project "Printing" and report whether or not it works for you. *** This bug has been marked as a duplicate of bug 857372 ***