Bugzilla – Bug 548317
VUL-0: CVE-2009-2820: CUPS Web Interface XSS issues
Last modified: 2019-07-10 15:18:57 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. This issue is not public yet, please keep any information about it inside SUSE.

Date: Mon, 19 Oct 2009 10:25:51 -0700
From: Aaron Sigel <asigel@apple.com>
To: Vendor-Sec <vendor-sec@lst.de>
Subject: [vendor-sec] CUPS Web Interface XSS issues (will be CVE-2009-2820)
CC: Mike Sweet <msweet@apple.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Vendor-Sec,

The Web Interface of CUPS 1.4.1 is susceptible to Cross-Site Scripting and CRLF injection in HTTP headers. CUPS 1.4.2 addresses this issue.

CVE: The CVE for this issue is CVE-2009-2820.

Timing: This issue should remain embargoed until October 27th, 2009. If there are any issues with this proposed embargo date please let us know.

Versions affected: CUPS prior to 1.4.2

Credit: This issue was found internally by Aaron Sigel of Apple Product Security while auditing CUPS.

Patches: Patches are attached to this message. CUPS will be available from http://www.cups.org

Additional notes: The following proof of concept URLs can be used to demonstrate and test this issue. Please do not redistribute them.

http://localhost:631/admin/?op=redirect&URL=@www.somewebsite.com%0D%0ASet-Cookie:%20Foo=injected%0D%0AX-Fancy:%20
- Demonstrates header / newline injection

http://localhost:631/printers/lumpysprinter?refresh_page=0,javascript:alert(1)
- Demonstrates meta refresh redirect to javascript

http://localhost:631/admin?op=add-class&member_uris=ipp://localhost:631/printers/lumpysprinter&member_selected=onmouseover=alert(1)
- Demonstrates attribute injection onmouseover of member_selected (As is, this works on 1.3.x only)

http://localhost:631/jobs?which_jobs=completed&printer_name=?&printer_uri_supported=javascript:alert(1);//
- Demonstrates setting the <FORM> to trigger javascript when submitted

http://localhost:631/help/?QUERY=cool&QTEXT=happy&QLINK=javascript:alert(1);
- Demonstrates setting the help content link to point at a javascript: URL

If there are any additional questions or concerns please let us know.

Aaron Sigel
Apple Product Security

-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJK3J/FAAoJEHkodeiKZIkBe7kIAM5G6YDIP/8ix+NtsbcabXrC
dlthWaUAy4P9DnSqeucLW3r/mGkQ4yoTBCRiAWSBQmkGL2ipKzfTX3W6Cm3viYXL
MAvtD+uJkewsHL0VgnHelISBFbcDqLv31BKjlGHkD6PSU/J6vycB6E3I2kfcse1B
A1A4lQtJ4e+Pzqq3PjAgwGUMv5B0HWY17pB7kzl2SkuoaXjEeIPURju9OVjypfyE
qBa+C7ArtWlizyPTcC7f4wsx7ucko5Ltm6/COP+kSzVWHPQ8ovALJILwdFygh0br
JbCEjYoyetVdICsmNpE8WuZ3Q+0TsTBQrqyHZloM0RXmjsRrNT/+EsIAldzJNlI=
=7XP8
-----END PGP SIGNATURE-----
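The five proof-of-concept URLs above hit four distinct output contexts: an HTTP header value (the redirect), a meta-refresh interval, an HTML attribute, and a link/form target. The following is an added illustration, written for this page and not taken from the report, Apple's patch or the CUPS sources (which are C; Python is used here only for brevity), of the validation each context needs. The payload constants are the PoC parameter values URL-decoded; the function names are hypothetical and do not correspond to anything in CUPS.

```python
"""Per-context output handling for the four injection points in the
CVE-2009-2820 proof-of-concept URLs. Added example, not CUPS code."""
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed inputs: the PoC parameter values from the report, URL-decoded.
POC_REDIRECT = unquote("@www.somewebsite.com%0D%0ASet-Cookie:%20Foo=injected%0D%0AX-Fancy:%20")
POC_REFRESH = "0,javascript:alert(1)"
POC_ATTR = "onmouseover=alert(1)"
POC_LINK = "javascript:alert(1);"

_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def header_value(value: str) -> str:
    """Accept a string for an HTTP header only if it holds no control
    character at all. Rejecting just CR and LF is not enough: a bare CR or
    a stray LF is folded into a line break by some proxies and clients."""
    if _CTRL.search(value):
        raise ValueError("control character in header value")
    return value


def safe_redirect_target(url: str) -> str:
    """Value for the Location: header of op=redirect. Allow only a local
    absolute path or an absolute http(s) URL; anything else is refused."""
    url = header_value(url)
    parts = urlsplit(url)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            raise ValueError("unsupported scheme in redirect target")
        return url
    if not url.startswith("/") or url.startswith("//"):
        raise ValueError("redirect target must be a local absolute path")
    return url


def safe_refresh(value: str):
    """refresh_page is a number of seconds and nothing else. A value such as
    '0,javascript:alert(1)' that would end up in a <meta refresh> URL is
    dropped (None) instead of being echoed."""
    if re.fullmatch(r"[0-9]{1,5}", value):
        return int(value)
    return None


def safe_link_url(url: str):
    """href/action targets: allow relative paths and http(s) only. Whitespace
    and control characters are stripped before the scheme check because
    browsers ignore them when parsing a scheme ('java\\nscript:')."""
    cleaned = re.sub(r"[\s\x00-\x1f\x7f]", "", url)
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None
    return cleaned


def attr(value: str) -> str:
    """Attributes are always emitted quoted and entity-escaped, so a value
    cannot close the quote and start a new attribute."""
    return '"' + html.escape(value, quote=True) + '"'


def render_option(value: str, selected: str) -> str:
    """The 'selected' request parameter is only compared against the real
    option value; it is never written into the tag as text."""
    sel = " selected" if value == selected else ""
    return f"<option value={attr(value)}{sel}>{html.escape(value)}</option>"


def check_pocs() -> dict:
    """Run every PoC payload through its context handler."""
    results = {}
    try:
        results["redirect"] = "accepted: " + safe_redirect_target(POC_REDIRECT)
    except ValueError as err:
        results["redirect"] = f"rejected: {err}"
    results["refresh"] = safe_refresh(POC_REFRESH)
    results["link"] = safe_link_url(POC_LINK)
    results["attr"] = render_option("lumpysprinter", POC_ATTR)
    return results


if __name__ == "__main__":
    for context, outcome in check_pocs().items():
        print(f"{context:>9}: {outcome!r}")
```

The point of `render_option` is the third PoC: on 1.3.x the `member_selected` value reached the page as attribute text, so `onmouseover=alert(1)` became a live event handler. Treating the parameter purely as a comparison key, and quoting and escaping every attribute that is emitted, removes that path regardless of what the template looks like.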
We have CUPS 1.4 nowhere except in my non-official openSUSE build service project home:jsmeix package cups14plain so that only CUPS 1.3 and perhaps earlier versions are of interest here.

"is_maintained -a cups" results in the following distributions where we have the following CUPS versions:

11.1 : cups-1.3.9
sle11 : cups-1.3.9
11.0 : cups-1.3.7
10.3 : cups-1.2.12
sle10-sp2 : cups-1.1.23
sle10-sp3 : cups-1.1.23
sles9 : cups-1.1.20
sles8 : cups-1.1.15

According to https://bugzilla.novell.com/show_bug.cgi?id=502061#c13 "sles8 is not only in extended maintenance mode and only severe bugs are fixed". Is this bug severe enough to be fixed for SLES8 or can I omit SLES8? I don't know how severe issues regarding "Cross-Site Scripting and CRLF injection in HTTP headers" are in general. Could I perhaps also omit other distributions? (Preferably everything which is not CUPS 1.3.) Have in mind that only careless admins would make a cupsd accessible to untrusted users (nobody lets arbitrary users print on his printers).
sles8 and 9 as well as 10.3 can be omitted I think. The others, however, should be fixed. XSS issues are bad because usually they allow an attacker to run javascript in the context of another site, therefore allowing him to e.g. steal cookies. The cups web interface runs on every SUSE installation by default. As you can see by clicking on the links in the advisory you don't need to log in as admin to make the injected code appear in cups pages.
Thanks for the info! Regarding "cups web interface runs on every SUSE installation by default": By default since CUPS 1.2 the cupsd listens only on internal ("localhost") network interfaces (and a Unix domain socket) via those default entries in /etc/cups/cupsd.conf for CUPS 1.2:

Listen localhost:631
Listen /var/run/cups/cups.sock

Therefore I think since CUPS 1.2 its web interface is also not accessible by default from other hosts. But as far as I remember the CUPS 1.1 (sle10-sp2 sle10-sp3) cupsd is listening on all interfaces by default.
(In reply to comment #5)
> By default since CUPS 1.2 the cupsd listens only
> on internal ("localhost") network interfaces

Your browser will happily follow links to localhost too :-) The XSS issue is not a threat for the cups server but for users getting redirected there.
Score is probably something like AV:N/AC:M/Au:N/C:N/I:P/A:N = 4.3 - medium, i.e. not that urgent.
we could fold it into the currently running update though. QA hasn't started yet
Ludwig, do you know the CUPS STR number (Software Trouble Report)? It has a URL of the form http://www.cups.org/str.php?L<str#> It might have been mentioned in whatever mails our friendly security team received regarding this issue and I would like to mention it in the RPM changelog too.

Another question: I would like to have it fixed for openSUSE 11.2 too but because according to comment #0 it is "embargoed until October 27th" I cannot simply make a usual submitrequest via our public openSUSE build service. Therefore the general question: How to do embargoed security updates for openSUSE 11.2?
More precisely regarding fix for openSUSE 11.2: I would like to fix it for 11.2 first of all so that we have it already fixed "in the box" and don't need to do a security update package.
Created attachment 323419 [details] cups-1.3.11-CVE-2009-2820.patch cups-1.3.11-CVE-2009-2820.patch is my working replacement for patch-1.3v2.patch in attachment #323160 [details] which does not apply as is (or I don't know the right special options to let it apply). Submitted package with the patch to 11.1/cups but currently I didn't test it at all.
Submitted package with cups-1.3.11-CVE-2009-2820.patch in attachment #323419 [details] to SLE11/cups but currently I didn't test it at all.
(In reply to comment #9)
> Ludwig,
> do you know the CUPS STR number (Software Trouble Report)?

No. The only mail we got was the one in the initial comment of this bug. Michael Sweet didn't comment either. Apple probably handled everything internally.

> Therefore the general question:
> How to do embargoed security updates for openSUSE 11.2?

No idea. Maybe it's not possible at all. Getting the fix on the GM already is basically impossible as well as it would become public then.
Even though "is_maintained -a cups" does not show "sle11-sp1" I'd like to be on the safe side and therefore I did "getpac -l -r sle11-sp1 cups" and "submitpac -r sle11-sp1 cups" with cups-1.3.11-CVE-2009-2820.patch in attachment #323419 [details] to have it also submitted to SLE11-SP1/cups but currently I didn't test it at all.
Submitted package with cups-1.3.11-CVE-2009-2820.patch in attachment #323419 [details] to 11.0/cups but currently I didn't test it at all.
For testing I built CUPS 1.3.9 which I had submitted to SLE11-SP1/cups (see comment #14) for 11.1-i586 which runs on my workstation and up to now at least the basic stuff seems to work well, at least for me:

- I set up several local queues with yast2-printer and one queue via the CUPS web frontend to print with various drivers to my HP LaserJet 1220 USB printer
- I tested printing to one of our network printers ("bw_2_2_gang")
- I shared my queues to an openSUSE 11.2 RC1 x86_64 system and I can print from it
- I tried all the bad test URLs as is in comment #0 and after I replaced "lumpysprinter" therein with an actually valid queue name on localhost I got no longer any bad results (in particular no longer any javascript alert popup)

Nevertheless this can be only a very basic quick test because the patch is quite big and when you look at it you notice words like e.g. HTTPS and KERBEROS but I didn't do any test here regarding HTTPS or KERBEROS. On the other hand all patched source files are in the cgi-bin source directory which seems to indicate that in the worst case the patch may only break something for the CUPS web interface (where everything could also be done via command line tools as a workaround) but the patch seems not to change any core CUPS functionality.
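Checking for a popup in a browser is a manual test that only catches the payload variants a browser happens to execute. An added example, written for this page and not part of the bug, the patch or CUPS, of how the same PoC results can be checked mechanically from the raw HTTP response: the headers are inspected for the names the redirect PoC injects, and the body is run through a real HTML parser (so entity-escaped output such as `&quot; onmouseover=&quot;` inside one attribute value is correctly not flagged) looking for event-handler attributes, `javascript:` URLs in `href`/`action`, and a meta refresh pointing at `javascript:`. The sample responses are constructed for the example; they are not captured CUPS output.

```python
"""Scan a CUPS web-interface HTTP response for the CVE-2009-2820 injection
classes. Added example, not CUPS code; sample responses are constructed."""
import re
from html.parser import HTMLParser

# Header names/values that the op=redirect proof-of-concept URL tries to inject.
INJECTED_HEADERS = {"x-fancy": "", "set-cookie": "foo=injected"}


def parse_raw(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body.decode("utf-8", "replace")


def header_findings(headers):
    """Report any header that the redirect payload would have smuggled in."""
    out = []
    for name, value in headers:
        want = INJECTED_HEADERS.get(name.lower())
        if want is not None and value.lower().startswith(want):
            out.append(f"injected header {name}: {value}")
    return out


class InjectionScanner(HTMLParser):
    """Walk start tags; attribute values arrive entity-decoded from the parser."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Browsers drop whitespace/control chars when reading a scheme.
            compact = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
            if name.startswith("on"):
                self.findings.append(f"<{tag}> carries event handler {name}")
            elif compact.startswith("javascript:"):
                self.findings.append(f"<{tag} {name}> is a javascript: URL")
            elif tag == "meta" and "url=javascript:" in compact:
                self.findings.append("<meta> refresh redirects to javascript:")


def scan(headers, body: str):
    """headers: list of (name, value); body: decoded HTML. Returns findings."""
    scanner = InjectionScanner()
    scanner.feed(body)
    scanner.close()
    return header_findings(headers) + scanner.findings


def scan_raw(raw: bytes):
    _, headers, body = parse_raw(raw)
    return scan(headers, body)


# Constructed sample responses (hypothetical, for the example only).
VULN_REDIRECT = (b"HTTP/1.1 303 See Other\r\nLocation: /admin/@www.somewebsite.com\r\n"
                 b"Set-Cookie: Foo=injected\r\nX-Fancy: \r\n\r\n")
FIXED_REDIRECT = b"HTTP/1.1 303 See Other\r\nLocation: /admin/\r\n\r\n"
VULN_ATTR = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<option value=lumpysprinter onmouseover=alert(1)>lumpysprinter</option>")
FIXED_ATTR = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b'<option value="x&quot; onmouseover=&quot;alert(1)">x&quot; onmouseover=&quot;alert(1)</option>')
VULN_META = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b'<meta http-equiv="refresh" content="0;URL=javascript:alert(1)">')
VULN_FORM = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b'<form action="javascript:alert(1);//" method="POST"></form>')
VULN_HELP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b'<a href="java\nscript:alert(1);">cool</a>')
FIXED_HELP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b'<a href="/help/?QUERY=cool&amp;QTEXT=happy">cool</a>')

if __name__ == "__main__":
    for label, sample in [("redirect", VULN_REDIRECT), ("attr", VULN_ATTR),
                          ("meta", VULN_META), ("form", VULN_FORM),
                          ("help", VULN_HELP), ("fixed help", FIXED_HELP)]:
        print(label, scan_raw(sample))
```

To run this against a live build, fetch each PoC URL with `http.client` and pass `resp.getheaders()` and the decoded `resp.read()` to `scan()`; a patched server should give an empty list for every URL, and the unquoted-attribute check is the one that distinguishes the 1.3.x case mentioned in the report.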
It is fixed and submitted for 11.1, sle11, sle11-sp1, and 11.0. Because of http://lists.opensuse.org/opensuse-buildservice/2009-10/msg00138.html "[opensuse-buildservice] openSUSE 10.3 runs out of maintenance" and because of comment #4 I will omit 10.3 and I will also omit sles9 and sles8. Therefore only sle10-sp2 and sle10-sp3 must still be fixed now. Furthermore 11.2, and openSUSE:Factory are left but those must wait until the issue is published, see comment #13.
The SWAMPID for this issue is 28175. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/28175)
CRD delayed to Nov 2nd. Michael Sweet says cups 1.1 is not affected.
When CUPS 1.1 is not affected, the whole issue is luckily fixed already regarding our maintained products, see comment #3 and comment #17. When the CRD has passed (i.e. when the issue is published), I will also fix it for 11.2 and openSUSE:Factory (unless someone tells me how I can submit a bugfix for 11.2 into whatever internal queue so that we could do QA in advance to have our update packages ready at the same date when the issue is published).
Reopening and reset assignee to default for further processing by security-team@suse.de
I'll reject the patchinfos
Re-submitted with the above regression fix to SLE11-SP1/cups.
Re-submitted with the above regression fix to SLE11/cups.
Re-submitted with the above regression fix to 11.1/cups.
Re-submitted with the above regression fix to 11.0/cups. The issue is now fixed for all affected distributions which are maintained by me (i.e. what is_maintained shows). The latter means that it is not yet fixed for Moblin, see bug 551563.
(In reply to comment #22)
...
> I will also fix it for 11.2, and openSUSE:Factory
> (except someone tells me how I can submit a bugfix
> for 11.2 into whatever internal queue so that
> we could do QA in advance to have our update packages
> ready at the same date when the issue is published).

openSUSE:11.2 ?
Yes, I meant the project openSUSE:11.2 in the openSUSE build service. Currently "is_maintained -a cups" does not list anything regarding "11.2" but I assume our openSUSE 11.2 users may also like to get it fixed?
(In reply to comment #35)
> Yes, I meant the project openSUSE:11.2 in the
> openSUSE build service.
> Currently "is_maintained -a cups" does not list anything
> regarding "11.2" but I assume our openSUSE 11.2 users
> may also like to get it fixed?

I think so too. Maybe is_maintained is not current, AFAIK you can submit a package for 11.2 and I can prepare the patchinfo file for it too.
The crucial question is whether or not the issue is meanwhile published so that I can submit fixes for it to the publicly accessible project openSUSE:11.2.
Ah, the new openness... It was not announced on cups.org yet, therefore it seems not to be public.
Yes, great new openness but no good plan how to do embargoed fixes in time there, compare comment #13 :-( According to comment #21 it should be published after Nov. 2nd and it might be published first elsewhere (e.g. in whatever security forum) before it appears on cups.org, so I would appreciate it if our friendly security team could tell me when it became published if you notice that it has become public somewhere.
Regarding comment #14 and comment #29 i.e. regarding my submission to sle11-sp1: Because "used_sources cups" results in

prod(sle11-sp1),prod(sle11) : /mounts/work/SRC/old-versions/sle11/UPDATES/all/cups/cups.spec

there are no new cups sources for sle11-sp1 i.e. sle11-sp1 inherits from sle11. Therefore my above submission to sle11-sp1 was wrong because it would create a new branch for cups in sle11-sp1 if it was checked in there. Therefore I removed it now via

rm -r /work/src/done/SLE11-SP1/cups

Ludwig, I think you can also remove your /work/src/done/SLE11-SP1/cups.note
done
new version available from cups.org
Now we even know the CUPS STRs http://www.cups.org/str.php?L3367 and its regression fix http://www.cups.org/str.php?L3401 see http://www.cups.org/articles.php?L590

-------------------------------------------------------------
CUPS 1.4.2 fixes a web interface security issue
...
* SECURITY: The CUPS web interface was vulnerable to several XSS and HTTP header/body attacks via attribute injection (STR #3367, STR #3401)
-------------------------------------------------------------

But up to now there is no fixed CUPS 1.3.x version (should become CUPS 1.3.12) available.
FYI: I don't know how security updates are handled for products within the new openness. Since it is public, I just submitted it to openSUSE:11.2:

$ osc submitrequest home:jsmeix:branches:openSUSE:11.2 cups openSUSE:11.2 cups
created request id 24137

$ osc request list openSUSE:11.2 cups
24137 State:new Creator:jsmeix When:2009-11-11T11:45:00
submit: home:jsmeix:branches:openSUSE:11.2/cups -> openSUSE:11.2
Also submitted to openSUSE:Factory

osc request list openSUSE:Factory cups
24139 State:new Creator:jsmeix When:2009-11-11T11:58:49
submit: Printing/cups -> openSUSE:Factory
Update released for: cups, cups-client, cups-debuginfo, cups-debugsource, cups-devel, cups-libs
Products: openSUSE 11.0 (debug, i386, ppc, ppc64, x86_64), openSUSE 11.1 (debug, i586, ppc, ppc64, x86_64)
released
Update released for: cups, cups-client, cups-debuginfo, cups-debugsource, cups-devel, cups-libs, cups-libs-32bit, cups-libs-x86
Products: SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11 (i386, x86_64), SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
11.2 was forgotten. Please open a new swamp and submit an 11.2 patchinfo :/
The SWAMPID for this issue is 29353. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/29353)
Update released for: cups, cups-client, cups-client-debuginfo, cups-debuginfo, cups-debugsource, cups-devel, cups-libs, cups-libs-debuginfo
Products: openSUSE 11.2 (debug, i586, x86_64)