Bugzilla – Bug 858462
VUL-0: CVE-2013-6891: cups: info leak via lppasswd
Last modified: 2014-01-14 11:19:00 UTC
CVE-2013-6891

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6891
https://bugzilla.redhat.com/show_bug.cgi?id=1051645
http://www.cups.org/str.php?L4319
Patch: http://www.cups.org/strfiles.php/3230/str4319.patch
bugbot adjusting priority
Are we affected?

http://www.cups.org/str.php?L4319 reads
----------------------------------------------------------------------
I have found a vuln in the setuid "lppasswd" binary from recent CUPS versions. Speaking in Debian versions, 1.5.3-5+deb7u1 from wheezy is not affected, but 1.6.4-2 from jessie is.
----------------------------------------------------------------------
We have CUPS up to 1.5.4 but we do not provide CUPS >= 1.6.
The code in 1.5.4 at least also honors $HOME, so it's potentially affected. However, this only applies to suid files owned by root. If we have suid to lp, this is not an issue, as the lp user cannot access arbitrary files. Even better to have the suid bit removed entirely. What's actually the case for us?
openSUSE:13.1: -r-xr-xr-x root root /usr/bin/lppasswd
openSUSE:12.3: -r-xr-xr-x root root /usr/bin/lppasswd
openSUSE:12.2: -r-xr-xr-x root root /usr/bin/lppasswd
openSUSE:12.1: -r-xr-xr-x root root /usr/bin/lppasswd
openSUSE:11.4: -r-xr-xr-x root root /usr/bin/lppasswd
As far as I see we are not affected. Accordingly I close the issue as "invalid" which means it is only "invalid" for us as we provide our CUPS packages.
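The triage rule discussed in the comments above (exposure depends on whether lppasswd is setuid and who owns it), as an added example that is not part of the original bug report or of CUPS. The function names are hypothetical, the second and third sample lines are constructed, and `check_installed` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: classify lppasswd exposure from "MODE OWNER GROUP PATH" lines.

# classify_mode MODE OWNER prints one of:
#   setuid-root     the case the thread treats as potentially affected
#   setuid-nonroot  e.g. setuid lp, which cannot access arbitrary files
#   no-setuid       binary runs with the caller's own privileges
classify_mode() {
    mode=$1
    owner=$2
    # Character 4 of an ls-style mode string is the owner execute slot;
    # 's' (setuid with x) or 'S' (setuid without x) marks the setuid bit.
    suid_char=$(printf '%s' "$mode" | cut -c4)
    case $suid_char in
        s|S)
            if [ "$owner" = root ]; then echo setuid-root
            else echo setuid-nonroot; fi ;;
        *) echo no-setuid ;;
    esac
}

# classify_listing reads "MODE OWNER GROUP PATH" lines on stdin.
classify_listing() {
    while read -r mode owner _group path; do
        [ -n "$path" ] || continue
        printf '%s %s\n' "$path" "$(classify_mode "$mode" "$owner")"
    done
}

# check_installed PATH classifies the binary on this system (GNU stat assumed).
check_installed() {
    [ -e "$1" ] || { echo "$1 not-installed"; return 0; }
    printf '%s %s\n' "$1" "$(classify_mode $(stat -c '%A %U' "$1"))"
}

# Sample input: line 1 is the mode reported in the thread, lines 2-3 are constructed.
sample_listing() {
cat <<'EOF'
-r-xr-xr-x root root /usr/bin/lppasswd
-rwsr-xr-x root root /usr/bin/lppasswd
-r-sr-xr-x lp sys /usr/bin/lppasswd
EOF
}

sample_listing | classify_listing
```

On an installed system, `check_installed /usr/bin/lppasswd` applies the same classification to the real binary.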