Bugzilla – Bug 887240
VUL-1: CVE-2014-3537 CVE-2014-5029 CVE-2014-5030 CVE-2014-5031: cups: insufficient checking leads to privilege escalation
Last modified: 2017-08-02 15:24:53 UTC
CVE-2014-3537

It was discovered that a local user with privileges of group=lp can write symbolic links in the rss directory and use that to gain '@SYSTEM' group privilege with cupsd.

Permissions:
drwxrwxr-x. 2 root lp 4096 Jul 2 09:58 /var/cache/cups/rss

SELinux mitigates this vulnerability

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1115576
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
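A defender-side check for the two conditions named in the description above (a group-writable rss directory and symbolic links inside it), as an added example that is not part of the original report or of CUPS. The function name `audit_rss_dir` is hypothetical; the directory to audit is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the bug report or from CUPS): audit an RSS cache
# directory for the two conditions the report describes.
# Usage: sh this-script /var/cache/cups/rss   (path as quoted in the report)
# Exit status: 0 = no symlinks, 1 = symlinks present, 2 = directory unusable.
audit_rss_dir() {
    dir=$1
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "ERROR: $dir is not a real directory"
        return 2
    fi

    # Condition 1: the directory itself is group-writable, so any member of
    # the owning group (lp in the report) can create entries in it.
    if [ -n "$(find "$dir" -prune -perm -020 -print)" ]; then
        group=$(ls -ld "$dir" | awk '{print $4}')
        echo "NOTE: $dir is group-writable by group $group"
    fi

    # Condition 2: symbolic links inside the directory. find does not follow
    # links by default, so each link is reported rather than dereferenced.
    count=$(find "$dir" -type l -exec printf '.' \; | wc -c)
    find "$dir" -type l -exec sh -c '
        for link; do
            printf "SYMLINK: %s -> %s\n" "$link" "$(readlink "$link")"
        done' sh {} +

    # Succeed only when no symbolic link was found.
    [ "$((count))" -eq 0 ]
}

# Audit the directory named on the command line, if one was given.
if [ $# -gt 0 ]; then
    audit_rss_dir "$1"
fi
```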
Many thanks for the report!
I really appreciate it!

"user with privileges of group=lp can ... gain '@SYSTEM' group privilege with cupsd"

It nicely proves what I always suspect:

When there is no strict separation between normal user accounts and system user accounts, privilege escalation will be possible for normal users.

Details and references only FYI:

https://bugzilla.novell.com/show_bug.cgi?id=752454#c3
---------------------------------------------------------------------------
... a user who is allowed to set up a print queue (i.e. who must be allowed to provide a PPD file) can provide a PPD file which runs commands as user "lp" ("lp" is used by CUPS to run filters to process print jobs). Therefore for a non-root user who is allowed to provide a PPD file a privilege escalation is possible.
---------------------------------------------------------------------------

https://bugzilla.novell.com/show_bug.cgi?id=789566#c5
---------------------------------------------------------------------------
Many thanks for this example how a user who is allowed to change the cupsd configuration, is basically also allowed to do anything in the system!
---------------------------------------------------------------------------

http://lists.opensuse.org/opensuse-factory/2012-05/msg00784.html
---------------------------------------------------------------------------
I don't think it is possible that the current default borderline between normal user rights and administrator rights can be moved towards more rights for normal users (towards more convenience) and still keep the system secure. I think if a normal user gets particular administrator rights, it basically means in the end that this normal user gets a more or less complicated way to somehow gain full administrator rights.
...
I am not against giving a normal user a particular administrator right but the one who allows it (usually root) must know that this means he must trust the user who gets the particular administrator right.
---------------------------------------------------------------------------

https://bugs.launchpad.net/hplip/+bug/1197416
---------------------------------------------------------------------------
... add my normal user account to the groups 'sys' and 'lp' but I did not request such a change and I would never ever intend such a change because printing (and scanning on HP all-in-one devices) works without adding normal users to any special group ... It is a security issue to add normal users to system groups ... In general I urgently recommend not to lower existing security settings in a Linux system without first explicit information for the admin (i.e. "root") and then explicit confirmation by the admin of the Linux system.
---------------------------------------------------------------------------

https://bugs.launchpad.net/hplip/+bug/1197416/comments/4
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2014-08-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58312
Affected packages: SLE-11-SP3: cups
It seems the current upstream fix in http://www.cups.org/str.php?L4450 is not yet complete, see https://www.cups.org/str.php?L4455
According to https://bugzilla.redhat.com/show_bug.cgi?id=1122600 "CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 cups: Incomplete fix for CVE-2014-3537" it seems Red Hat again created several subsequent CVEs for what is actually one single issue. To avoid the same confusion and trouble as in bnc#871327 https://bugzilla.novell.com/show_bug.cgi?id=871327#c47 I recommend that we also list all those CVEs here (and in the cups package RPM changelog) so that both for us and for our customers who search for fixed CVEs it is obvious that we have all of them fixed.
SUSE-SU-2014:1022-1: An update that fixes four vulnerabilities is now available.

Category: security (low)
Bug References: 887240
CVE References: CVE-2014-3537,CVE-2014-5029,CVE-2014-5030,CVE-2014-5031
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): cups-1.3.9-8.46.52.2
SUSE Linux Enterprise Server 11 SP3 for VMware (src): cups-1.3.9-8.46.52.2
SUSE Linux Enterprise Server 11 SP3 (src): cups-1.3.9-8.46.52.2
SUSE Linux Enterprise Desktop 11 SP3 (src): cups-1.3.9-8.46.52.2
SUSE-SU-2014:1023-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (low)
Bug References: 789566,802408,827109,887240
CVE References: CVE-2014-3537
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src): cups-1.3.9-8.46.52.2
was released
Submitted fixed cups package to OBS devel project "Printing" as OBS submitrequest 247228 and forwarded that to openSUSE:Factory as OBS submitrequest 247229
Above submitrequests will be superseded with additional fix for bnc#892587 a regression of bnc#887240
Submitted fixed cups package to OBS devel project "Printing" as OBS submitrequest 247233 and forwarded that to openSUSE:Factory as OBS submitrequest 247234
This is an autogenerated message for OBS integration: This bug (887240) was mentioned in https://build.opensuse.org/request/show/247234 Factory / cups
I'm afraid that these vulnerabilities, namely, CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, and CVE-2014-5031 affect openSUSE 13.1. Actually, the fixes from the upstream,

https://cups.org/strfiles.php/3363/str4450.patch
https://cups.org/strfiles.php/3371/str4455-1.7.patch

are missing in cups-1.5.4-12.20.1.src.rpm.
fixed in current openSUSE versions