SecurityTracker.com
Category:   Application (Generic)  >   CUPS
Vendors:   Easy Software Products
(Fedora Issues Fix for FC2) CUPS Log Files May Disclose User Passwords to Local Users
SecurityTracker Alert ID:  1011546
SecurityTracker URL:  http://securitytracker.com/id/1011546
CVE Reference:   CVE-2004-0923
Date:  Oct 6 2004
Impact:   Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 1.1.20-11.4
Description:   A vulnerability was reported in CUPS. A local user may be able to view passwords.

Apple reported that a local user may be able to view user passwords (used for authenticating remote print jobs) in the log files for the printing system.

The vendor credits Gary Smith of the IT Services department at Glasgow Caledonian University with reporting this flaw.

[Editor's note: It is not clear if this affects the upstream CUPS version or if it is specific to Apple's configuration.]

Impact:   A local user may be able to view passwords used during printing.
Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


Vendor URL:  www.cups.org/
Cause:   Access control error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC2

Message History:   This archive entry is a follow-up to the message listed below.
Oct 4 2004 CUPS Log Files May Disclose User Passwords to Local Users



 Source Message Contents

Subject:  [SECURITY] Fedora Core 2 Update: cups-1.1.20-11.4



---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-331
2004-10-05
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : cups
Version     : 1.1.20
Release     : 11.4
Summary     : Common Unix Printing System
Description :
The Common UNIX Printing System provides a portable printing layer for
UNIX® operating systems. It has been developed by Easy Software Products
to promote a standard printing solution for all UNIX vendors and users.
CUPS provides the System V and Berkeley command-line interfaces.

---------------------------------------------------------------------
Update Information:

This update fixes an information leakage problem when printing to SMB
shares requiring authentication.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0923
to this issue.

---------------------------------------------------------------------
* Tue Oct 05 2004 Tim Waugh <twaugh@redhat.com> 1:1.1.20-11.4

- Apply patch to fix CAN-2004-0923 (bug #134601).


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

