2024-06-12 23:08:00

by Tavis Ormandy

Subject: [oss-security] Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777

On 2024-06-11, Zdenek Dohnal wrote:
> Impact
>
> Given that cupsd is often running as root, this can result in the change
> of permission of any user or system files to be world writable.
>
>
> https://github.com/OpenPrinting/cups/commit/a436956f3
>

This is a pretty confusing description... if we accept the premise that an
attacker can somehow get root to run cupsd with a modified configuration
file (how???), then this patch doesn't seem sufficient. They can still
get root to unlink() an arbitrary file, no?

I guess someone from CUPS has seen a working Ubuntu exploit that did
this, but this really feels like fixing the bug in the wrong place?

Tavis.

--
_o) $ lynx lock.cmpxchg8b.com
/\\ _o) _o) $ finger [email protected]
_\_V _( ) _( ) @taviso


2024-06-12 23:12:29

by Matthew Fernandez

Subject: Re: [oss-security] Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777



On 6/13/24 08:49, Tavis Ormandy wrote:
> On 2024-06-11, Zdenek Dohnal wrote:
>> Impact
>>
>> Given that cupsd is often running as root, this can result in the change
>> of permission of any user or system files to be world writable.
>>
>>
>> https://github.com/OpenPrinting/cups/commit/a436956f3
>>
>
> This is a pretty confusing description... if we accept the premise that an
> attacker can somehow get root to run cupsd with a modified configuration
> file (how???), then this patch doesn't seem sufficient. They can still
> get root to unlink() an arbitrary file, no?

Also with debug printing enabled `DEBUG_printf` does not
save-and-restore `errno` and then does numerous things that can
overwrite it. So presumably the `errno == ENOENT` branch is not reliable
in this scenario.
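The errno hazard Matthew describes, as an added C example that is not CUPS code: a stand-in logger that clobbers errno makes an `errno == ENOENT` branch after logging unreliable, and two fixed variants either preserve errno inside the logger or capture it before any logging runs. The logger body (a strtol() overflow forcing ERANGE), the function names and the test path are constructed for this illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/stat.h>
/* Stand-in for a debug-print helper that does not preserve errno. The
 * strtol() overflow is a constructed way to force errno = ERANGE, standing
 * in for whatever I/O or formatting a real logging macro performs. */
static void debug_printf_clobbering(const char *msg)
{
    (void)msg;
    (void)strtol("99999999999999999999999999", NULL, 10); /* errno = ERANGE */
}

/* Same helper, but it saves and restores errno around its own work. */
static void debug_printf_preserving(const char *msg)
{
    int saved = errno;
    debug_printf_clobbering(msg);
    errno = saved;
}

/* The fragile pattern: stat() a path, log, then branch on errno. With a
 * clobbering logger the ENOENT test is silently false for a missing path. */
int missing_check_unreliable(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0) return 0;
    debug_printf_clobbering("stat failed");
    return errno == ENOENT;
}

/* Fix 1: the logger preserves errno, so the late check becomes reliable. */
int missing_check_logger_fixed(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0) return 0;
    debug_printf_preserving("stat failed");
    return errno == ENOENT;
}

/* Fix 2: capture errno right after the failing call, before any logging,
 * so the branch does not depend on logger hygiene at all. */
int missing_check_captured(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0) return 0;
    int err = errno;
    debug_printf_clobbering("stat failed");
    return err == ENOENT;
}
```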