To: oss-security@lists.openwall.com
From: Tavis Ormandy
Date: Wed, 12 Jun 2024 22:49:28 -0000 (UTC)
References: <28902b9a-3255-4bfe-a3c8-d0e08fb5f426@redhat.com>
Subject: [oss-security] Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777

On 2024-06-11, Zdenek Dohnal wrote:
> Impact
>
> Given that cupsd is often running as root, this can result in the change
> of permission of any user or system files to be world writable.
>
> https://github.com/OpenPrinting/cups/commit/a436956f3

This is a pretty confusing description... if we accept the premise that an attacker can somehow get root to run cupsd with a modified configuration file (how???), then this patch doesn't seem sufficient. They can still get root to unlink() an arbitrary file, no?

I guess someone from CUPS has seen a working Ubuntu exploit that did this, but this really feels like fixing the bug in the wrong place?

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o) _o)   $ finger taviso@sdf.org
_\_V _( ) _( )  @taviso