DSA 566-1: New CUPS packages fix information leak
Posted on: 10/14/2004 04:24 PM

New CUPS packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 566-1                      security@debian.org
http://www.debian.org/security/                              Martin Schulze
October 14th, 2004                       http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : cupsys
Vulnerability : unsanitised input
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0923
CERT advisory : VU#557062

An information leak has been detected in CUPS, the Common UNIX Printing System, which may lead to the disclosure of sensitive information, such as user names and passwords which are written into log files.

The patch used only removes the authentication information from the device URI that is logged in the error_log file. It does not remove the URI from the environment and process table, which is why the CUPS developers recommend that system administrators do not code authentication information into device URIs in the first place.
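Because the patch covers only the logged URI, it is worth checking for device URIs that carry credentials at all. The following audit sketch is an added example, not part of the advisory or of CUPS: it flags such URIs in printer configuration lines and in existing log lines, and prints them redacted. It assumes device URIs are set with `DeviceURI` directives in CUPS's `printers.conf`; the sample lines are constructed and the log line format is simplified.

```python
import re

# scheme://userinfo@rest ; userinfo may itself contain '@' but never '/'.
CRED_URI = re.compile(r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<userinfo>[^/\s]+)@(?P<rest>\S*)")

def redact(text):
    """Replace the userinfo part of every credential-bearing URI in text."""
    return CRED_URI.sub(lambda m: f"{m['scheme']}://REDACTED@{m['rest']}", text)

def audit_printers_conf(lines):
    """Return (line_no, redacted_uri, has_password) per DeviceURI with userinfo."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0].lower() == "deviceuri":
            match = CRED_URI.search(fields[1])
            if match:
                findings.append((line_no, redact(fields[1].strip()), ":" in match["userinfo"]))
    return findings

def leaked_log_lines(lines):
    """Return (line_no, redacted_line) for log lines that still hold credentials."""
    return [
        (line_no, redact(line.rstrip("\n")))
        for line_no, line in enumerate(lines, 1)
        if CRED_URI.search(line)
    ]

# Constructed sample input (not taken from a real system).
SAMPLE_PRINTERS_CONF = [
    "<Printer frontdesk>",
    "DeviceURI smb://printsvc:S3cret@fileserver/laser1",
    "</Printer>",
    "<Printer lab>",
    "DeviceURI ipp://printhost:631/printers/lab",
    "</Printer>",
]
SAMPLE_ERROR_LOG = [
    "I [14/Oct/2004:10:02:11 +0200] Started backend for job 12",
    "D [14/Oct/2004:10:02:11 +0200] device URI smb://printsvc:S3cret@fileserver/laser1",
]

if __name__ == "__main__":
    for finding in audit_printers_conf(SAMPLE_PRINTERS_CONF):
        print("printers.conf line %d: %s (password present: %s)" % finding)
    for line_no, line in leaked_log_lines(SAMPLE_ERROR_LOG):
        print("error_log line %d: %s" % (line_no, line))
```

Log entries written before the fixed package was installed are not rewritten by the upgrade, so a hit in the log check means the file still holds the credential and the password should be changed.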

For the stable distribution (woody) this problem has been fixed in version 1.1.14-5woody7.

For the unstable distribution (sid) this problem has been fixed in version 1.1.20final+rc1-9.

We recommend that you upgrade your CUPS package.

Upgrade Instructions
---------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
---------------------------------

These files will probably be moved into the stable distribution on its next update.


Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_566_1_new_cups_packages_fix_information_leak.html)