Setuid programs should not be allowed to override default dirs #3482
[Received email directly from reporter...]
From: Ronald Volgers email@example.com
I recently found a security vulnerability in the lppasswd utility which
I'm CC'ing debian security on this as well since I run Debian and have
I will not be publishing this until a fix is released. I'd appreciate it
Please note that I do not have access to an OSX system, so all of my
Hope you find my information of use.
CUPS.org User: mike
[My response to reporter]
FWIW, lppasswd is no longer installed setuid in CUPS 1.4.x and later, making this sort of attack fail out-of-the-box.
For 1.3.x and earlier, plus users that enable the setuid bit on later releases, we can add setuid detection in the cups_env_init function (cups/globals.c) so that the environment variables are not used when the program is run setuid.
--- cups/globals.c (revision 8960)
if ((g->cups_datadir = getenv("CUPS_DATADIR")) == NULL)
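Review bot: The getenv("CUPS_DATADIR") lookup on this line is the value a caller of a setuid binary controls, and the guard that is supposed to skip it is not visible in this fragment. Please confirm this line sits only in the non-setuid branch of cups_env_init, and that the check compares getgid() with getegid() as well as getuid() with geteuid(), so a setgid install is covered too. A one-line comment at the guard saying why the environment is ignored would keep a later cleanup from removing it.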
--- cups/globals.c (revision 8973)
- g->cups_serverbin = CUPS_SERVERBIN;
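Review bot: With the unconditional "g->cups_serverbin = CUPS_SERVERBIN;" removed here, every path through the function has to assign cups_serverbin again, including the setuid path where the environment is skipped; the replacement lines are not shown in this fragment. Please check that no branch can leave the field NULL or holding an environment-supplied value when the real and effective IDs differ.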
--- systemv/lppasswd.c (revision 8973)
- snprintf(passwdnew, sizeof(passwdnew), "%s/passwd.new", root);
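Review bot: The removed snprintf built the passwd.new path from the variable root, and the line that replaces it is not visible here. Since lppasswd writes that file while it may be running setuid, the new path should take its directory from the compiled-in default and never from a value the environment can change; please state that in a comment next to the new path construction.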
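The setuid detection described in the response above, as an added example (not CUPS code and not the patch attached to this issue). The names ids_differ, pick_dir and EXAMPLE_DATADIR, the placeholder path, and the absolute-path check are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Compiled-in default. Constructed placeholder path, not a real CUPS value. */
#define EXAMPLE_DATADIR "/usr/share/example"

/* True when the process runs with IDs it did not start with (setuid or
 * setgid). Takes the IDs as arguments so it can be tested unprivileged. */
static int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
  return (ruid != euid || rgid != egid);
}

/* Return the directory to use: the environment override only when the
 * process is not elevated, otherwise the compiled-in fallback. */
static const char *pick_dir(const char *envname, const char *fallback,
                            int elevated)
{
  const char *value;

  if (elevated)
    return (fallback);              /* never consult the environment */

  value = getenv(envname);

  /* Extra check chosen for this example: unset or relative values are
   * ignored so the result does not depend on the working directory. */
  if (value == NULL || value[0] != '/')
    return (fallback);

  return (value);
}

/* What an initialisation routine would call once at startup. */
static const char *example_datadir(void)
{
  return (pick_dir("EXAMPLE_DATADIR", EXAMPLE_DATADIR,
                   ids_differ(getuid(), geteuid(), getgid(), getegid())));
}

int main(void)
{
  printf("datadir = %s\n", example_datadir());
  return (0);
}
```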