Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
Setuid programs should not be allowed to override default dirs #3482
[Received email directly from reporter...]
From: Ronald Volgers firstname.lastname@example.org
I recently found a security vulnerability in the lppasswd utility which
I'm CC'ing debian security on this as well since I run Debian and have
I will not be publishing this until a fix is released. I'd appreciate it
Please note that I do not have access to an OSX system, so all of my
Hope you find my information of use.
CUPS.org User: mike
[My response to reporter]
FWIW, lppasswd is no longer installed setuid in CUPS 1.4.x and later making this sort of attack fail out-of-the-box.
For 1.3.x and earlier, plus users that enable the setuid bit on later releases, we can add setuid detection in the cups_env_init function (cups/globals.c) so that the environment variables are not used when the program is run setuid.
--- cups/globals.c (revision 8960)
if ((g->cups_datadir = getenv("CUPS_DATADIR")) == NULL)
--- cups/globals.c (revision 8973)
- g->cups_serverbin = CUPS_SERVERBIN;
--- systemv/lppasswd.c (revision 8973)
- snprintf(passwdnew, sizeof(passwdnew), "%s/passwd.new", root);