Device URIs containing username & password end up in error_log #920
Comments
CUPS.org User: mike I'll work up a cleaner patch for this that doesn't add/use another public API. FWIW, only adding/modifying a printer will expose the unsanitized URI with a default configuration. You need to use LogLevel debug to see the StartJob messages, and those values are always available in the process list which is already a documented issue in the Software Security Report documentation, which is why we tell people not to hardcode usernames and passwords in device URIs... Also, we expose Basic passwords (base64 encoded) in the error_log file at LogLevel debug2. Looks like we'll be doing a 1.1.22 release... :(
CUPS.org User: jlovell I've been asked to add "We have proposed to "vendor-sec" a release date of this information to be October 11 at 1.00pm Pacific Time. Please contact product-security@apple.com to confirm this date or if you have any questions." Yes, device URIs are still a problem... Sorry for 1.1.22!
CUPS.org User: mike Do you have an ID number or some other identifier for me to use when I contact them? I think we can do a 1.1.22 release candidate on Tuesday next week, which would mean a final release on the 17th. We won't be treating this as a vulnerability, as the same device URI information has been available via the environment and argv[0] (all visible via the "ps" command) and has been documented for a very long time.
CUPS.org User: jlovell CAN-2004-0923 has been assigned for this issue.
CUPS.org User: jlovell Can you make sure the release candidate information is made available to vendor-sec@lst.de? They are aware of the issue, but since the "official" CUPS changes are going to be different from ours the people are going to need to build/patch from something.
CUPS.org User: mike See my attached patch which does not depend on the new httpSeparate3() API.
CUPS.org User: mike Fixed in CVS - the anonymous CVS repository will be updated at midnight EST.
CUPS.org User: mike New patch which combines the previous patch with a patch from STR #933 which sanitizes the device URI in argv[0] (the environment variable is not sanitized, and will be the only source for authentication information).
"sanitize.patch": Index: client.cRCS file: /home/anoncvs/cups/scheduler/client.c,v
/*
Index: client.hRCS file: /home/anoncvs/cups/scheduler/client.h,v /*
snprintf(path, sizeof(path), "PATH=%s/filter:/bin:/usr/bin", ServerBin); for (i = 0; i < envc; i ++)
current->current_file ++;
Index: printers.cRCS file: /home/anoncvs/cups/scheduler/printers.c,v
"str920.patch": Index: ipp.cRCS file: /development/cvs/cups/scheduler/ipp.c,v
Index: printers.cRCS file: /development/cvs/cups/scheduler/printers.c,v
Index: printers.hRCS file: /development/cvs/cups/scheduler/printers.h,v +extern char *cupsdSanitizeURI(const char *uri, char *buffer,
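Review bot: the `cupsdSanitizeURI` prototype added to printers.h is cut off after `char *buffer,` in this fragment; the declaration needs to carry the destination buffer's length and every caller in ipp.c and printers.c should pass the real size of its buffer, otherwise the sanitized copy trades a credential disclosure for an unchecked write. The header should also state what the function returns when the URI carries no userinfo or when the result does not fit.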
"str_920_933.patch": Index: ipp.cRCS file: /development/cvs/cups/scheduler/ipp.c,v
for (i = 0; i < envc; i ++)
@@ -2013,7 +2018,7 @@
filterfds[slot][0] = -1; Index: printers.cRCS file: /development/cvs/cups/scheduler/printers.c,v
+/*
#ifdef __sgi
+extern char *cupsdSanitizeURI(const char *uri, char *buffer,
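Review bot: as the accompanying comment says, this combined patch sanitizes the device URI placed in argv[0] but intentionally leaves the device URI environment variable untouched, since that is now the only source of authentication information for the backend. Two things follow for the printers.c change: the environment copy must not be passed through `cupsdSanitizeURI` by mistake, or authenticated backends stop working, and the residual exposure through the process environment should be stated in the security documentation next to the existing warning about ps and argv[0].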
Version: 1.1-current
CUPS.org User: jlovell
Device URIs containing username & password end up in error_log.
This was recently reported to us and will be fixed in the next Mac OS X security update, to be released sometime soon.
The attached patch fixes it. Note that this uses the httpSeparate3 patch attached to http://www.cups.org/str.php?L878.
Thanks!
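The fix discussed in this thread replaces the device URI with a copy that has the username and password removed before it reaches error_log or argv[0]. The following is an added illustration in C of that kind of sanitizer; it is not the patch's cupsdSanitizeURI and not CUPS code, and the function name redact_uri_userinfo, its signature and the sample URIs are assumptions made here. It drops the whole userinfo component (username and password), only looks for '@' inside the authority so a path or query that contains '@' is left alone, and refuses to write when the result would not fit the caller's buffer.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not CUPS code: copy a device URI into buffer with the
 * "user:password@" part of its authority removed, so the copy is safe to
 * write to error_log or to expose in argv[0].  The name and signature are
 * assumptions; the real cupsdSanitizeURI from the attached patch may differ.
 *
 * Returns buffer on success, or NULL if the arguments are invalid or the
 * result would not fit in buflen bytes (including the terminating NUL).
 */
char *redact_uri_userinfo(const char *uri, char *buffer, size_t buflen)
{
  const char *scheme_end;     /* position of "://" */
  const char *authority;      /* first byte after "://" */
  const char *authority_end;  /* first '/', '?' or '#' after the authority */
  const char *at;             /* rightmost '@' inside the authority */
  const char *p;
  size_t      prefix_len;     /* length of "scheme://" */
  size_t      suffix_len;     /* length of "host[:port]/rest" */

  if (!uri || !buffer || buflen == 0)
    return NULL;

  scheme_end = strstr(uri, "://");
  if (!scheme_end)
  {
    /* No authority component (e.g. "parallel:/dev/lp0"): nothing to redact */
    if (strlen(uri) >= buflen)
      return NULL;
    strcpy(buffer, uri);
    return buffer;
  }

  authority     = scheme_end + 3;
  authority_end = authority + strcspn(authority, "/?#");

  /* Only an '@' within the authority separates userinfo from the host;
     an '@' that appears later in the path or query must not trigger
     redaction, and the rightmost one wins ("user@domain:pass@host"). */
  at = NULL;
  for (p = authority; p < authority_end; p ++)
    if (*p == '@')
      at = p;

  if (!at)
  {
    if (strlen(uri) >= buflen)
      return NULL;
    strcpy(buffer, uri);
    return buffer;
  }

  prefix_len = (size_t)(authority - uri);
  suffix_len = strlen(at + 1);
  if (prefix_len + suffix_len >= buflen)
    return NULL;                          /* would not fit, write nothing */

  memcpy(buffer, uri, prefix_len);
  memcpy(buffer + prefix_len, at + 1, suffix_len + 1);  /* includes NUL */
  return buffer;
}

int main(void)
{
  /* Constructed sample URIs; the credentials are made up for the demo. */
  const char *samples[] = {
    "smb://user:secret@server/printer",
    "smb://user@domain:secret@server/printer",
    "ipp://localhost/printers/foo",
    "parallel:/dev/lp0",
    "http://host/path?reply=a@b"
  };
  char buffer[128];
  size_t i;

  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i ++)
    printf("%-45s -> %s\n", samples[i],
           redact_uri_userinfo(samples[i], buffer, sizeof(buffer))
             ? buffer : "(does not fit)");
  return 0;
}
```

The result is what a scheduler should log or place in argv[0]; the original, unredacted URI stays only where the backend needs it for authentication, which in the thread above is the environment.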