Bug 163274 - cups location case sensitivity - CAN-2004-2154
Summary: cups location case sensitivity - CAN-2004-2154
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: cups
Version: fc2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard: LEGACY, rhl73, rhl9, 1, 2
Duplicates: 163275
Depends On:
Blocks:
Reported: 2005-07-14 18:21 UTC by Jeff Sheltren
Modified: 2007-04-18 17:29 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-15 02:05:18 UTC



Description Jeff Sheltren 2005-07-14 18:21:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5

Description of problem:
When processing a request, the CUPS scheduler would use case-sensitive
matching on the queue name to decide which authorization policy should be
used. However, queue names are not case-sensitive. An unauthorized user
could print to a password-protected queue without needing a password. The
Common Vulnerabilities and Exposures project has assigned the name
CAN-2005-2154 to this issue. 

See:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162405
and
http://rhn.redhat.com/errata/RHSA-2005-571.html

I am working on updated packages for RH7.3, RH9, FC1 & FC2

Version-Release number of selected component (if applicable):


How reproducible:
Always


Additional info:
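
Added illustration, not part of the original report and not CUPS source or the cups-str700.patch: a minimal C model of the flaw described above, where the authorization lookup compares the request path case-sensitively although queue names are not case-sensitive. The policy table, the function names and the queue name "Samsung" are hypothetical, constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified policy table; constructed sample data. */
struct location { const char *prefix; int auth_required; };
static const struct location policies[] = {
    { "/printers/Samsung", 1 },   /* password-protected queue */
    { "/printers",         0 },   /* other queues: no password */
};
typedef int (*prefix_cmp)(const char *, const char *, size_t);

/* Case-insensitive counterpart of strncmp(), in portable C. */
static int cmp_nocase(const char *a, const char *b, size_t n)
{
    for (; n > 0; a++, b++, n--) {
        int d = tolower((unsigned char)*a) - tolower((unsigned char)*b);
        if (d != 0 || *a == '\0') return d;
    }
    return 0;
}

/* Longest matching location wins; a match must end on a path boundary. */
static int auth_required_for(const char *path, prefix_cmp cmp)
{
    size_t best = 0;
    int required = 0;
    for (size_t i = 0; i < sizeof(policies) / sizeof(policies[0]); i++) {
        size_t len = strlen(policies[i].prefix);
        if (len > best && cmp(path, policies[i].prefix, len) == 0 &&
            (path[len] == '\0' || path[len] == '/')) {
            best = len;
            required = policies[i].auth_required;
        }
    }
    return required;
}

/* Case-sensitive lookup (the reported behaviour), then the case-folding one. */
int policy_case_sensitive(const char *p) { return auth_required_for(p, strncmp); }
int policy_case_insensitive(const char *p) { return auth_required_for(p, cmp_nocase); }

int main(void)
{
    const char *p[] = { "/printers/Samsung", "/printers/sAmSuNg" };
    for (int i = 0; i < 2; i++)
        printf("%s: sensitive=%d insensitive=%d\n", p[i],
               policy_case_sensitive(p[i]), policy_case_insensitive(p[i]));
    return 0;
}
```

With the case-sensitive lookup the mixed-case path falls through to the less specific location and loses the password requirement; the case-folding lookup selects the protected location for every spelling.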

Comment 1 Jeff Sheltren 2005-07-14 18:24:19 UTC
*** Bug 163275 has been marked as a duplicate of this bug. ***

Comment 2 Jeff Sheltren 2005-07-14 18:52:50 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created packages using the cups-str700.patch from RHEL3 package.

RH7.3:
http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.14-15.4.5.legacy.src.rpm
84dac0a7a7fd22931b6af54200c3edd174b36aec  cups-1.1.14-15.4.5.legacy.src.rpm

RH9:
http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.17-13.3.0.14.legacy.src.rpm
bd1e28c25c408603eeb30de759697a514e3ad7a4  cups-1.1.17-13.3.0.14.legacy.src.rpm

FC1:
http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.19-13.9.legacy.src.rpm
0b755ea65898d20d74e53d320d244fde7d92cd69  cups-1.1.19-13.9.legacy.src.rpm

FC2:
http://www.cs.ucsb.edu/~jeff/legacy/cups-1.1.20-11.11.1.legacy.src.rpm
2153b4e79a658c34214a378cf71c8615ef1813df  cups-1.1.20-11.11.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFC1rPXKe7MLJjUbNMRAtD8AKCpJkKidXS0GViSAu2wGSwmmpgwBQCgibJi
HWdlnWeg0oiNfQf0fHNPoLQ=
=YGqY
-----END PGP SIGNATURE-----

Comment 3 Pekka Savola 2005-07-15 12:56:58 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity OK
 - spec file changes minimal
 - patch verified to come from RHEL3

Minor nit: the changelog entries could provide a pointer to this bug number.
This can be fixed at buildtime if needed.

+PUBLISH RHL73, RHL9, FC1, FC2

84dac0a7a7fd22931b6af54200c3edd174b36aec  cups-1.1.14-15.4.5.legacy.src.rpm
bd1e28c25c408603eeb30de759697a514e3ad7a4  cups-1.1.17-13.3.0.14.legacy.src.rpm
0b755ea65898d20d74e53d320d244fde7d92cd69  cups-1.1.19-13.9.legacy.src.rpm
2153b4e79a658c34214a378cf71c8615ef1813df  cups-1.1.20-11.11.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC17KFGHbTkzxSL7QRAsWAAKCbM1LBppBp0bz2gC2uUCp63GDKQwCgvQm6
eDxE1k4yA0EpKVmxJA5Cokw=
=Dni8
-----END PGP SIGNATURE-----


Comment 4 Jeff Sheltren 2005-07-15 13:17:14 UTC
Hi Pekka, thanks for the publish vote.  What do you mean about a pointer to this
bug?  I thought that's what I was doing:

%changelog
* Thu Jul 14 2005 Jeff Sheltren <sheltren@cs.ucsb.edu> 1:1.1.20-11.11.1.legacy
- Fix for CAN-2004-2154 (#163274)   <------ that's the bug #

Comment 5 Pekka Savola 2005-07-15 13:24:46 UTC
Sorry, yes, you're right, and that's OK.  I overlooked it because it was in such
a terse format (which is fine, of course).  I should have looked closer.

Comment 6 Marc Deslauriers 2005-07-16 18:57:45 UTC
Packages were pushed to updates-testing.

Comment 7 Pekka Savola 2005-07-30 06:20:32 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73:
 - signature OK
 - rpm-build-compare.sh filelists OK, only changes to cupsd
 - upgrades OK
 - printing still works

+VERIFY RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC6xveGHbTkzxSL7QRAvlXAKCAaLZSP+OdTzyHeud3DBgw+kbCNQCfV/Rw
WQ4mRbV6cYEubgkbb4i0SrU=
=rp1m
-----END PGP SIGNATURE-----


Comment 8 Jeff Sheltren 2005-08-28 18:49:08 UTC
Timeout was reached on these

Comment 9 David Eisenstein 2005-08-28 20:12:42 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA on Fedora Core 1 cups packages, for bug # 163274:

97265e88f58dde6d0a9956ef9de0fce61c256077
     cups-1.1.19-13.9.legacy.i386.rpm

cb73c7d7e91cff10fab3c11a63dbcb002f1242d9
     cups-devel-1.1.19-13.9.legacy.i386.rpm

d3ae92680bbadfa11ce5f0c92c8243950e92d441
     cups-libs-1.1.19-13.9.legacy.i386.rpm

  *  SHA1SUMs verify from PGP-signed Test Update Notification
  *  rpm --checksig OK on all packages
  *  packages installed (upgraded) fine.  No config files were altered.

  *  running CUPS through its paces via web-browser to http://localhost:631/
     seems to work well.

  *  $ lpr file.txt               \
     $ lpr -P Samsung file.txt     \     All prompt properly for a password
     $ lpr -P sAmSuNg file.txt     /     for an unprivileged account.  Will
     $ lpr -P SaMsUnG file.txt    /      not print without it.

  *  User manpages and documents are accessible,
  *  Does not allow user to manipulate jobs s/he doesn't own.
  *  Seems to print okay, printed Fedora Legacy Test Update Notification 
     2005-163274 just fine.  :-)

  VERIFY++

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDEhorxou1V/j9XZwRAoqWAKDjcpsVHNC2+EnL4wSIYdSADBfMWwCeNXkv
DVvgRWe7AuS+2qnLney0jZo=
=N7B5
-----END PGP SIGNATURE-----


Comment 10 Marc Deslauriers 2005-09-15 02:05:18 UTC
Packages were released.

