[cups-devel] [HIGH] STR #4455: Incomplete fix for CVE-2014-3537 (CVE-2014-5029/5030/5031)

Johannes Meixner noreply at cups.org
Thu Jul 31 04:43:27 PDT 2014



DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR Resolved]

For me it still works to view the error log
via the web interface.

I think this is because (at least for my cups-1.7.4)
by default the files are
 -rw-r--r-- 1 root lp ... access_log
 -rw-r--r-- 1 root lp ... error_log
 -rw-r--r-- 1 root lp ... page_log

I vaguely remember there was a longer time ago some thread
about whether or not world readable error_log is o.k.
from a security point of view and - as far as I remember -
Michael Sweet's response was that with default cupsd LogLevel
no security relevant information is logged in error_log.

Link: https://www.cups.org/str.php?L4455
Version: 1.7.4
Fix Version: 2.0-current (r12055)