oss-sec mailing list archives

Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777


From: Tavis Ormandy <taviso () gmail com>
Date: Wed, 12 Jun 2024 22:49:28 -0000 (UTC)

On 2024-06-11, Zdenek Dohnal wrote:
Impact

Given that cupsd is often running as root, this can result in the change 
of permission of any user or system files to be world writable.


https://github.com/OpenPrinting/cups/commit/a436956f3


This is a pretty confusing description... if we accept the premise that an
attacker can somehow get root to run cupsd with a modified configuration
file (how???), then this patch doesn't seem sufficient. They can still
get root to unlink() an arbitrary file, no?

I guess someone from CUPS has seen a working Ubuntu exploit that did
this, but this really feels like fixing the bug in the wrong place?

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso () sdf org
_\_V _( ) _( )  @taviso

