oss-sec mailing list archives
Re: Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
From: Matthew Fernandez <matthew.fernandez () gmail com>
Date: Thu, 13 Jun 2024 09:12:02 +1000
On 6/13/24 08:49, Tavis Ormandy wrote:
On 2024-06-11, Zdenek Dohnal wrote:???????? Impact Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. https://github.com/OpenPrinting/cups/commit/a436956f3This is a pretty confusing description... if we accept the premise that an attacker can somehow get root to run cupsd with a modified configuration file (how???), then this patch doesn't seem sufficient. They can still get root to unlink() an arbitrary file, no?
Also with debug printing enabled `DEBUG_printf` does not save-and-restore `errno` and then does numerous things that can overwrite it. So presumably the `errno == ENOENT` branch is not reliable in this scenario.
Current thread:
- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Zdenek Dohnal (Jun 11)
- Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Tavis Ormandy (Jun 12)
- Re: Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Matthew Fernandez (Jun 12)
- Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Tavis Ormandy (Jun 12)