Bug 924208 (CVE-2015-1158) - VUL-0: CVE-2015-1158 CVE-2015-1159: cups: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (plus weird ld.so interaction)
Summary: VUL-0: CVE-2015-1158 CVE-2015-1159: cups: privilege escalation via cross-site...
Status: RESOLVED FIXED
Alias: CVE-2015-1158
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: All SUSE Other
: P2 - High : Critical
Target Milestone: ---
Deadline: 2015-05-29
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://www.cups.org/str.php?L4609
Whiteboard: maint:released:sle10-sp3:61822
Keywords:
Depends on:
Blocks: 969192
  Show dependency treegraph
 
Reported: 2015-03-25 09:55 UTC by Marcus Meissner
Modified: 2016-03-02 17:55 UTC (History)
7 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 56 Swamp Workflow Management 2015-06-08 13:05:05 UTC 
SUSE-SU-2015:1011-1: An update that contains security fixes can now be installed.

Category: security (critical)
Bug References: 924208
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    cups-1.3.9-8.46.56.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    cups-1.3.9-8.46.56.1
SUSE Linux Enterprise Server 11 SP3 (src):    cups-1.3.9-8.46.56.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    cups-1.3.9-8.46.56.1
Comment 60 Marcus Meissner 2015-06-09 08:00:33 UTC 
can you mail the CVE ids to Michael Sweet so he can include them in the pages?
Comment 62 Johannes Meixner 2015-06-09 08:51:10 UTC 
Regarding comment#60

I added to
https://www.cups.org/str.php?L4609
=============================================================================
FYI:

Meanwhile the SUSE security team got the following info from CERT
(excerpt):
----------------------------------------------------------------------
Furthermore, CVE IDs have been assigned as follows:

* Improper Update of Reference Count -- CVE-2015-1158
* Cross-Site Scripting -- CVE-2015-1159
----------------------------------------------------------------------

Perhaps you may like to add the CVEs to change logs and/or
to whatever other places where users may look for them.
=============================================================================
Comment 63 Johannes Meixner 2015-06-09 09:12:41 UTC 
I submitted CUPS version upgrade to 2.0.3
to "Printing" via OBS submitrequest 311253 and forwarded it
to "openSUSE:Factory" via OBS request 311257.
Comment 64 Marcus Meissner 2015-06-09 09:20:15 UTC 
making bug public.

https://www.cups.org/str.php?L4609

http://www.cups.org/software.php CUPS 2.0.3 announcement
Comment 65 Bernhard Wiedemann 2015-06-09 10:00:10 UTC 
This is an autogenerated message for OBS integration:
This bug (924208) was mentioned in
https://build.opensuse.org/request/show/311257 Factory / cups
Comment 66 Johannes Meixner 2015-06-09 11:40:49 UTC 
Submitted fixed cups packages for openSUSE 13.2 and 13.1:

----------------------------------------------------------------------------
$ osc maintained cups
openSUSE:13.1:Update/cups
openSUSE:13.2:Update/cups

$ osc maintenancerequest -m 'VUL-0 cups privilege escalation fix
 (CUPS STR#4609 CERT-VU-810572 CVE-2015-1158 CVE-2015-1159 bsc#924208)'
 home:jsmeix:branches:openSUSE:13.2:Update cups.openSUSE_13.2_Update
 openSUSE:13.2:Update
Using target project 'openSUSE:Maintenance'
311294

$ osc maintenancerequest -m 'VUL-0 cups privilege escalation fix
 (CUPS STR#4609 CERT-VU-810572 CVE-2015-1158 CVE-2015-1159 bsc#924208)'
 home:jsmeix:branches:openSUSE:13.1:Update cups.openSUSE_13.1_Update
 openSUSE:13.1:Update
Using target project 'openSUSE:Maintenance'
311297
----------------------------------------------------------------------------
Comment 68 Johannes Meixner 2015-06-09 11:52:36 UTC 
As far as I see there are now fixed cups packages
submitted to all maintained SUSE products
so that the issue is fixed from my point of view.
Comment 69 Johannes Meixner 2015-06-09 11:54:28 UTC 
As usual I reopen the issue and re-assign it to security-team
for further processing and releasing the fixed cups packages.
Comment 70 Bernhard Wiedemann 2015-06-09 12:00:11 UTC 
This is an autogenerated message for OBS integration:
This bug (924208) was mentioned in
https://build.opensuse.org/request/show/311294 13.2 / cups
https://build.opensuse.org/request/show/311297 13.1 / cups
Comment 72 Johannes Meixner 2015-06-10 10:33:19 UTC 
Also public on CERT:
https://www.kb.cert.org/vuls/id/810572
Comment 73 Johannes Meixner 2015-06-10 10:37:41 UTC 
Security team,
do we provide information to CERT regarding openSUSE and SUSE?

Cf.
https://www.kb.cert.org/vuls/id/BLUU-9WBP6H
https://www.kb.cert.org/vuls/id/BLUU-9WBP77
Comment 74 Andreas Stieger 2015-06-10 14:02:45 UTC 
(In reply to Johannes Meixner from comment #73)
> Security team,
> do we provide information to CERT regarding openSUSE and SUSE?
> 
> Cf.
> https://www.kb.cert.org/vuls/id/BLUU-9WBP6H
> https://www.kb.cert.org/vuls/id/BLUU-9WBP77

Yes, I notified them.
Comment 75 Swamp Workflow Management 2015-06-11 15:05:16 UTC 
SUSE-SU-2015:1041-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 924208
CVE References: CVE-2012-5519,CVE-2015-1158,CVE-2015-1159
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    cups-1.7.5-9.1
SUSE Linux Enterprise Server 12 (src):    cups-1.7.5-9.1
SUSE Linux Enterprise Desktop 12 (src):    cups-1.7.5-9.1
Comment 76 Swamp Workflow Management 2015-06-11 17:05:07 UTC 
SUSE-SU-2015:1044-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 924208
CVE References: CVE-2012-5519,CVE-2015-1158,CVE-2015-1159
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src):    cups154-1.5.4-9.1
Comment 77 Swamp Workflow Management 2015-06-11 18:06:31 UTC 
SUSE-SU-2015:1044-2: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 924208
CVE References: CVE-2012-5519,CVE-2015-1158,CVE-2015-1159
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src):    cups154-1.5.4-9.1
Comment 78 Andreas Stieger 2015-06-12 18:43:15 UTC 
all released
Comment 79 Swamp Workflow Management 2015-06-12 19:05:16 UTC 
openSUSE-SU-2015:1056-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 924208
CVE References: CVE-2012-5519,CVE-2015-1158,CVE-2015-1159
Sources used:
openSUSE 13.2 (src):    cups-1.5.4-21.9.1
openSUSE 13.1 (src):    cups-1.5.4-12.20.1
Comment 80 Marcus Meissner 2015-08-12 15:25:39 UTC 
The SLE11 patch contains the reference fix for "job-originating-host-name", aka
the CVE-2015-1158 fix.

The SLE10 patch also contains the fix to avoid freeing more than one attribute of job-originatiung-host-name, e.g. also a fix for CVE-2015-1158.