Bug 924208 (CVE-2015-1158) - VUL-0: CVE-2015-1158 CVE-2015-1159: cups: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (plus weird ld.so interaction)
Summary: VUL-0: CVE-2015-1158 CVE-2015-1159: cups: privilege escalation via cross-site...
Status: RESOLVED FIXED
Alias: CVE-2015-1158
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All SUSE Other
Priority: P2 - High
Severity: Critical
Target Milestone: ---
Deadline: 2015-05-29
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://www.cups.org/str.php?L4609
Whiteboard: maint:released:sle10-sp3:61822
Blocks: 969192
Reported: 2015-03-25 09:55 UTC by Marcus Meissner
Modified: 2016-03-02 17:55 UTC
Comment 56 Swamp Workflow Management 2015-06-08 13:05:05 UTC
SUSE-SU-2015:1011-1: An update that contains security fixes can now be installed.

Category: security (critical)
Bug References: 924208
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    cups-1.3.9-8.46.56.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    cups-1.3.9-8.46.56.1
SUSE Linux Enterprise Server 11 SP3 (src):    cups-1.3.9-8.46.56.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    cups-1.3.9-8.46.56.1
Comment 60 Marcus Meissner 2015-06-09 08:00:33 UTC
can you mail the CVE ids to Michael Sweet so he can include them in the pages?
Comment 62 Johannes Meixner 2015-06-09 08:51:10 UTC
Regarding comment#60

I added to
https://www.cups.org/str.php?L4609
=============================================================================
FYI:

Meanwhile the SUSE security team got the following info from CERT
(excerpt):
----------------------------------------------------------------------
Furthermore, CVE IDs have been assigned as follows:

* Improper Update of Reference Count -- CVE-2015-1158
* Cross-Site Scripting -- CVE-2015-1159
----------------------------------------------------------------------

Perhaps you may like to add the CVEs to change logs and/or
to whatever other places where users may look for them.
=============================================================================
Comment 63 Johannes Meixner 2015-06-09 09:12:41 UTC
I submitted CUPS version upgrade to 2.0.3
to "Printing" via OBS submitrequest 311253 and forwarded it
to "openSUSE:Factory" via OBS request 311257.
Comment 64 Marcus Meissner 2015-06-09 09:20:15 UTC
making bug public.

https://www.cups.org/str.php?L4609

http://www.cups.org/software.php CUPS 2.0.3 announcement
Comment 65 Bernhard Wiedemann 2015-06-09 10:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (924208) was mentioned in
https://build.opensuse.org/request/show/311257 Factory / cups
Comment 66 Johannes Meixner 2015-06-09 11:40:49 UTC
Submitted fixed cups packages for openSUSE 13.2 and 13.1:

----------------------------------------------------------------------------
$ osc maintained cups
openSUSE:13.1:Update/cups
openSUSE:13.2:Update/cups

$ osc maintenancerequest -m 'VUL-0 cups privilege escalation fix
 (CUPS STR#4609 CERT-VU-810572 CVE-2015-1158 CVE-2015-1159 bsc#924208)'
 home:jsmeix:branches:openSUSE:13.2:Update cups.openSUSE_13.2_Update
 openSUSE:13.2:Update
Using target project 'openSUSE:Maintenance'
311294

$ osc maintenancerequest -m 'VUL-0 cups privilege escalation fix
 (CUPS STR#4609 CERT-VU-810572 CVE-2015-1158 CVE-2015-1159 bsc#924208)'
 home:jsmeix:branches:openSUSE:13.1:Update cups.openSUSE_13.1_Update
 openSUSE:13.1:Update
Using target project 'openSUSE:Maintenance'
311297
----------------------------------------------------------------------------
Comment 68 Johannes Meixner 2015-06-09 11:52:36 UTC
As far as I see there are now fixed cups packages
submitted to all maintained SUSE products
so that the issue is fixed from my point of view.
Comment 69 Johannes Meixner 2015-06-09 11:54:28 UTC
As usual I reopen the issue and re-assign it to security-team
for further processing and releasing the fixed cups packages.
Comment 70 Bernhard Wiedemann 2015-06-09 12:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (924208) was mentioned in
https://build.opensuse.org/request/show/311294 13.2 / cups
https://build.opensuse.org/request/show/311297 13.1 / cups
Comment 72 Johannes Meixner 2015-06-10 10:33:19 UTC
Also public on CERT:
https://www.kb.cert.org/vuls/id/810572
Comment 73 Johannes Meixner 2015-06-10 10:37:41 UTC
Security team,
do we provide information to CERT regarding openSUSE and SUSE?

Cf.
https://www.kb.cert.org/vuls/id/BLUU-9WBP6H
https://www.kb.cert.org/vuls/id/BLUU-9WBP77
Comment 74 Andreas Stieger 2015-06-10 14:02:45 UTC
(In reply to Johannes Meixner from comment #73)
> Security team,
> do we provide information to CERT regarding openSUSE and SUSE?
> 
> Cf.
> https://www.kb.cert.org/vuls/id/BLUU-9WBP6H
> https://www.kb.cert.org/vuls/id/BLUU-9WBP77

Yes, I notified them.
Comment 75 Swamp Workflow Management 2015-06-11 15:05:16 UTC
SUSE-SU-2015:1041-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 924208
CVE References: CVE-2012-5519,CVE-2015-1158,CVE-2015-1159
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    cups-1.7.5-9.1
SUSE Linux Enterprise Server 12 (src):    cups-1.7.5-9.1
SUSE Linux Enterprise Desktop 12 (src):    cups-1.7.5-9.1
Comment 76 Swamp Workflow Management 2015-06-11 17:05:07 UTC
SUSE-SU-2015:1044-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 924208
CVE References: CVE-2012-5519,CVE-2015-1158,CVE-2015-1159
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src):    cups154-1.5.4-9.1
Comment 77 Swamp Workflow Management 2015-06-11 18:06:31 UTC
SUSE-SU-2015:1044-2: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 924208
CVE References: CVE-2012-5519,CVE-2015-1158,CVE-2015-1159
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src):    cups154-1.5.4-9.1
Comment 78 Andreas Stieger 2015-06-12 18:43:15 UTC
all released
Comment 79 Swamp Workflow Management 2015-06-12 19:05:16 UTC
openSUSE-SU-2015:1056-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 924208
CVE References: CVE-2012-5519,CVE-2015-1158,CVE-2015-1159
Sources used:
openSUSE 13.2 (src):    cups-1.5.4-21.9.1
openSUSE 13.1 (src):    cups-1.5.4-12.20.1
Comment 80 Marcus Meissner 2015-08-12 15:25:39 UTC
The SLE11 patch contains the reference fix for "job-originating-host-name", aka
the CVE-2015-1158 fix.

The SLE10 patch also contains the fix to avoid freeing more than one attribute of job-originating-host-name, e.g. also a fix for CVE-2015-1158.