Debian Security Advisory
cupsys -- remote misuse of printer
- Date Reported: 19 Nov 2000
- Affected Packages: cupsys, cupsys-bsd, libcupsys1, libcupsys1-dev
- Vulnerable: Yes
- Security database references: No other external database security references currently available.
- More information:
Mandrake has recently released a security advisory against CUPS raising two issues:
- CUPS sends broadcast packets, which can keep dial-on-demand lines up and otherwise irritate network administrators.
- CUPS has a rather vague problem to the effect of "everyone on the Internet can get to your printers".
The first problem is not a problem either in Debian's potato (2.2) or woody (unstable). Our cupsys packages are shipped with browsing turned off by default.
The second problem has to do with CUPS's configuration. CUPS does access control in a similar way to Apache, and is configured by default in a similar way to Apache. This isn't terribly appropriate in the case of allowing people to attach to printers. Administrative tasks still aren't allowed, but Internet users could (for example) run all the paper out of your printer. Debian as shipped in potato and woody is vulnerable to this latter problem.
The fix is simply to configure access control to reflect your real wishes, which is done in /etc/cups/cupsd.conf. This can be done with the current packages (in both potato and woody).
This has been fixed in version 1.0.4-8 (or 1.1.4-2 for unstable) and we recommend that you upgrade your cupsys packages immediately.
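An added example (not part of the advisory or the cupsys packages): a heuristic check that lists the `<Location>` blocks of a cupsd.conf that admit every host. Both sample configurations are constructed, and the check assumes Apache-style `Allow From` / `Deny From` lines; it does not reproduce cupsd's own rule evaluation.

```python
import re

# Constructed sample (not Debian's shipped file): root location open to all hosts.
OPEN_CONF = """\
<Location />
Order Deny,Allow
Allow From All
</Location>
<Location /admin>
AuthType Basic
AuthClass System
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Location>
"""

# Constructed sample: printing limited to the local host.
RESTRICTED_CONF = """\
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.I | re.S)
RULE_RE = re.compile(r"^\s*(Allow|Deny)\s+From\s+(\S+)", re.I | re.M)

def audit(conf_text):
    """Return {location: reason} for blocks that place no limit on client hosts."""
    # Drop comment lines first so commented-out rules are not counted.
    text = re.sub(r"^\s*#.*$", "", conf_text, flags=re.M)
    findings = {}
    for path, body in LOCATION_RE.findall(text):
        rules = [(k.lower(), src.lower()) for k, src in RULE_RE.findall(body)]
        if ("allow", "all") in rules:
            findings[path.strip()] = "Allow From All"
        elif not rules:
            findings[path.strip()] = "no Allow/Deny rules"
    return findings

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        print(name, audit(conf))
```

To check a real system, pass the contents of /etc/cups/cupsd.conf to `audit()`; an empty result means no block matched the heuristic, not that the policy is correct.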
- Fixed in: Debian 2.2 (potato)
- Source:
http://security.debian.org/dists/stable/updates/main/source/cupsys_1.0.4-8.diff.gz
http://security.debian.org/dists/stable/updates/main/source/cupsys_1.0.4-8.dsc
http://security.debian.org/dists/stable/updates/main/source/cupsys_1.0.4.orig.tar.gz
- alpha:
http://security.debian.org/dists/stable/updates/main/binary-alpha/cupsys-bsd_1.0.4-8_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/cupsys_1.0.4-8_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libcupsys1-dev_1.0.4-8_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libcupsys1_1.0.4-8_alpha.deb
- i386:
http://security.debian.org/dists/stable/updates/main/binary-i386/cupsys-bsd_1.0.4-8_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/cupsys_1.0.4-8_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libcupsys1-dev_1.0.4-8_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libcupsys1_1.0.4-8_i386.deb
- m68k:
http://security.debian.org/dists/stable/updates/main/binary-m68k/cupsys-bsd_1.0.4-8_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/cupsys_1.0.4-8_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libcupsys1-dev_1.0.4-8_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libcupsys1_1.0.4-8_m68k.deb
- powerpc:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cupsys-bsd_1.0.4-8_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cupsys_1.0.4-8_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libcupsys1-dev_1.0.4-8_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libcupsys1_1.0.4-8_powerpc.deb
- sparc:
http://security.debian.org/dists/stable/updates/main/binary-sparc/cupsys-bsd_1.0.4-8_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/cupsys_1.0.4-8_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libcupsys1-dev_1.0.4-8_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libcupsys1_1.0.4-8_sparc.deb