Accepting request 889938 from home:jsmeix:branches:Printing

Fixed CVE-2021-25317 (bsc#1184161) OBS-URL: https://build.opensuse.org/request/show/889938 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=375
2021-05-03 08:34:56 +00:00
parent 5df04109a3
commit a7fdee7896
2 changed files with 47 additions and 3 deletions
--- a/cups.changes
+++ b/cups.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon May  3 09:57:33 CEST 2021 - jsmeix@suse.de
+
+- When cupsd creates directories with specific owner group
+  and permissions (usually owner is 'root' and group matches
+  "configure --with-cups-group=lp") specify same owner group and
+  permissions in the RPM spec file to ensure those directories
+  are installed by RPM with the right settings because if those
+  directories were installed by RPM with different settings then
+  cupsd would use them as is and not adjust its specific owner
+  group and permissions which could lead to privilege escalation
+  from 'lp' user to 'root' via symlink attacks e.g. if owner is
+  falsely 'lp' instead of 'root' CVE-2021-25317 (bsc#1184161)
+
 -------------------------------------------------------------------
 Tue Apr 20 10:57:45 CEST 2021 - jsmeix@suse.de