Accepting request 222281 from home:jsmeix:branches:Printing

CUPS security fix for CVE-2012-5519 to have better default protection against misuse of CUPS admin privileges (bnc#789566) plus clean up of cups.spec by having strictly separated sections how cupsd is launched (either via SysVinit or via systemd) OBS-URL: https://build.opensuse.org/request/show/222281 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=276
2014-02-14 08:37:00 +00:00
parent 29e44712ee
commit ad3ceda791
3 changed files with 586 additions and 62 deletions
--- a/cups.changes
+++ b/cups.changes
@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Wed Feb 12 11:53:45 CET 2014 - jsmeix@suse.de
+
+- Added Begin/End comments in scriptlets for RPM macros 
+  so that it is easier to see in the "rpm -q --scripts cups"
+  output what each RPM macro actually does.
+
+-------------------------------------------------------------------
+Wed Feb 12 10:30:42 CET 2014 - jsmeix@suse.de
+
+- Clean up how cupsd is launched (via SysVinit or systemd)
+  by maintaining strictly separated sections in cups.spec:
+  Either for launching cupsd via systemd (if have_systemd is set)
+  or for launching cupsd via SysVinit (if have_systemd is not set).
+  SysVinit support cannot be removed because CUPS 1.5.4
+  is provided for SLE11 in the OBS devel project "Printing".
+
+-------------------------------------------------------------------
+Wed Feb  5 14:04:42 CET 2014 - jsmeix@suse.de
+
+- cups-1.5.4-CVE-2012-5519.patch adds better default protection
+  against misuse of privileges by normal users who have been
+  specifically allowed by root to do cupsd configuration changes
+  (CUPS STR#4223 CVE-2012-5519 Novell/Suse Bugzilla bnc#789566).
+  The new ConfigurationChangeRestriction cupsd.conf directive
+  specifies the level of restriction for cupsd.conf changes
+  that happen via HTTP/IPP requests to the running cupsd
+  (e.g. via CUPS web interface or via the cupsctl command).
+  By default certain cupsd.conf directives that deal with
+  filenames, paths, and users can no longer be changed via
+  requests to the running cupsd but only by manual editing
+  the cupsd.conf file and its default file permissions
+  permit only root to write the cupsd.conf file.
+  Those directives are: ConfigurationChangeRestriction,
+  AccessLog, BrowseLDAPCACertFile, CacheDir, ConfigFilePerm,
+  DataDir, DocumentRoot, ErrorLog, FatalErrors, FileDevice,
+  FontPath, Group, JobPrivateAccess, JobPrivateValues,
+  LogFilePerm, PageLog, Printcap, PrintcapFormat, PrintcapGUI,
+  RemoteRoot, RequestRoot, ServerBin, ServerCertificate,
+  ServerKey, ServerRoot, StateDir, SubscriptionPrivateAccess,
+  SubscriptionPrivateValues, SystemGroup, SystemGroupAuthKey,
+  TempDir, User, WebInterface.
+- The default group of users who are allowed to do cupsd
+  configuration changes via requests to the running cupsd
+  (i.e. the SystemGroup directive in cupsd.conf) is set
+  to 'root' only.
+- In this context a general security advice:
+  When root allows normal users to do system administration tasks
+  (in particular when root allows normal users to administer
+  system processes - i.e. processes that run as root), then
+  this or that kind of privilege escalation will be possible.
+  Only trustworthy users who do not misuse their privileges
+  may get allowed to do specific system administration tasks.
+
 -------------------------------------------------------------------
 Wed Jan 29 14:27:52 CET 2014 - jsmeix@suse.de