
Bug#1052419: cups-daemon: NEWS.Debian is only tech-gibberish


IOhannes m zmoelnig

Sep 21, 2023, 1:40:04 PM
Package: cups-daemon
Version: 2.4.2-6
Followup-For: Bug #1052419

Just as a follow-up: after double-checking my cupsd.conf file, I see that
the <Limit CUPS-Get-Document/> section is present multiple times in the
document, once each in the "default", "authenticated" and "kerberos" Policy
sections.
I assume that the patch needs to be applied to the "default" policy, as for the
other policies there is already an AuthType defined.

Is this correct?
(The nature of a patch file does not make this obvious.)
This ought to be documented as well.

And since I'm pretty sure that I've never touched this file myself (at least
etckeeper shows that it was only ever changed when I installed cups-daemon 1½
years ago), I wonder why there was no dialog showing me the differences between
the files.


cheers

IOhannes m zmoelnig

Sep 21, 2023, 1:40:04 PM
Package: cups-daemon
Version: 2.4.2-6
Severity: normal

Dear Maintainer,

While doing a routine update on my Debian/sid laptop today, I was greeted with
the following:

> cups (2.4.2-6) unstable; urgency=low
>
> In case this is not a fresh installation of cups, please double check
> whether your cupsd.conf really does contain the limitiation for
> "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)
>
> -- Thorsten Alteholz <deb...@alteholz.de> Tue, 19 Sep 2023 21:20:27 +0200

wth?

NEWS.Debian is a user-facing interface for telling them important news.
(That's why they are shown in the first place.)
As such, I think that the users ought to understand what this means.
I'm fine with the first two lines, but then it goes downhill.
Which "limitation of CUPS-Get-Document"? Which patch?

I think we cannot expect our users to do an 'apt-get source cupsd' to hunt down a
patchfile and then understand the implications of what it does.
Even if they are smart enough to just head over to
<https://salsa.debian.org/printing-team/cups/-/blob/605d5df62adecb8941b9b3b25d5b0e92c0df752e/debian/patches/0015-CVE-2023-32360.patch>
to inspect the patch, and then infer from the subject of the patch that they
might also hunt down CVE-2023-32360 to see what this is all about.

*maybe* (but hey, I know that this is hard to write) something like this is better:
> This release addresses a security issue (CVE-2023-32360) which allows
> unauthorized users to fetch documents over local or remote networks.
> Since this is a configuration fix, it might be that it does not reach you if you
> are updating 'cups-daemon' (rather than doing a fresh installation).
> Please double check your /etc/cups/cupsd.conf file, whether it limits the access
> to CUPS-Get-Document with something like the following
> > <Limit CUPS-Get-Document>
> > AuthType Default
> > Require user @OWNER @SYSTEM
> > Order deny,allow
> > </Limit>
> (The important line is the 'AuthType Default' in this section)


(sidenote: since the NEWS.Debian file is shown only on upgrade, I think it is
safe to assume that "this is not a fresh installation of cups".)

Thanks for maintaining cups, probably one of the most installed packages
(outside of essential) in Debian (that's why I think it is even more important
to get the NEWS right)

cheers


-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-daemon depends on:
ii adduser 3.137
ii bc 1.07.1-3+b1
ii init-system-helpers 1.65.2
ii libavahi-client3 0.8-11
ii libavahi-common3 0.8-11
ii libc6 2.37-10
ii libcups2 2.4.2-6
ii libdbus-1-3 1.14.10-1
ii libgssapi-krb5-2 1.20.1-4
ii libpam0g 1.5.2-7
ii libpaper1 1.1.29
ii libsystemd0 254.4-1
ii procps 2:4.0.3-1
ii ssl-cert 1.1.2
ii sysvinit-utils [lsb-base] 3.08-1

Versions of packages cups-daemon recommends:
ii avahi-daemon 0.8-11
ii colord 1.4.6-3
ii cups-browsed 1.28.17-3
ii ipp-usb 0.9.23-1+b6

Versions of packages cups-daemon suggests:
ii cups 2.4.2-6
ii cups-bsd 2.4.2-6
ii cups-client 2.4.2-6
ii cups-common 2.4.2-6
ii cups-filters 1.28.17-3
pn cups-pdf <none>
ii cups-ppdc 2.4.2-6
ii cups-server-common 2.4.2-6
ii foomatic-db-compressed-ppds [foomatic-db] 20230202-1
ii ghostscript 10.02.0~dfsg-2
ii poppler-utils 22.12.0-2+b1
pn smbclient <none>
ii udev 254.4-1

-- no debconf information

Andres Salomon

Oct 2, 2023, 12:30:06 AM
It is confusing. Given that the vast majority of people don't touch cupsd.conf, maybe the NEWS entry should say something like the following?

"If you've never touched cupsd.conf and are unsure what to do, it's probably safest to simply run the following commands:
sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf-bak; sudo cp  /usr/share/cups/cupsd.conf.default /etc/cups/cupsd.conf

In case printing stops working after making that change, you can restore the old configuration file. However, note that restoring the old config will reintroduce the security hole. Do the configuration file restoration by running:
sudo mv /etc/cups/cupsd.conf-bak /etc/cups/cupsd.conf
"


Or even better, have a cups.postinst that checks /etc/cups/cupsd.conf's md5sum == 758e3a2fb820f5cfb8aed788f2c8f353, and if so automatically copy over that cupsd.conf.default config and restart cupsd. I just checked two machines (sid and bookworm) and my untouched cupsd.conf matches that checksum on both.
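An added example, not code from this bug report, the cups package or Debian, that turns the two suggestions in this thread into something runnable. The first function answers the follow-up's question per Policy: for each <Policy> section of a cupsd.conf it finds the <Limit> governing CUPS-Get-Document (the block naming the operation, else <Limit All>) and reports whether that block carries an AuthType, the line the report calls "the important line". It only reads AuthType lines inside the <Limit>, so a policy that relies on anything else is reported as unprotected. The second function is Andres Salomon's checksum-gated replacement; the expected md5 and the paths are arguments, nothing is hard-coded. Function names, the argument conventions and both sample configs are assumptions made for this demo; the samples are constructed and are not copies of the shipped cupsd.conf.

```shell
#!/bin/sh
# Added example, not code from this bug report, the cups package or Debian.
# check_cups_get_document: per <Policy>, does the <Limit> that governs
# CUPS-Get-Document set an AuthType? Only AuthType lines inside that <Limit>
# count. replace_if_untouched: back up and replace a cupsd.conf that still has
# its install-time checksum. Sample configs below are constructed for the demo.

# check_cups_get_document FILE   ("-" reads stdin)
# Prints one line per policy; returns 0 only if every policy authenticates
# CUPS-Get-Document, 1 otherwise.
check_cups_get_document() {
    awk '
        BEGIN { bad = 0; npol = 0 }
        /^[ \t]*<Policy[ \t]/ {
            policy = $2; sub(/>.*$/, "", policy); npol++
            named = 0; weak = 0; nauth = ""; all = 0; aauth = ""; next
        }
        policy != "" && /^[ \t]*<Limit[ \t]/ {
            inlimit = 1; lauth = ""; kind = 0
            if ($0 ~ /[ \t]CUPS-Get-Document[ \t>]/) kind = 1   # names the operation
            else if ($0 ~ /<Limit[ \t]+All[ \t]*>/) kind = 2    # catch-all for unlisted ops
            next
        }
        inlimit && /^[ \t]*AuthType[ \t]/ { lauth = $2; next }
        inlimit && /^[ \t]*<\/Limit>/ {
            # fail closed: one <Limit> naming the op without AuthType flags the policy
            if (kind == 1) { named++; if (lauth == "") weak = 1; else nauth = lauth }
            if (kind == 2) { all = 1; aauth = lauth }
            inlimit = 0; next
        }
        policy != "" && /^[ \t]*<\/Policy>/ {
            how = ""; auth = ""
            if (named) { how = (named > 1) ? named " <Limit> blocks naming it" : "<Limit ... CUPS-Get-Document>"; if (!weak) auth = nauth }
            else if (all) { how = "<Limit All>"; auth = aauth }
            if (how == "")       printf "%s: CUPS-Get-Document is not covered by any <Limit>\n", policy
            else if (auth == "") printf "%s: %s has no AuthType, documents can be fetched unauthenticated\n", policy, how
            else                 printf "%s: %s requires AuthType %s\n", policy, how, auth
            if (auth == "") bad = 1
            policy = ""; next
        }
        END {
            if (npol == 0) { print "no <Policy> sections found"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# replace_if_untouched FILE EXPECTED_MD5 DEFAULT
# Only when FILE still has the md5 it was installed with (EXPECTED_MD5 comes from
# the caller) keep a copy as FILE-bak and put DEFAULT in its place.
# Returns 0 if replaced, 1 if left alone because it was edited locally.
replace_if_untouched() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        echo "$1: locally modified (md5 $actual), not replacing it" >&2
        return 1
    fi
    cp -p "$1" "$1-bak" && cp "$3" "$1"
}

# Constructed sample: "default" lists CUPS-Get-Document in a job <Limit> with only
# "Require user", i.e. no authentication; "authenticated" has AuthType in that block.
sample_vulnerable_conf() {
    cat <<'EOF'
<Policy default>
  <Limit Send-Document Hold-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
<Policy authenticated>
  <Limit Send-Document Hold-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
EOF
}

# Constructed sample: "default" carries the dedicated block quoted in the report.
sample_fixed_conf() {
    cat <<'EOF'
<Policy default>
  <Limit CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
EOF
}

if [ $# -gt 0 ]; then
    check_cups_get_document "$1"                   # e.g. /etc/cups/cupsd.conf
else
    for s in vulnerable fixed; do
        echo "== constructed $s sample =="
        "sample_${s}_conf" | check_cups_get_document - || echo "-> this cupsd.conf needs the fix"
    done
fi
```

Run it with no arguments to see both constructed samples scored, or with /etc/cups/cupsd.conf to score the live file. The checksum Andres quotes above is his observation for his two machines, so treat it as something to verify for your own release before passing it as EXPECTED_MD5; after a replacement cupsd still has to be restarted for the new policy to take effect.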
