Message-ID: <v4d8ln$2ut$1@ciao.gmane.io>
Date: Wed, 12 Jun 2024 22:49:28 -0000 (UTC)
From: Tavis Ormandy <taviso@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777

On 2024-06-11, Zdenek Dohnal wrote:
> Impact
>
> Given that cupsd is often running as root, this can result in the change 
> of permission of any user or system files to be world writable.
>
>
> https://github.com/OpenPrinting/cups/commit/a436956f3
>

This is a pretty confusing description... if we accept the premise that an
attacker can somehow get root to run cupsd with a modified configuration
file (how???), then this patch doesn't seem sufficient. They can still
get root to unlink() an arbitrary file, no?

I guess someone from CUPS has seen a working Ubuntu exploit that did
this, but this really feels like fixing the bug in the wrong place?

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@....org
_\_V _( ) _( )  @taviso
