ID

VAR-200501-0313

CVE

CVE-2004-0923

TITLE

CUPS stores user account details in plain text in log file

DESCRIPTION

CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords. When an SMB printer is configured, CUPS stores plain text login information to the log file. CUPS (Common UNIX Printing System) Is SMB When outputting to a shared printer, device URI Included in ID Vulnerabilities exist where passwords are logged in the error log.SMB Host user providing a shared printer ID And you may get a password. CUPS is reported prone to a local password disclosure vulnerability. This issue is reported to present itself when an authenticated user carries out certain methods of remote printing. Reportedly, local attackers can disclose user passwords in the printing system log files. CUPS 1.1.21 and prior are considered vulnerable to this issue. Due to a lack of detail, further information is not available at the moment. This BID will be updated as more information becomes available. SOLUTION: The vulnerability has been fixed in the CVS repository. PROVIDED AND/OR DISCOVERED BY: Gary Smith ORIGINAL ADVISORY: http://www.cups.org/str.php?L920 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet@packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200410-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: CUPS: Leakage of sensitive information Date: October 09, 2004 Bugs: #66501 ID: 200410-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== CUPS leaks information about user names and passwords when using remote printing to SMB-shared printers which require authentication. Background ========== The Common UNIX Printing System (CUPS) is a cross-platform print spooler. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-print/cups <= 1.1.20-r2 *>= 1.1.20-r3 == 1.1.21 >= 1.1.21-r1 Description =========== When printing to a SMB-shared printer requiring authentication, CUPS leaks the user name and password to a logfile. Impact ====== A local user could gain knowledge of sensitive authentication data. Workaround ========== There is no known workaround at this time. Resolution ========== All CUPS users should upgrade to the latest version: # emerge sync # emerge -pv ">=net-print/cups-1.1.20-r3" # emerge ">=net-print/cups-1.1.20-r3" References ========== [ 1 ] CAN-2004-0923 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0923 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200410-06.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2004 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/1.0

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

local

TYPE

Design Error

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Discovery is credited to Gary Smith.

SOURCES

LAST UPDATE DATE

2024-08-14T12:34:06.243000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE