COMMAND
cupsys
SYSTEMS AFFECTED
Linux
PROBLEM
The following is based on a Debian Security Advisory. Mandrake has
recently released a security advisory against CUPS raising two
issues:
1. CUPS sends broadcast packets, which can keep dial-on-demand
lines up and otherwise irritate network administrators.
2. CUPS has a rather vague problem to the effect of "everyone
on the Internet can get to your printers".
The first problem does not affect Debian's potato (2.2) or woody
(unstable): their cupsys packages are shipped with browsing turned
off by default.
The second problem has to do with CUPS's configuration. CUPS does
access control in a similar way to Apache, and is configured by
default in a similar way to Apache. That default isn't terribly
appropriate when it governs who may attach to printers.
Administrative tasks still aren't allowed, but Internet users
could (for example) run all the paper out of your printer. Debian
as shipped in potato and woody is vulnerable to this latter
problem.
SOLUTION
The fix is simply to configure access control to reflect your real
wishes, which is done in /etc/cups/cupsd.conf. This can be done
with the current packages (in both potato and woody) for Debian.
This has been fixed in version 1.0.4-8 (or 1.1.4-2 for unstable):
http://security.debian.org/dists/stable/updates/main/source/cupsys_1.0.4-8.diff.gz
http://security.debian.org/dists/stable/updates/main/source/cupsys_1.0.4-8.dsc
http://security.debian.org/dists/stable/updates/main/source/cupsys_1.0.4.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/cupsys-bsd_1.0.4-8_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/cupsys_1.0.4-8_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libcupsys1-dev_1.0.4-8_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libcupsys1_1.0.4-8_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/cupsys-bsd_1.0.4-8_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/cupsys_1.0.4-8_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libcupsys1-dev_1.0.4-8_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libcupsys1_1.0.4-8_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/cupsys-bsd_1.0.4-8_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/cupsys_1.0.4-8_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libcupsys1-dev_1.0.4-8_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libcupsys1_1.0.4-8_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/cupsys-bsd_1.0.4-8_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/cupsys_1.0.4-8_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libcupsys1-dev_1.0.4-8_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libcupsys1_1.0.4-8_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cupsys-bsd_1.0.4-8_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cupsys_1.0.4-8_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libcupsys1-dev_1.0.4-8_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libcupsys1_1.0.4-8_powerpc.deb
ftp://ftp.debian.org/debian/dists/unstable/main/source/net/cupsys_1.1.4-2.diff.gz
ftp://ftp.debian.org/debian/dists/unstable/main/source/net/cupsys_1.1.4-2.dsc
ftp://ftp.debian.org/debian/dists/unstable/main/source/net/cupsys_1.1.4.orig.tar.gz
ftp://ftp.debian.org/debian/dists/unstable/main/binary-i386/devel/libcupsys2-dev_1.1.4-2.deb
ftp://ftp.debian.org/debian/dists/unstable/main/binary-i386/libs/libcupsys2_1.1.4-2.deb
ftp://ftp.debian.org/debian/dists/unstable/main/binary-i386/net/cupsys-bsd_1.1.4-2.deb
ftp://ftp.debian.org/debian/dists/unstable/main/binary-i386/net/cupsys-client_1.1.4-2.deb
ftp://ftp.debian.org/debian/dists/unstable/main/binary-i386/net/cupsys_1.1.4-2.deb
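
To check whether /etc/cups/cupsd.conf reflects your real wishes, the following added example (not part of the advisory or of the cupsys packages) lists each Location block whose address rules deserve review. It is a conservative heuristic that does not model Order evaluation or authentication, and the sample configuration is constructed.

```python
import re

# Constructed sample cupsd.conf (not taken from any shipped package).
SAMPLE_CONF = """\
Browsing Off
<Location />
Order Deny,Allow
Allow From All
</Location>
<Location /printers>
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.1.*
</Location>
<Location /admin>
AuthType Basic
</Location>
"""

def parse_locations(text):
    """Return {path: [(directive, value), ...]} for each <Location> block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        opened = re.fullmatch(r"<Location\s+(\S+)>", line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1), [])
        elif re.fullmatch(r"</Location>", line, re.I):
            current = None
        elif current is not None:
            parts = line.split()                 # normalises spaces and tabs
            current.append((parts[0].lower(), " ".join(parts[1:]).lower()))
    return blocks

def audit(text):
    """Map each Location path to its findings; an empty list means nothing flagged."""
    report = {}
    for path, rules in parse_locations(text).items():
        allows = [v for d, v in rules if d == "allow"]
        denies = [v for d, v in rules if d == "deny"]
        findings = ["Allow From All"] if "from all" in allows else []
        if "from all" not in denies:             # address rules only; AuthType is ignored
            findings.append("no Deny From All")
        report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_CONF).items():
        print(path, "REVIEW: " + ", ".join(findings) if findings else "restricted")
```

Run it against your own file by passing `open("/etc/cups/cupsd.conf").read()` to `audit()`.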