CVE-2012-5519

Priority
Medium
Description
CUPS 1.4.4, when running in certain Linux distributions such as Debian
GNU/Linux, stores the web interface administrator key in
/var/run/cups/certs/0 using certain permissions, which allows local users
in the lpadmin group to read or write arbitrary files as root by leveraging
the web interface.
Notes
 mdeslaur> On Ubuntu, file disclosure and corruption is limited by the
 mdeslaur> AppArmor profile, which limits exposure. It still can access
 mdeslaur> some important files though, such as /etc/shadow.
 mdeslaur>
 mdeslaur> Upstream patch moves dangerous configuration options to a
 mdeslaur> second config file which is not web-editable. Although this is
 mdeslaur> a good long-term solution, the changes are too intrusive for a
 mdeslaur> security update. The most sensible thing to do at this time is
 mdeslaur> to completely disable modifying the cupsd.conf file via the web
 mdeslaur> interface.
Assigned-to
mdeslaur
Package
Source: cups (LP Ubuntu Debian)
Upstream:needs-triage
Patches:
Vendor: http://www.debian.org/security/2013/dsa-2600

Updated: 2017-12-15 20:30:18 UTC (commit 13913)