On 6/13/24 08:49, Tavis Ormandy wrote:
On 2024-06-11, Zdenek Dohnal wrote:
???????? Impact
Given that cupsd is often running as root, this can result in the change
of permission of any user or system files to be world writable.
https://github.com/OpenPrinting/cups/commit/a436956f3
This is a pretty confusing description... if we accept the premise that an
attacker can somehow get root to run cupsd with a modified configuration
file (how???), then this patch doesn't seem sufficient. They can still
get root to unlink() an arbitrary file, no?
Also with debug printing enabled `DEBUG_printf` does not
save-and-restore `errno` and then does numerous things that can
overwrite it. So presumably the `errno == ENOENT` branch is not reliable
in this scenario.
