[Pkg-cups-devel] Bug#689991: CUPS: error_log flooded due to AllowUser restriction
Sergio Gelato
Sergio.Gelato at astro.su.se
Mon Oct 8 19:47:46 UTC 2012
Package: cups
Version: 1.5.3-1
Severity: important
Tags: security
I've created a print queue with an
    AllowUser user1
option. When submitting a print job as user1 all goes as expected, but
if I submit it as some other user I see a flood of error messages appear
(observed rates: 375-500 Hz, depending on the client) in
/var/log/cups/error_log:
    E [08/Oct/2012:20:31:23 +0200] Returning IPP client-error-not-authorized for Create-Job (ipp://xxx.yyy.zzz.ttt:631/printers/test1) from aaa.bbb.ccc.ddd
cupsd consumes significant amounts of CPU time while the client is trying
to submit the job. Both the log flood and the CPU consumption stop as soon
as I cancel the print job on the client.
Conclusion: use of AllowUser/DenyUser can lead to (often inadvertent) denial
of service attacks.
A packet capture shows a loop of:
    C: POST /printers/test1 HTTP/1.1
       [...]
       printer-uri ipp://xxx.yyy.zzz.ttt:631/printers/test1
       requesting-user-name user2
       [...]
       job-originating-user-name user2
       [...]
    S: HTTP/1.1 100 Continue
    S: HTTP/1.1 200 OK
       [...]
       status-message Not allowed to print
all in the same TCP connection.
The clients I tested with were running cups 1.5.3-1 (wheezy)
and 1.5.3-0ubuntu4 (precise).
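A defender-side check for the flood described in the report above, added here as an example (it is not part of the bug report or of CUPS): it parses cupsd error_log lines in the format quoted in the report and flags any client that receives more than a threshold of client-error-not-authorized replies for one queue within a single logged second, which is the log's own timestamp resolution. The exact line format, the threshold and the 192.0.2.x addresses are assumptions.

```python
import re
from collections import Counter

# Pattern for the cupsd error_log line quoted in the report. The field layout is
# assumed from that single line; hosts and clients in the sample are constructed.
LINE_RE = re.compile(
    r'^E \[(?P<ts>[^\]]+)\] Returning IPP (?P<status>client-error-[\w-]+) '
    r'for (?P<op>[\w-]+) \((?P<uri>ipp://[^)]+)\) from (?P<client>\S+)$'
)

# Alert when one client gets more than this many not-authorized replies for the
# same queue within one logged second (assumed threshold; a normal client
# submitting one job would produce only a handful).
THRESHOLD_PER_SECOND = 50

def parse_line(line):
    """Return the named fields of a matching error_log line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_retry_floods(lines, threshold=THRESHOLD_PER_SECOND):
    """Return sorted [(timestamp, client, queue_uri, count)] for every
    (second, client, queue) group whose not-authorized count exceeds threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['status'] != 'client-error-not-authorized':
            continue
        counts[(rec['ts'], rec['client'], rec['uri'])] += 1
    return sorted((ts, client, uri, n)
                  for (ts, client, uri), n in counts.items() if n > threshold)

def sample_log():
    """Constructed sample: one client looping at ~400 requests in one second
    against test1 (the behaviour the report describes), plus unrelated lines."""
    flood = ['E [08/Oct/2012:20:31:23 +0200] Returning IPP client-error-not-authorized '
             'for Create-Job (ipp://192.0.2.1:631/printers/test1) from 192.0.2.10'] * 400
    other = [
        'E [08/Oct/2012:20:31:23 +0200] Returning IPP client-error-not-authorized '
        'for Create-Job (ipp://192.0.2.1:631/printers/test1) from 192.0.2.20',
        'E [08/Oct/2012:20:31:24 +0200] Returning IPP client-error-not-found '
        'for Get-Printer-Attributes (ipp://192.0.2.1:631/printers/nope) from 192.0.2.20',
        'I [08/Oct/2012:20:31:24 +0200] Job 12 queued on "test1" by "user1".',
    ]
    return flood + other

if __name__ == '__main__':
    for ts, client, uri, n in find_retry_floods(sample_log()):
        print(f'{ts}: {client} received {n} not-authorized replies for {uri}')
```

Running it over a real /var/log/cups/error_log (one line per list element) surfaces the looping client and queue, which is what you need to cancel the job on the client side as the report describes.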