[Openicc] Introduction / Gutenprint
Michael Sweet
mike at easysw.com
Wed Apr 13 05:49:19 EST 2005
Craig Bradney wrote:
> ...
> And the case where there's only one user on a computer using ICC and
> the others not, and that person doesn't have rights to put files in a
> system dir? Surely a profile can be loaded from anywhere. Are there
> passwords in profiles in any case?

No, but it is far easier to force files to be relative to a
controlled directory than to filter out the paths and permissions
allowed for a specific, possibly non-local user. Both the System V
lp and Berkeley lpr print spoolers have a long history of security
problems caused by direct access/references to files.

The issue isn't "are there passwords in profiles", it is "can I
provide a filename to CUPS which will cause it to emit an error
message that discloses some information that is in the file", or
"can I provide a filename that will cause a buffer overflow in
the ICC parser and execute arbitrary code"....

In short, if you want to share your personal profiles, you need
to run a command to do it (or have some nice GUI do it for you) -
we won't configure CUPS to be insecure by default.
--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw dot com
Internet Printing and Document Software http://www.easysw.com
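
The approach described in the message above, accepting a profile only by name relative to a controlled directory instead of filtering arbitrary paths, shown in C as an added example. It is not code from CUPS or from the original post; the function names, the directory argument and the size cap are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_PROFILE_BYTES (32L * 1024 * 1024) /* assumed size cap */
/* Bare file name only: no directories, no "." or "..", nothing hidden. */
static int profile_name_ok(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 255 || name[0] == '.')
        return 0;
    return strchr(name, '/') == NULL;
}

/* Open `name` relative to the controlled directory `dir` (hypothetical,
 * chosen by the administrator). Returns a read-only fd or -1 with errno. */
int open_profile(const char *dir, const char *name)
{
    struct stat st;
    int dfd, fd, saved;

    if (!profile_name_ok(name)) { errno = EINVAL; return -1; }
    if ((dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    /* O_NOFOLLOW refuses a symlink planted in the directory;
     * O_NONBLOCK keeps a FIFO from stalling the open. */
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    saved = errno;
    close(dfd);
    if (fd < 0) { errno = saved; return -1; }
    /* Only regular files of bounded size go on to the ICC parser. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_size > MAX_PROFILE_BYTES) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = argc == 3 ? open_profile(argv[1], argv[2]) : -1;
    puts(fd >= 0 ? "accepted" : "rejected"); /* generic message only */
    return fd < 0;
}
```

The caller prints the same generic result for every failure, so an error message never echoes anything read from the requested file.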