Ubuntu
cups package

cups is not compiled with bind-now hardening option

Bug #986452 reported by Steve Beattie
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cups (Debian)
Fix Released
Unknown
cups (Ubuntu)
Fix Released
Undecided
Unassigned
Precise
Won't Fix
Undecided
Unassigned
Ubuntu precise-updates
Quantal
Fix Released
Undecided
Unassigned

Bug Description

cups has been compiled with all the hardening options enabled since before ubuntu 10.04; however in the conversion to using the dpkg buildflags mechanism for hardening, the bind-now option was disabled.

To demonstrate, with cups 1.5.2-9ubuntu1 using the hardening-check utility from the hardening-includes package:

  $ hardening-check /usr/sbin/cupsd
  /usr/sbin/cupsd:
   Position Independent Executable: yes
   Stack protected: yes
   Fortify Source functions: yes (some protected functions found)
   Read-only relocations: yes
   Immediate binding: no not found!

it should return "Immediate binding: yes".

Please see http://wiki.debian.org/Hardening for more details about this option.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: cups 1.5.2-9ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14
Uname: Linux 3.2.0-23-generic x86_64
ApportVersion: 2.0.1-0ubuntu5
Architecture: amd64
CupsErrorLog:

Date: Fri Apr 20 16:06:32 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120418)
Lpstat: Error: command ['lpstat', '-v'] failed with exit code 1: lpstat: No destinations added.
Lsusb:
 Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
 Bus 001 Device 002: ID 80ee:0021 VirtualBox USB Tablet
MachineType: innotek GmbH VirtualBox
Papersize: letter
ProcEnviron:
 TERM=screen
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.2.0-23-generic root=UUID=ffa05bbe-ed05-43a9-908d-40bc146535b4 ro quiet splash vt.handoff=7
SourcePackage: cups
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 12/01/2006
dmi.bios.vendor: innotek GmbH
dmi.bios.version: VirtualBox
dmi.modalias: dmi:bvninnotekGmbH:bvrVirtualBox:bd12/01/2006:svninnotekGmbH:pnVirtualBox:pvr1.2:
dmi.product.name: VirtualBox
dmi.product.version: 1.2
dmi.sys.vendor: innotek GmbH

Revision history for this message
Steve Beattie (sbeattie) wrote :
Revision history for this message
Steve Beattie (sbeattie) wrote :

This was also reported in debian bug 662821 where it was fixed in 1.5.2-10; unfortunately only part of the changes from that version made it into the 1.5.2-9ubuntu1 version.

tags: added: regression-release
Changed in cups (Ubuntu):
milestone: none → precise-updates
Bug Watch Updater (bug-watch-updater)
Changed in cups (Debian):
status: Unknown → Fix Released
Jamie Strandboge (jdstrand)
Changed in cups (Ubuntu):
status: New → Triaged
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This is fixed in 12.10.

Changed in cups (Ubuntu Precise):
status: New → Triaged
milestone: none → precise-updates
Changed in cups (Ubuntu Quantal):
milestone: precise-updates → none
status: Triaged → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

Changed in cups (Ubuntu Precise):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.