
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
OpenPrinting CUPS (Common UNIX Printing System) versions 2.4.8 and earlier contain a vulnerability (CVE-2024-35235): when the cupsd server is started with a Listen configuration item that points to a symbolic link, the cupsd process can perform an arbitrary chmod of the supplied path, granting world-writable access to the link target (GitHub Advisory).
The vulnerability occurs when cupsd binds the Unix domain sockets configured in the Listen parameters of the configuration file. The code does not check whether the calls to unlink and bind succeeded before calling chmod. On Ubuntu 24.04, setting the Listen argument to a path such as /tmp/stage/file, where file is a symlink to another location on the system, causes the unlink call to fail because of AppArmor, and the subsequent bind call fails because the file still exists. The chmod call then proceeds without checking the bind return value, so the symbolic link is followed and the target file's permissions are changed to world writable. The vulnerability has been assigned a CVSS v3.1 score of 4.4 (Moderate) with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).
Given that cupsd often runs as root, this vulnerability can result in changing permissions of any user or system files to be world writable. On Ubuntu systems with AppArmor, the impact is limited to files modifiable by the cupsd process. In specific cases, this can lead to full control over cupsd.conf and cups-files.conf configuration files, potentially enabling arbitrary user and group command execution (GitHub Advisory).
A patch has been released in commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d. The suggested fix includes recursively opening the configured paths using openat with O_NOFOLLOW, followed by using fchmod instead of chmod. This ensures no unexpected symbolic links exist in the path. Additionally, checking the return value of the bind call before performing the chmod helps narrow the race condition window (GitHub Advisory).
Security researchers have noted concerns about the fix implementation. Tavis Ormandy questioned whether the patch was sufficient, pointing out that an attacker could still potentially get root to unlink arbitrary files (Openwall). Matthew Fernandez highlighted additional concerns about debug printing potentially affecting the reliability of errno checking (Openwall).
Source: This report was generated using AI