#1053857 cups: CVE-2023-32360 instructions in NEWS have a typo and are unclear

Package:
cups
Source:
cups
Description:
Common UNIX Printing System(tm) - PPD/driver support, web interface
Submitter:
Jonathan Kamens
Date:
2023-10-12 18:27:04 UTC
Severity:
normal
#1053857#5
Date:
2023-10-12 18:22:27 UTC
Dear Maintainer,

The NEWS entry for CVE-2023-32360 says /etc/cups/cupds.conf when it
should say /etc/cups/cupsd.conf.

In addition, after reading the NEWS entry and reviewing the contents
of my cupsd.conf file, I'm left completely clueless about whether I
actually need to change anything, or if doing so will break cups.

Two reasons for this:

* I don't have any "<Limit CUPS-Get-Document>" stanzas in my
cupsd.conf. All of the stanzas that reference CUPS-Get-Document
reference many other commands at the same time. For example:

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>

I don't know whether changing one of these stanzas will break
something because it will affect things other than CUPS-Get-Document.

* There are three different <Limit ...> blocks in my cupsd.conf that
reference CUPS-Get-Document, under <Policy Default>, <Policy
Authenticated>, and <Policy kerberos>. The first has no "AuthType
Default" line, the second says "AuthType Default", and the third says
"AuthType Negotiate". I don't know whether I need to add "AuthType
Default" to the first one or if the fact that the second one already
has "AuthType Default" means I'm protected.

This isn't great.

  jik
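The two questions the report raises (which combined <Limit ...> blocks mention CUPS-Get-Document, and which of them carry an AuthType directive) can be answered by reading cupsd.conf rather than by guessing. The following audit script is an added example; it is not part of the bug report, the NEWS entry, or the cups package. It parses <Policy> and <Limit> blocks and lists every policy whose CUPS-Get-Document block has no AuthType line (or sets AuthType None). Each <Policy> is evaluated on its own, since a queue uses only the policy it is assigned to, so an AuthType line in the authenticated policy says nothing about the default one. The embedded configuration fragment is constructed to mirror the three policies the report describes, with the long operation lists abbreviated; the function and variable names are this example's own.

```python
import re

# Constructed cupsd.conf fragment modelled on the three policies in the bug
# report (not a real file from any system). Operation lists are abbreviated.
SAMPLE_CUPSD_CONF = """\
<Policy default>
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
  </Limit>
  <Limit Send-Document Send-URI Hold-Job Release-Job CUPS-Move-Job CUPS-Get-Document>
    # no AuthType here
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
<Policy authenticated>
  <Limit Send-Document Send-URI Hold-Job Release-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
<Policy kerberos>
  <Limit Send-Document Send-URI Hold-Job Release-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Negotiate
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
"""

_OPEN_POLICY = re.compile(r"^<Policy\s+(\S+)>$", re.IGNORECASE)
_OPEN_LIMIT = re.compile(r"^<Limit\s+([^>]+)>$", re.IGNORECASE)
_AUTHTYPE = re.compile(r"^AuthType\s+(\S+)$", re.IGNORECASE)


def parse_limits(conf_text):
    """Return one dict per <Limit> block: the enclosing policy name, the
    operations the block covers, and its AuthType value (None when the block
    has no AuthType directive). Comments (# ...) and blank lines are ignored."""
    limits = []
    policy = None
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _OPEN_POLICY.match(line)
        if m:
            policy = m.group(1)
            continue
        if line.lower() == "</policy>":
            policy = None
            continue
        m = _OPEN_LIMIT.match(line)
        if m:
            current = {"policy": policy, "ops": m.group(1).split(), "authtype": None}
            continue
        if line.lower() == "</limit>":
            if current is not None:
                limits.append(current)
            current = None
            continue
        m = _AUTHTYPE.match(line)
        if m and current is not None:
            current["authtype"] = m.group(1)
    return limits


def unprotected_get_document(conf_text):
    """Names of policies whose <Limit> block listing CUPS-Get-Document has no
    AuthType directive or sets AuthType None. Blocks that name many
    operations count as long as CUPS-Get-Document is among them."""
    flagged = []
    for lim in parse_limits(conf_text):
        if not any(op.lower() == "cups-get-document" for op in lim["ops"]):
            continue
        if lim["authtype"] is None or lim["authtype"].lower() == "none":
            flagged.append(lim["policy"])
    return flagged


if __name__ == "__main__":
    # Run against the constructed sample; replace with open("/etc/cups/cupsd.conf").read()
    # to audit a real file.
    for lim in parse_limits(SAMPLE_CUPSD_CONF):
        if "CUPS-Get-Document" in lim["ops"]:
            print(f"policy {lim['policy']}: AuthType {lim['authtype']}")
    print("policies lacking AuthType on CUPS-Get-Document:",
          unprotected_get_document(SAMPLE_CUPSD_CONF))
```

On the sample this reports only the default policy, which matches the situation in the report: the AuthType Default line in the authenticated policy does not cover the default policy's block. The script only inspects directives that are literally present; it does not model DefaultAuthType or any other cupsd semantics, so treat its output as a checklist of blocks to review, not as a verdict.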