[MIR] ippusbxd

Till, this binds to in6addr_any and has no access controls to determine who might be able to use the printer; is this intentional?

Thanks

The printer access is bound to localhost:<port>, so one can only access locally, not through the network. As print queues are system-wide and not per-user any local user can access to "normal" USB printers (using classic USB protocol with "usb" or "hp" CUPS backend). So using IPP-over-USB does not add any extra access possibilities.

Till, could you please double-check this? The code sure looks like it binds to the ipv6 wildcard address:

        struct sockaddr_in6 addr;
        memset(&addr, 0, sizeof addr);
        addr.sin6_family = AF_INET6;
        addr.sin6_port = htons(port);
        addr.sin6_addr = in6addr_any;

        // Bind to localhost
        if (bind(this->sd,
                (struct sockaddr *)&addr,
                sizeof addr) < 0) {
                ERR("Bind on port failed. "
                    "Requested port may be taken or require root permissions.");
                goto error;
        }

Is there any easy way to run this program without having a printer available? You say it should bind to localhost, and the comment says it should bind to localhost, but the code clearly uses in6addr_any rather than in6addr_loopback.

Please double-check with netstat, or let me know how I can double-check with netstat but without a printer...

Thanks

I will look into adding a mode for printer-less debugging, for example simply letting it show a simple HTML page when calling its URL with a browser.

Hi Till - Any luck with gathering the netstat output to verify that it is only listening to ipv6 localhost?

I have added said printer=less debugging mode to ippusbxd now. Please update to cups-filters-ippusbxd_1.0.71-1ubuntu3 and run

ippusbxd -d -N -P 60000

Then you can access with a web brower, using the URL

http://localhost:60000/

This way the TCP/IP interface of ippusbxd is available for any kind of test, like netstat and so on.

I have also tried to replace in6addr_any by in6addr_loopback, but with this I cannot even access via localhost:60000. With in6addr_any I can access also from my virtual machine, through the hosts IP (like http://192.168.122.204).

Thanks for adding the -N option, it's very handy to test the networking portion.

You're right, in6addr_loopback isn't going to work -- it is then only listening on ::1:60000 and connections to 127.0.0.1:60000 don't work.

I think this is going to take a more complicated fix, one of these options is needed:

- ensure cups is looking for ippusbxd printers over IPv6
- change ippusbxd to function over IPv4 only
- change ippusbxd to bind to two sockets, one for IPv6 in6addr_loopback and one for IPv4 INADDR_LOOPBACK. This would also require using select() to determine which of the two ports is connected each iteration through the loop. This also feels like the best solution.

We really can't continue with the current code -- it is currently open for all to connect to, on all interfaces that are configured on the system. I'll ask MITRE for a CVE for this later, once we're closer to having a patch.

Thanks Till.

I have now modified ippusbxd in the upstream GIT repository to listen on both IPv4 and IPv6 sockets using the select() function to watch both. On each socket I restrict to localhost in the proper way. I have tested that with

wget 'http://localhost:60000/'
wget 'http://[::1]:60000/'
wget '<Any other IP from "ifconfig" output>:60000'

and the first two download the short HTML message into the index.html file, any other gives "Connection refused".

For you to test I have uploaded cups-filters_1.0.71-1ubuntu4 to Wily. Please test and if it is OK, I will release this version of ippusbxd upstream and updated the ippusbxd package in Universe.

Here is the upstream fix on Github:

https://github.com/tillkamppeter/ippusbxd/commit/46844402bca7a38fc224483ba6f0a93c4613203f

I did also a check with a printer (without "-N" option) now and the restriction works there, too.

Till, this looks great, confirmed that the -N variant listens on loopback for both ipv4 and ipv6. Very nice, thanks.

I am concerned to see a timeout on the select() statement; select_tut(2) strongly recommends writing code in a way that does not use the timeout:

       1. You should always try to use select() without a timeout.
           Your program should have nothing to do if there is no
           data available. Code that depends on timeouts is not
           usually portable and is difficult to debug.

Thanks

Seth, thanks for the hint. It works actually the same way without timeout and loop, making the code simpler.

I have uploaded this upstream as

https://github.com/tillkamppeter/ippusbxd/commit/a632841f8e65d402e13e81921515f5a1e2736c82

Do I need to add this to Wily's cups-filters for you to text, too? Or should I simply release upstream now, update the ippusbxd package in Universe and you promote it to Main?

Thanks Till, I've requested a CVE from MITRE: http://www.openwall.com/lists/oss-security/2015/08/11/1

Please include the CVE number in changelogs and announcements if one is available in time.

I reviewed ippusbxd version 1.21.2-1 as checked into wily; this shouldn't
be considered a full security audit but rather a quick gauge of
maintainability.

- ippusbxd implements the usb-ipp standardized printer bridge;
  udev rules start the daemon when a supported printer is plugged in,
  exposing the printer to loopback interfaces.
- Build-Depends: debhelper, libusb-1.0-0-dev, cmake, pkg-config, dh-apparmor
- Provides a daemon
- start_daemon() does not properly daemonize:
  - doesn't set umask()
  - doesn't setsid()
  - doesn't chdir(/)
  - doesn't set signals to expected dispositions
- pre,post inst,rm scripts all automatically generated
- No initscripts
- No dbus services
- No setuid executables
- One executable, /usr/sbin/ippusbxd
- No sudo fragments
- No udev rules -- they must be packaged elsewhere?
- No tests
- No cronjobs
- One warning in build log looks harmless

- No subprocesses spawned
- Memory management looked careful
- No files are written to
- Logging looked safe
- No environment variables
- No privileged operations
- No cryptography
- No privileged portions of code
- No temporary file use
- No WebKit
- No javascript
- No policykit
- Clean cppcheck

The code quality is good, with a few caveats: the software doesn't
properly daemonize at startup; and the AppArmor profile doesn't look
like it's been used lately.

Till was very responsive to the in6addr_any issue and associated
requests.

Here's the remaining issues that I found, they may or may not be important
enough to fix, though the AppArmor profile probably needs to be updated to
allow the daemon to function:

- AppArmor profile needs to be updated
- usb_conn_acquire(), typo in text that may be user-visible, "aloc"
- there appears to be no way to stop the usb_pump_events() thread
- Really should setsid(), chdir(/), and set signal dispositions for
  reliable operation (umask is less important since the daemon creates no files)

Security team ACK to promote ippusbxd to main.

Thanks

Till, please update the wily packaging and upstream releases as soon as convenient. Include the CVE if you can.

A note for the security team once the CVE comes through, ippusbxd is packaged in cups-filters in vivid, which is in main, and will also need to be updated. Double-check that it's been removed from cups-filters in wily when we get there.

Thanks

Note that all software to start and stop the daemon with the correct options, and to create CUPS queues for the IPP-over-USB printers is in the system-config-printer-udev package.

Packaging wise, things look fine. But it does need a team bug subscriber.

Subscription created for Ubuntu Printing Team.

OK, fine from my side then. Seth, was that ACK for the version in wily as-is or did you want to only promote this once the fixes you've discussed here landed?

Michael, ACK now please, the other fixes can come whenever it is convenient for Till to work on them. Thanks.

You got it! Thanks Seth and Till!

Override component to main
ippusbxd 1.21.2-1 in wily: universe/misc -> main
ippusbxd 1.21.2-1 in wily amd64: universe/comm/extra/100% -> main
ippusbxd 1.21.2-1 in wily arm64: universe/comm/extra/100% -> main
ippusbxd 1.21.2-1 in wily armhf: universe/comm/extra/100% -> main
ippusbxd 1.21.2-1 in wily i386: universe/comm/extra/100% -> main
ippusbxd 1.21.2-1 in wily powerpc: universe/comm/extra/100% -> main
ippusbxd 1.21.2-1 in wily ppc64el: universe/comm/extra/100% -> main
7 publications overridden.

MITRE has assigned the in6addr_any issue CVE-2015-6520: http://www.openwall.com/lists/oss-security/2015/08/18/11

Thanks