CUPS Security Vulnerabilities
Buck Naked writes "A slew of vulnerabilities was discovered in CUPS, from the advisory: 'Exploitation of multiple CUPS vulnerabilities allow local and remote attackers in the worst of the scenarios to gain root privileges...' The full advisory can be found at iDEFENSE."
Same shit, different daemon... (Score:5, Insightful)
Or don't use CUPS (Score:2)
Re:Or don't use CUPS (Score:1)
Now, there are some packages that are inherently more secure than others (i.e. qmail vs sendmail), but I don't think this is a case of that; it's more your personal views clouding the issue.
-Ian
Re:Same shit, different daemon... (Score:2)
Re:Same shit, different daemon... (Score:2, Informative)
If you get an email with a specially constructed image link in it, or visit a website with that url, you can be remotely exploited... it ignores the firewall because it is you doing the connecting to it. (Can even put every possible address you might have a printer on your LAN into a page, with every possible offset... or at least the most likely ones... too many malformed connections, and your daemon dies... remote denial of service maybe?)
Filtering connections to port 631 in mozilla/netscape would protect you from this, but it would also stop you being able to use the administration via http features of CUPS, which gives you the proverbial choice between dancing elephants and security, it seems.
Overview:
You MUST patch it to be protected. Firewalling also won't protect you from malicious local users getting root, and it won't stop you being hacked by yourself.
Re:Same shit, different daemon... (Score:2)
Our LAN's CUPS configuration allows port 631 connections only from administrative workstations. IMHO, that's just common-sense security. This could be enforced with a combination firewall and switch/router ACLs that segregate IP sources. If administrators need to perform administrative tasks while 'on the run', they can always VPN to an administrative area.
As for a smaller LAN, just a simple ACL and firewall configuration should suffice. The biggest assumption, of course, is that those using the administrative workstations are clueful* enough to be wary about opening images in e-mail and what-not.
Oh, without question. Sadly, the CUPS website is severely lacking in documentation and security advisories. I tried to check the "More Info" for the December 19th release, but was returned to the homepage. So I've downloaded it and will check the ChangeLog instead.
* (I can't believe I just used that term!)
Re:Same shit, different daemon... (Score:2)
Re:Same shit, different daemon... (Score:1)
Its a good thing (Score:2, Funny)
Until RedHat 8 came out that is!
Thanks CowboyNeal and poster (Score:5, Insightful)
Not really news - CUPS vulnerabilities endemic (Score:5, Funny)
Patches out, you can relax (Score:5, Informative)
Whew, I feel much safer now. It's always nice that someone feels ownership for the code, thus that someone takes quick action and fixes the problems. Thank you Michael Sweet for a great print system and quick action.
Re:Patches out, you can relax (Score:1)
But what is not so great is that there is no simple way of verifying that the patched code available for download in fact is the patched code.
We really need some kind of digital signature system so that we can ensure that we are not downloading fixes from a hijacked ftp server.
The best thing to do would of course be to validate the code yourself. But many people don't have that kind of skill, so they would probably go for just trusting the author, but without a digital signature how do we know that the code we download is the real thing?
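The verification step this post asks for, as an added example (not code from the thread or from the CUPS project): check each downloaded file against a digest manifest. The manifest stands in for the signed artifact; the example assumes it came through a channel you trust separately from the download server (for instance one whose detached signature you already verified), since a manifest served by the same hijacked mirror proves nothing. The files, digests and the hijacked-mirror scenario in demo() are constructed in a temporary directory for the demonstration.

```python
"""Verify downloaded release files against a digest manifest.

Added example; it is not from the thread or the CUPS project.  It assumes a
SHA256SUMS-style manifest ('<hexdigest>  <filename>' per line) that you obtained
through a channel trusted separately from the download server, for instance one
whose detached signature you verified first: a manifest fetched from the same
hijacked server proves nothing.  The files and manifest in demo() are
constructed in a temporary directory for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so a large tarball is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_manifest(text):
    """Map filename -> expected hex digest; accepts 'digest  name' and 'digest *name'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify(directory, manifest_text):
    """Return filename -> 'ok', 'MISMATCH', 'MISSING' or 'UNLISTED' (present but not in the manifest)."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    for name in os.listdir(directory):
        if name not in expected:
            results[name] = "UNLISTED"  # downloaded, but nothing vouches for it
    return results


def demo():
    """Build a constructed download directory, verify it and return the results."""
    release = b"constructed release tarball contents\n"
    original_patch = b"constructed original patch\n"
    served_patch = b"constructed patch with an extra line a hijacked mirror slipped in\n"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("release.tar.gz", release),
                           ("patch.diff", served_patch),
                           ("README", b"not covered by the manifest\n")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = "\n".join([
            "# constructed manifest; in practice verify its signature before trusting it",
            f"{hashlib.sha256(release).hexdigest()}  release.tar.gz",
            f"{hashlib.sha256(original_patch).hexdigest()}  patch.diff",
            f"{'0' * 64}  missing.tar.gz",
        ])
        return verify(d, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

The comparison goes through hmac.compare_digest rather than == so the check does not leak how many leading hex digits matched; the verdicts are returned rather than printed so a rollout script can refuse to install on anything but "ok".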
Re:Patches out, you can relax (Score:2)
Vendor notes... (Score:5, Informative)
Michael Sweet [mike@easysw.com] of Easy Software Products said CUPS 1.1.18 will be released December 19, 2002 which addresses all of these issues (http://www.cups.org [cups.org]).
Mark J Cox (mjc@redhat.com) of Red Hat said the following:
"Red Hat Linux 7.3 and 8.0 ship with CUPS, however it is not enabled by default. We are currently working on producing erratum packages. When complete, these will be available along with our advisory. At the same time, users of the Red Hat Network will be able to update their systems using the 'up2date' tool."
Richard Blanchard (rblanchard@apple.com) of Apple said the following:
"Affected Systems:
Mac OS X 10.2 - Mac OS X 10.2.2
Mac OS X Server 10.2 - Mac OS X Server 10.2.2
Mitigating Factors:
The described vulnerability can be remotely exploited only when Printer Sharing is enabled. Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.
Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"
Impressive List & Response (Score:4, Interesting)
Re:Impressive List & Response (Score:1, Interesting)
Re:Impressive List & Response (Score:4, Insightful)
I would estimate that no more than 4 to 6 people had complete access to all of the problems before they were made public.
To the best of my knowledge none of these problems were ever exploited in the wild. (And if they were, as long as people patch their systems, they won't be.)
I found these problems by auditing the source, and not because of any rumors of active exploitation.
Open source software is sometimes considered to be more secure than closed source because you can see the source code.... the same reason other people say that it is less secure.
For being able to see the source code to make any difference at all, someone actually has to look at it, which doesn't appear to happen as often as either side claims it does.
All it takes for a piece of software to be insecure is one exploitable problem, whether it is open or closed source.
What helps keep people secure is publicity that there is something wrong.
It's no use there being patches made available if nobody knows there was a problem... this article has probably done more for getting people's boxes patched than all the security lists combined.
Anonymous Coward complained that it was a month between the holes being discovered and the patch being released... check out the problems I found with the posterboy of open source in business, Netscape/Mozilla... 4 months to get some of them fixed... and when they released a buggy version and patched it 2 days later (or something like that) people actually CONGRATULATED THEM!!! Publicity over the bugs in Mozilla/Netscape was minimal to say the least...
Look at Code Red. Publicity caused that to be much less of a problem than it could've been.
The more exploits the 'bad guys' have, the more likely those exploits will be patched.
Having an exploit for a vulnerability that is patched on 99% of boxes is pretty much useless... distributing an exploit with your advisory isn't 'a necessary evil', it's a bloody good idea.
A complete working script kiddie friendly exploit for every hole that is found should be given away, free of charge. Let the holes that people don't patch get exploited. If you know that within a day of a security advisory being released there will be an easy to use way for anyone in the world to use it against you, are you going to let your guard down?
-- zen-parse
hmm.... (Score:1)
If so... with the recent move by GNU-Darwin away from mac-proprietary development, what's the relationship of bugs like this being found in software that is part of OS X and the Apple developers working to fix said bugs?
i use CUPS. i think it's neat.
Re:hmm.... (Score:2, Funny)
I use CUPS too but it's not always neat; I haven't been able to fix the spilling bug that always occurs if I am using CUPS to transfer red wine or coffee while wearing white.
OK, OK, I'll stop....
Re:hmm.... yep. (Score:1)
Re:hmm.... yep. (Score:1)
I'd heard 10.2.3 was out, but I had a bunch of windows up that I wasn't willing to bring down until this morning, so I'm just getting the update now.
CUPS is still the best solution (Score:5, Insightful)
Re:CUPS is still the best solution (Score:1, Interesting)
iDEFENSE sat on it for a month, not the developer.
Re:CUPS is still the best solution (Score:1, Insightful)
I imagine it would be a very different story if unix boxen across the net were getting hacked and it turned out iDEFENSE had known about the hole for weeks and not told anyone about it.
Re:CUPS is still the best solution (Score:2)
It might be worth noting that this is a major point of iDefense; payment for exploits [idefense.com]. It's also been a source of criticism - be it valid or not.
I have to wonder if the delay was over verification of the exploit and the decision process involved in awarding payment for discovery. If payment wasn't a part of the process, would the system be faster to report? But then - would it have been reported in the first place?
Re:CUPS is still the best solution (Score:2)
Re:CUPS is still the best solution (Score:5, Informative)
In addition to the firewalling, cups can also be portwalled too (see http://www.spotswood-computer.net/portwalling.html [spotswood-computer.net] for details on this concept). Make sure it's not listening on an internet interface (which it would by default). Assuming your internal interface is 192.168.1.1, comment out the lines
and replace them with and restart the service. Warning: The cups init.d script in Mandrake (at least) will make changes to your configuration file, resulting in cups failing to start if you make the changes listed here. Edit the script and stop it from making the changes before you restart.
Re:CUPS is still the best solution (Score:2)
That's not necessarily enough. See this email [der-keiler.de] about "weak end host". The short version is attackers can access the IP of one interface through another on Linux unless you go out of your way to prohibit it.
Re:CUPS is still the best solution (Score:2)
This relies, of course, on having IP routing enabled on the Linux box (disabled per default) without having the wherewithal to run NetFilter (or another suitable firewall).
Re:CUPS is still the best solution (Score:2)
First, I think it's reasonable to assume that nearly anyone with multiple interfaces will have IP routing enabled.
Second, I'd guess most NetFilter configurations wouldn't stop this. You have to have a rule that denies anything coming in from the external interface for the internal IP. (Or that denies the service specifically, but then there's no real point to binding to the inside interface only.) Binding only to "safe" interfaces is sometimes pointed to as an alternative to firewalling services, so it's important to point out where that can fail. With the one rule, it works well.
Re:CUPS is still the best solution (Score:2)
Not necessarily. Sometimes computers are just on multiple networks.
That's part of any proper BOGON filter set, or any decent firewall. Much like I deny all connections claiming to be from/to 127.0.0.1, I deny incoming connections from/to the RFC1918 address space, from my local address space, and from/to any of the unassigned ARIN address space. Claiming that "most" NetFilter configurations don't have such safeguards is, IMHO, a little rash.
If I ever saw someone suggesting it as an alternative to firewalling, I'd call them on it. It's an additional security precaution; not a replacement. I thought it went without saying, but then again this is the world where MCSEs (and other similar paper-hatters) are administering corporate WANs (and by extension, speaking of BOGONs, why the 69.0.0.0/8 address space is presently largely unroutable.)
Re:CUPS is still the best solution (Score:2)
I wrote: First, I think it's reasonable to assume that nearly anyone with multiple interfaces will have IP routing enabled.
Blkdeath wrote: Not necessarily. Sometimes computers are just on multiple networks.
Thus the "nearly". But I can't even think why you'd need to do that in a well-designed network.
I wrote: Second, I'd guess most NetFilter configurations wouldn't stop this. You have to have a rule that denies anything coming in from the external interface for the internal IP.
Blkdeath wrote: That's part of any proper BOGON filter set, or any decent firewall.
I agree, but I'd still guess that most people don't. I often don't see it in tutorials for NetFilters and similar tools, and I imagine it's pretty common to end up with a firewall very similar to those.
If I ever saw someone suggesting it as an alternative to firewalling, I'd call them on it.
Did you read that portwalling draft that berzerke linked to? I quote:
It does not mention the need to prevent them from accessing one interface's IP from another interface.
Re:CUPS is still the best solution (Score:2)
It does, however, continue to state the need for a firewall in an effective protection setup;
The preceding paragraph (that you've paraphrased) was worded very poorly, that I'll give you, but this is a) a "Draft", and b) merely one of the hundreds of thousands of sites offering advice on the Internet. Even still, if a person follows this through to the letter, they'll be at least partially protected. Of course they'll have to look elsewhere to find documentation for configuring their particular firewall package, as that was wisely left out of that 'draft'.
If Joe Ignorant Homeuser's whiz-bang three computer home LAN is infiltrated because he didn't even implement the most basic safeguards and software patches, well, that's his own fault and I feel no pity for him.
My home LAN uses port and firewalling for all internal services, and that's almost the way it should be. Ideally the only machine with more than one interface on a multi-homed network should be the firewall which, as I'm sure you're well aware, shouldn't be running any daemons.
Re:CUPS is still the best solution (Score:1)
Blkdeath wrote: It does, however, continue to state the need for a firewall in an effective protection setup;
Sure, but you're not getting my point. It mentions that as "defense in depth"; redundant security. The draft implies throughout that these are totally independent methods. They aren't. It's not just a single poorly-worded paragraph; it's wrong.
Re:CUPS is still the best solution (Score:2)
You are absolutely correct and it will be corrected. However, it's not a total disaster. As I mention in another reply, if you are binding to a private address range (as the example does), then the attacker must be one hop away for the "attack" to work. This is assuming they know what your private address is. Thus, it's still good advice.
Re:CUPS is still the best solution (Score:2)
I tested it and it still works even with routing disabled. Scary at first glance, but there is a ray of hope. Exploiting the "weak end host" depends on several things being perfect.
First, an attacker has to know the ip address of the "other side" (where the services you want to protect are listening). Second, assuming you are using the private address range for your "other side" (which is standard), the attacker must be one hop away. Otherwise, the routers between the two systems would not know how to route the packet and simply drop it. This one hop rule will kill most attacks (but not all!) without further effort on your part.
Finally, this attack can be filtered by a firewall quite easily. Don't allow packets from the wrong interface through to that port. Or, if you are using a private address range, all packets with a destination to the private address range get dropped.
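The filter this subthread converges on, as an added example (not from the thread, the portwalling draft or any firewall package): the "weak end host" rule, which drops packets for the internal address that arrive on the external interface, plus the bogon/anti-spoofing rules mentioned earlier. The interface names, address ranges, the LAN daemon's address (192.168.1.1, the one assumed in the portwalling post) and the sample packets are all constructed assumptions. decide() applies the policy to one packet so the logic can be exercised offline; iptables_rules() renders the same policy as iptables commands, returned as strings rather than executed.

```python
"""Model the 'weak end host' filtering discussed above and emit the matching iptables rules.

Added example; it is not from the thread, the portwalling draft or any firewall
package.  The interface names, addresses and sample packets are constructed
assumptions: eth0 faces the Internet, eth1 is the LAN, 192.168.1.0/24 is the
LAN, and a LAN-only daemon (cupsd on 631, say) is bound to 192.168.1.1.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "in_iface src dst dport")

EXTERNAL_IFACE = "eth0"
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN_ONLY_PORTS = {631}


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def decide(pkt):
    """Apply the policy to one inbound packet and return (verdict, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # 127/8 never legitimately appears on a real interface.
    if pkt.in_iface != "lo" and (src in LOOPBACK or dst in LOOPBACK):
        return "DROP", "loopback address on a non-loopback interface"
    if pkt.in_iface == EXTERNAL_IFACE:
        # Anti-spoofing: nothing from the private ranges should arrive from outside.
        if _in_any(src, RFC1918):
            return "DROP", "private source address arriving on the external interface"
        # The weak end host rule: a packet for the LAN address must not come in on
        # eth0, or the kernel will deliver it to the daemon bound to 192.168.1.1.
        if dst in INTERNAL_NET:
            return "DROP", "internal destination arriving on the external interface"
        if pkt.dport in LAN_ONLY_PORTS:
            return "DROP", "LAN-only service port reached from the external interface"
    return "ACCEPT", "no rule matched"


def iptables_rules():
    """The same policy as iptables commands (returned as strings, never executed here)."""
    rules = [
        f"iptables -A INPUT ! -i lo -s {LOOPBACK} -j DROP",
        f"iptables -A INPUT ! -i lo -d {LOOPBACK} -j DROP",
    ]
    rules += [f"iptables -A INPUT -i {EXTERNAL_IFACE} -s {net} -j DROP" for net in RFC1918]
    rules.append(f"iptables -A INPUT -i {EXTERNAL_IFACE} -d {INTERNAL_NET} -j DROP")
    rules += [f"iptables -A INPUT -i {EXTERNAL_IFACE} -p tcp --dport {p} -j DROP"
              for p in sorted(LAN_ONLY_PORTS)]
    return rules


# Constructed sample traffic, with the verdict the policy should give.
SAMPLE_PACKETS = [
    Packet("eth1", "192.168.1.50", "192.168.1.1", 631),   # LAN client printing: ACCEPT
    Packet("eth0", "203.0.113.7", "192.168.1.1", 631),    # weak end host probe: DROP
    Packet("eth0", "192.168.1.50", "192.168.1.1", 631),   # spoofed private source: DROP
    Packet("eth0", "203.0.113.7", "127.0.0.1", 631),      # loopback from outside: DROP
    Packet("eth0", "203.0.113.7", "198.51.100.5", 22),    # ssh to the public address: ACCEPT
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.in_iface, pkt.src, "->", f"{pkt.dst}:{pkt.dport}", *decide(pkt))
    print("\n".join(iptables_rules()))
```

The second sample packet is the case the thread worries about: with nothing but interface binding, the kernel would still hand it to the daemon, and the single -d 192.168.1.0/24 rule on eth0 is what closes it.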
Re:CUPS is still the best solution (Score:2)
However, this idea is a useful and easy tool to make things a little more secure, especially if you are on a private LAN. For completeness, it should be mentioned that xinetd, sendmail, apache, and most well written daemons support this mechanism. See the bind(2) manpage; basically you provide the source address to be something specific besides INADDR_ANY.
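A quick way to check that cupsd is actually bound the way the portwalling post earlier in this thread and the bind(2) note above describe, as an added example (not code from the thread or from CUPS): parse the Port and Listen directives of a cupsd.conf and flag any listener a remote host could reach directly. It assumes the CUPS 1.x directive syntax (Port <n> listens on every interface; Listen <address>:<port> binds one address); the two configuration texts are constructed samples, and 192.168.1.1 is the internal address assumed in the portwalling post.

```python
"""Audit the Listen/Port directives in a cupsd.conf for exposure on every interface.

Added example, not CUPS project code.  It assumes the CUPS 1.x directive syntax
'Port <n>' (listen on all interfaces) and 'Listen <address>:<port>'; the two
configuration texts at the bottom are constructed samples, and 192.168.1.1 is
the internal address assumed in the portwalling post above.
"""
import ipaddress

WILDCARDS = {"*", "0.0.0.0", "::"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def classify(host):
    """Classify a bind address as wildcard, loopback, private, public or hostname."""
    h = host.strip("[]")
    if not h or h in WILDCARDS:
        return "wildcard"
    if h == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return "hostname"  # resolve it out of band before trusting it
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def parse_listeners(conf_text):
    """Return (kind, host, port) for every Port/Listen directive, comments stripped."""
    listeners = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 2:
            continue
        directive, target = parts[0].lower(), parts[1]
        if directive == "port":
            listeners.append(("wildcard", "*", int(target)))
        elif directive == "listen":
            if target.startswith("/"):
                listeners.append(("socket", target, None))  # unix domain socket
                continue
            host, sep, port = target.rpartition(":")
            if not sep:  # bare port number: all interfaces
                host, port = "*", target
            listeners.append((classify(host), host, int(port)))
    return listeners


def audit(conf_text):
    """Return one finding per listener that a remote host could reach directly."""
    findings = []
    for kind, host, port in parse_listeners(conf_text):
        if kind == "wildcard":
            findings.append(f"port {port} is bound on every interface (Port/Listen {host})")
        elif kind == "public":
            findings.append(f"port {port} is bound on public address {host}")
        elif kind == "hostname":
            findings.append(f"port {port} is bound on name {host}; check what it resolves to")
    return findings


WEAK_CONF = """\
# constructed sample: listening on every interface, which is what the thread warns about
Port 631
"""

HARDENED_CONF = """\
# constructed sample: internal interface and loopback only
Listen 192.168.1.1:631
Listen 127.0.0.1:631
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Run it against /etc/cups/cupsd.conf after the init script has had its way with the file, since the Mandrake warning above means the configuration on disk is what counts, not the edit you made.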
Re:CUPS is still the best solution (Score:1)
Mac Users OK (Score:5, Informative)
Re:Mac Users OK (Score:2)
If it was present, will Apple release fixes for those, or just force everyone to buy the 10.2 upgrade?
Re:Mac Users OK (Score:2, Informative)
Re:Mac Users OK (Score:2)
No forcing, no extra cost, the patch was released at the same time as the vulnerability announced, got anything else you wanna try and pick on?
good thing... (Score:2)
"Affected Systems:
Mac OS X 10.2 - Mac OS X 10.2.2
Mac OS X Server 10.2 - Mac OS X Server 10.2.2
Mitigating Factors: The described vulnerability can be remotely exploited only when Printer Sharing is enabled.
Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.
Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3" (released today)
Whew! (Score:3, Funny)
Re:Whew! (Score:1)
CUPS simply kicks ass. You obviously haven't seen how powerful it is. CUPS on a Mac OS X laptop absolutely kicks the dingo's ass.
I can go home and select print. None of the inherent bullshit problems with "Point and Print" or any other crap. I plug in at work and voilà, I have a printer available. CUPS has pushed *nix printing far ahead of the Microsoft "printing" that (by the way) still hasn't gained sway in the print world (where computer printing is your lifeline).
And if your mom's machine really needed it updated, why not SSH into it and do it for her? That's the power you get with a true network OS.
Re:Whew! (Score:3, Interesting)
But have you seen KDE's print menu/system?? It works directly with cups and is actually easier to use than even MS's printer installer.
KDE 3.1 improved things even more, and now the whole system is very sweet. Give it a try.
Derek
Re:Whew! (Score:2)
Really. I could never get it to work, and ended up just telling it to use "lpr". It would fail mysteriously. Yes, I have CUPS running.
Re:Whew! (Score:3, Informative)
We take security very seriously, and as soon as something comes to our attention (either internally or externally), we release a fix ASAP. This latest advisory exposed some integer overflows (previous ones were buffer overflow/DoS only) which could be used to gain access to the (unprivileged) "lp" account, and in one case root access (but that required a local attack or a change in the default configuration for a remote attack...)
After the report we went through all of the related code as well to determine if there were any other problem spots like those reported; we found and fixed a few in the image file filters (which could only get you "lp" access anyways, one of the reasons we don't run everything as root like old LPD did...)
Security advisories like this only improve the quality and "safety" of the CUPS code, and we welcome all reviews, criticisms, etc. - user/developer feedback has been the driving force behind CUPS development.
Is it written by Microsoft (Score:1)
Re:Is it written by Microsoft (Score:2)
Lets see ... (Score:3, Funny)
OK, I'm done.
Wish Windoze security updates were this easy......
Re:Lets see ... (Score:1)
Re:Lets see ... (Score:2)
the client part of it; I never turned it on as a server, so...
Re:Lets see ... (Score:2, Informative)
I clicked, browsed slashdot a little, and in a minute or two it told me it was done.
Yah, that wasn't too hard.
Re:Lets see ... (Score:2)
To each their own. Click away.
After all, who needs to know whats running on their system or their rights as consumers.
Re:Lets see ... (Score:1)
Like, if I have a server that never needs a browser, or a GUI, I never have to worry about patches for it. That's the nice thing about having a small OS with modules, instead of tying everything together.
Of course, Windoze users wouldn't know the benefits of having highly configurable systems like that....
CUPS (Score:3, Funny)
It appears that a vulnerability has been found whereby a malicious user can covertly attach a second string to the midsection of the two originating CUPS and 'tap' into the communication between CUP "A" and CUP "B".
Furthermore, said user can attach a third CUP to the end of his/her string and receive a secondary branch off of all data vibrating between the two original CUPS.
Savvy users can then vocally mimic the voice data being picked up and assume the identity of either CUP "A" or CUP "B".
Agencies around the world have been placed on full alert as they scramble for a patch to this unforeseen security hole!
Damn (Score:2, Funny)
I say again - damn. Is a little blissful ignorance over the festive season too much to ask these days?
Re:Damn (Score:1, Insightful)
Re:Damn (Score:2)
I simply use wget to mirror the updates dir from my local RedHat mirror each night, and log the results. I grep for "saved" in the log file, and if there's anything there apart from "index.html", the script runs RPM -K *.rpm to validate the checksums, and it emails me, and says that there is a new batch of RPMs to install.
I export the updates dir over NFS, and I can mount them on all the other boxes, and update those too.
Re:Damn (Score:2)
Erm - you use Slashdot to get all your info about holes/bugs etc?
No, not at all. See - I'd left work today after spending the last couple of days just doing the "must happen this year" stuff. I got home, loaded up Slashdot looking for a bit of a diversion, and what do I see? Work! Just when I thought I'd left it behind. If Slashdot hadn't run this, I'd still be under the impression everything was OK, and that's what really matters, right? :)
For the record, I use apt with RPM to maintain a bunch of RedHat boxes. I have my own internal repository that contains some internally maintained packages, plus a nightly updated RedHat mirror. It won't take me a lot of work to roll out the fixes - I have a script to execute commands on all the remote machines via SSH - but it wouldn't really have served the humour of the message to include that, would it? It would have helped even less than this over-analysis.
I still call for the various security groups to impose a ban on vulnerability announcements between December 14 and January 14, just to give us all a bit of peace, though!
What is CUPS, you ask? (Score:2, Interesting)
I never really understood what made it better than straight up lpd. Perhaps one of you could enlighten me?
Re:What is CUPS, you ask? (Score:1)
You posted the link, print it, read it... (CUPS users should patch before printing)
Re:What is CUPS, you ask? (Score:1)
Re:What is CUPS, you ask? (Score:1)
In practical terms, it gives you decent print drivers if you don't have a Postscript printer.
The previous printing available for something like a HP 6L was crappy for something like a typical web page. I used it only as text. With CUPS, I can use the HP4 driver package and click print from Netscape and see the page nicely.
Re:What is CUPS, you ask? (Score:2, Insightful)
Re:What is CUPS, you ask? (Score:4, Informative)
I really don't know where the dependence on postscript came from in the first place, but it definitely seems that that's how everything in the Unix world wants to print. I guess it was the most obfuscated language supported by lots of printers, so it was naturally desirable to the Unix crowd :) Also AFAIK PCL came a while after it, but maybe it's just that PCL got good enough to use much later.
Re:What is CUPS, you ask? (Score:2)
A configuration file format which is distinguishable from line noise.
Daniel
something else to keep your beverage in (Score:3, Funny)
I mean what use is a CUP with a HOLE in it?
Ho Hum (Score:1)
Re:Ho Hum (Score:2)
Hmm. I like my Debian boxes. :-)
Re:Ho Hum (Score:1)
"Slew?" (Score:5, Informative)
Of those 9, only *1* of the issues could possibly be used to gain root access, and it depends entirely on the CUPS release, compiler, etc. you use, and for the exploit to work remotely you have to change the default CUPS configuration.
Issue 6 was fixed back in CUPS 1.1.15 (released in June) and is old news.
All but one issue was fixed within a few hours of the report, and the current CUPS release (1.1.18) does not have any of these vulnerabilities.
This is so dumb (Score:1, Insightful)
Re:This is so dumb (Score:1)
Re:This is so dumb (Score:1)
root (needed to bind to port 80)...
Not... if you run NSA's SELinux.
Re:This is so dumb (Score:2)
Sounds like a job for systrace [umich.edu]...
Ugh!! Way too much in a holiday mode ... (Score:3, Funny)
A bug in PAPER (Score:1)
CUPS are not secure. (Score:1)
aluminum mugs secure on coasters much better and they aren't vulnerable to breaking on a tile floor should you drop one.
Oh you mean Common Unix Printing System! My mistake...in a world of lpr and lpr-ng...oh them was fighting words!! I'll never walk the plank! Never!
Huh? (Score:1, Funny)
Sounds more like a description of senior prom night
Note the dates of disclosure. A long time, eh? (Score:2)
That's almost a month and a half since the exploit was initially known, to when even the author of the package was informed; it was almost a month just for that! The general public got to know about this even later.
Maybe this is a good thing, but I wonder. Who had access to this dangerous knowledge while the rest of the world slept, unaware of their vulnerability to this? Sure, a truly secure setup wouldn't be running unnecessary daemons on anything important, but still...
Magic lantern, anyone?
Re:Note the dates of disclosure. A long time, eh? (Score:2)
By releasing the info about what is exploitable and how, you make a hacker's life really easy... he no longer has to go through all the code and try to find an exploitable hole. Now he only has to code an exploit and he's done. Thus they decided the vendors need time to fix their software!
On the other hand, releasing this info after an N-timeframe pressures the vendors into patching their software timely.
However, your question assumes that no one could find this vulnerability _before_ this company did! Of course this is nonsense... a hacker could've found this exploitable code many months ago, and as long as he doesn't make it too public, chances are no one will know about it...
Never, I repeat _never_, assume your software is 100% bug free and un-exploitable! A skilled hacker can find an exploit in almost all software given enough time!
The thing to keep in mind is that a hacker is also subject to the rules of economy: the more hacking into the target is worth, the more time he is willing to spend on finding a way in. For most common servers, the worth is not so high (plenty of targets of similar value, so pick out the easy one...). For banks and the like, this isn't different, of course.
Worst scenarios gain root privileges? (Score:2)
The worst they can do is what ever they want to do, if they get root access. Say it like it is. An attacker can execute arbitrary code, get complete control over the machine. Security issues shouldn't be sugar coated like that.
Where is Linux-Mandrake??? (Score:1, Troll)
I am seriously looking at paying my money and getting the newest version of Libranet. I am enjoying Mandrake 9 now but am getting very tired of waiting for packages getting onto urpmi. It took Linux-Mandrake two weeks to fix Samba, and that was a pretty important update.
Re:Where is Linux-Mandrake??? (Score:3, Insightful)
If you're using OSS, you need to be able to work it, not just sit there and whine for updates.
OSS only for the techno-elite? (Score:1)
Hey, what a great argument, I'll remember that the next time someone asks me if they should switch to Linux. "No, Linux is only for those who know how to program."
Re:OSS only for the techno-elite? (Score:1)
Last Post! (Score:1)
particular are much too difficult for people that think in IBMese, compounded with sloppy English.
-- Edsger Dijkstra
- this post brought to you by the Automated Last Post Generator...
Re:Secure? You wish. (Score:2, Insightful)
People don't move to open source software because there are more lazy people in the world. Well, I'll stick to *NIX.
Plus, instead of having to hire a small amount of people to go through and try to find such large amounts of bugs (Windows), you get every programmer across the globe to look (those who know about your project of course) for free (open source).
Re:Am I Affected? (Score:2, Interesting)
Then I read the first line, and it was crystal
Funny, but I don't see 80% of the people posting in support of the crap posing as software coming out of Redmond. And you--you've got to be AC to admit to using that shit, don't you?
Re:Am I Affected? (Score:2, Insightful)
One of my colleagues altered an NDS group which whacked printing for about 150 people. They took away all of his rights because of that.
Re:I found CUPS to be quite secure (Score:1, Funny)
They should put a warning on Linux and Unix in general that says, "If you are an idiot, don't even think about installing this. This is meant for people who have half a mind, and actually understand what they want from their computer."
Go back to buying sub-par point-and-print bullshit.
Re:I found CUPS to be quite secure (Score:2, Insightful)
Re:Bugs not found by accident (Score:2, Insightful)
> So these dangerous exploits were found by a source code review (as opposed to a script kiddy striking it lucky), which was only possible due to the open source nature of CUPS.
"Script kiddie striking it lucky"? Last I checked, script kiddies don't discover security holes. They let other people do that, then download working exploits, and once in a while one of them is simple enough to be operated without a brain.
> Now that this advisory has taught hackers how to compromise a great many lunix machines
Read the advisory. There's just the mention of the vulnerability, no published exploit. Overlap the group of people capable of understanding the vulnerability and writing an exploit for it with the group of people who would waste their time doing so, and you're left with a very small number.
> isn't it worth considering that CUPs would have been so much more secure had it been a closed source project? It's simple logic that only the most blatant troll could disagree with; source closed --> exploits never found --> hackers can't exploit CUPs.
Reverse engineering? Cracking a machine that contains the source code? Intercepting communications between developers? Security through obscurity doesn't work, period. I can go on for days about that, but there are people far more articulate than I who would be happy to do so.