CVE-2014-3537

Priority
Medium
Description
The web interface in CUPS before 1.7.4 allows local users in the lp group
to read arbitrary files via a symlink attack on a file in
/var/cache/cups/rss/.
References
Bugs
Notes
jdstrand> per upstream, requires web interface to be enabled
mdeslaur> patch in 1.7.4 is slightly different than the one in the bug
Assigned-to
mdeslaur
Package
Source: cups (LP Ubuntu Debian)
Upstream: released (1.7.4-1)
Ubuntu 10.04 LTS (Lucid Lynx): released (1.4.3-1ubuntu1.12)
Ubuntu 12.04 LTS (Precise Pangolin): released (1.5.3-0ubuntu8.4)
Ubuntu 14.04 LTS (Trusty Tahr): released (1.7.2-0ubuntu1.1)
Ubuntu 14.10 (Utopic Unicorn): not-affected (1.7.4-1)
Patches:
Upstream: https://www.cups.org/strfiles.php/3363/str4450.patch
More Information


Updated: 2014-07-23 19:14:33 UTC (commit 8271)