PublicDateAtUSN: 2014-07-17
Candidate: CVE-2014-3537
PublicDate: 2014-07-23 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
 https://ubuntu.com/security/notices/USN-2293-1
Description:
 The web interface in CUPS before 1.7.4 allows local users in the lp group
 to read arbitrary files via a symlink attack on a file in
 /var/cache/cups/rss/.
Ubuntu-Description:
Notes:
 jdstrand> per upstream, requires web interface to be enabled
 mdeslaur> patch in 1.7.4 is slightly different than the one in the bug
Bugs:
 https://www.cups.org/str.php?L4450
Priority: medium
Discovered-by: Francisco Alonso
Assigned-to: mdeslaur
CVSS:

Patches_cups:
 upstream: https://www.cups.org/strfiles.php/3363/str4450.patch
upstream_cups: released (1.7.4-1)
lucid_cups: released (1.4.3-1ubuntu1.12)
precise_cups: released (1.5.3-0ubuntu8.4)
trusty_cups: released (1.7.2-0ubuntu1.1)
trusty/esm_cups: DNE (trusty was released [1.7.2-0ubuntu1.1])
devel_cups: not-affected (1.7.4-1)