PublicDateAtUSN: 2014-07-29
Candidate: CVE-2014-5030
PublicDate: 2014-07-29 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030
 http://seclists.org/oss-sec/2014/q3/209
 https://ubuntu.com/security/notices/USN-2341-1
Description:
 CUPS before 2.0 allows local users to read arbitrary files via a symlink
 attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5)
 index.pyc, or (6) index.py.
Ubuntu-Description:
Notes:
 mdeslaur> The patch below introduces a regression preventing the web
 mdeslaur> interface from being able to read log files. (See comments in
 mdeslaur> bug 4455.)
Bugs:
 https://cups.org/str.php?L4455
 https://cups.org/str.php?L4461
Priority: medium
Discovered-by: Salvatore Bonaccorso
Assigned-to: mdeslaur
CVSS: 

Patches_cups:
 upstream: https://cups.org/strfiles.php/3371/str4455-1.7.patch
upstream_cups: released (1.7.4-5)
lucid_cups: released (1.4.3-1ubuntu1.13)
precise_cups: released (1.5.3-0ubuntu8.5)
trusty_cups: released (1.7.2-0ubuntu1.2)
trusty/esm_cups: DNE (trusty was released [1.7.2-0ubuntu1.2])
devel_cups: not-affected (1.7.5-1)