CVE-2014-3537
Published: 17 July 2014
The web interface in CUPS before 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/.
Notes
Author | Note |
---|---|
jdstrand | per upstream, requires web interface to be enabled |
mdeslaur | patch in 1.7.4 is slightly different than the one in the bug |
Priority
Status
Package | Release | Status |
---|---|---|
cups Launchpad, Ubuntu, Debian |
upstream |
Released
(1.7.4-1)
|
lucid |
Released
(1.4.3-1ubuntu1.12)
|
|
precise |
Released
(1.5.3-0ubuntu8.4)
|
|
trusty |
Does not exist
(trusty was released [1.7.2-0ubuntu1.1])
|
|
Patches: upstream: https://www.cups.org/strfiles.php/3363/str4450.patch |