Advisories ยป MGASA-2014-0313

Updated cups packages fix security vulnerability

Publication date: 05 Aug 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-3537 , CVE-2014-5029 , CVE-2014-5030 , CVE-2014-5031

Description

In CUPS before 1.7.4, a local user with privileges of group=lp can write
symbolic links in the rss directory and use that to gain '@SYSTEM' group
privilege with cupsd (CVE-2014-3537).

It was discovered that the web interface in CUPS incorrectly validated
permissions on rss files and directory index files. A local attacker could
possibly use this issue to bypass file permissions and read arbitrary files,
possibly leading to a privilege escalation (CVE-2014-5029, CVE-2014-5030,
CVE-2014-5031).
                

References

SRPMS

4/core

3/core