[gentoo-announce] [ GLSA 201207-10 ] CUPS: Multiple vulnerabilities - gentoo-announce

From:	Sean Amoss <ackle@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201207-10 ] CUPS: Multiple vulnerabilities
Date:	Tue, 10 Jul 2012 00:00:00
Message-Id:	`4FFB6E97.3050001@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201207-10

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: High

8

    Title: CUPS: Multiple vulnerabilities

9

     Date: July 09, 2012

10

     Bugs: #295256, #308045, #325551, #380771

11

       ID: 201207-10

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in CUPS, some of which may

19

allow execution of arbitrary code or local privilege escalation.

20

21

Background

22

==========

23

24

CUPS, the Common Unix Printing System, is a full-featured print server.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  net-print/cups              < 1.4.8-r1               >= 1.4.8-r1

33

34

Description

35

===========

36

37

Multiple vulnerabilities have been discovered in CUPS. Please review

38

the CVE identifiers referenced below for details.

39

40

Impact

41

======

42

43

A remote attacker may be able to execute arbitrary code using specially

44

crafted streams, IPP requests or files, or cause a Denial of Service

45

(daemon crash or hang). A local attacker may be able to gain escalated

46

privileges or overwrite arbitrary files. Furthermore, a remote attacker

47

may be able to obtain sensitive information from the CUPS process or

48

hijack a CUPS administrator authentication request.

49

50

Workaround

51

==========

52

53

There is no known workaround at this time.

54

55

Resolution

56

==========

57

58

All CUPS users should upgrade to the latest version:

59

60

  # emerge --sync

61

  # emerge --ask --oneshot --verbose ">=net-print/cups-1.4.8-r1"

62

63

NOTE: This is a legacy GLSA. Updates for all affected architectures are

64

available since September 03, 2011. It is likely that your system is

65

already no longer affected by this issue.

66

67

References

68

==========

69

70

[  1 ] CVE-2009-3553

71

       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3553

72

[  2 ] CVE-2010-0302

73

       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0302

74

[  3 ] CVE-2010-0393

75

       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0393

76

[  4 ] CVE-2010-0540

77

       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0540

78

[  5 ] CVE-2010-0542

79

       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0542

80

[  6 ] CVE-2010-1748

81

       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1748

82

[  7 ] CVE-2010-2431

83

       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2431

84

[  8 ] CVE-2010-2432

85

       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2432

86

[  9 ] CVE-2010-2941

87

       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2941

88

[ 10 ] CVE-2011-3170

89

       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3170

90

91

Availability

92

============

93

94

This GLSA and any updates to it are available for viewing at

95

the Gentoo Security Website:

96

97

 http://security.gentoo.org/glsa/glsa-201207-10.xml

98

99

Concerns?

100

=========

101

102

Security is a primary focus of Gentoo Linux and ensuring the

103

confidentiality and security of our users' machines is of utmost

104

importance to us. Any security concerns should be addressed to

105

security@g.o or alternatively, you may file a bug at

106

https://bugs.gentoo.org.

107

108

License

109

=======

110

111

Copyright 2012 Gentoo Foundation, Inc; referenced text

112

belongs to its owner(s).

113

114

The contents of this document are licensed under the

115

Creative Commons - Attribution / Share Alike license.

116

117

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201207-10
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: CUPS: Multiple vulnerabilities
9	Date: July 09, 2012
10	Bugs: #295256, #308045, #325551, #380771
11	ID: 201207-10
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in CUPS, some of which may
19	allow execution of arbitrary code or local privilege escalation.
20
21	Background
22	==========
23
24	CUPS, the Common Unix Printing System, is a full-featured print server.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 net-print/cups < 1.4.8-r1 >= 1.4.8-r1
33
34	Description
35	===========
36
37	Multiple vulnerabilities have been discovered in CUPS. Please review
38	the CVE identifiers referenced below for details.
39
40	Impact
41	======
42
43	A remote attacker may be able to execute arbitrary code using specially
44	crafted streams, IPP requests or files, or cause a Denial of Service
45	(daemon crash or hang). A local attacker may be able to gain escalated
46	privileges or overwrite arbitrary files. Furthermore, a remote attacker
47	may be able to obtain sensitive information from the CUPS process or
48	hijack a CUPS administrator authentication request.
49
50	Workaround
51	==========
52
53	There is no known workaround at this time.
54
55	Resolution
56	==========
57
58	All CUPS users should upgrade to the latest version:
59
60	# emerge --sync
61	# emerge --ask --oneshot --verbose ">=net-print/cups-1.4.8-r1"
62
63	NOTE: This is a legacy GLSA. Updates for all affected architectures are
64	available since September 03, 2011. It is likely that your system is
65	already no longer affected by this issue.
66
67	References
68	==========
69
70	[ 1 ] CVE-2009-3553
71	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3553
72	[ 2 ] CVE-2010-0302
73	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0302
74	[ 3 ] CVE-2010-0393
75	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0393
76	[ 4 ] CVE-2010-0540
77	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0540
78	[ 5 ] CVE-2010-0542
79	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0542
80	[ 6 ] CVE-2010-1748
81	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1748
82	[ 7 ] CVE-2010-2431
83	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2431
84	[ 8 ] CVE-2010-2432
85	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2432
86	[ 9 ] CVE-2010-2941
87	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2941
88	[ 10 ] CVE-2011-3170
89	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3170
90
91	Availability
92	============
93
94	This GLSA and any updates to it are available for viewing at
95	the Gentoo Security Website:
96
97	http://security.gentoo.org/glsa/glsa-201207-10.xml
98
99	Concerns?
100	=========
101
102	Security is a primary focus of Gentoo Linux and ensuring the
103	confidentiality and security of our users' machines is of utmost
104	importance to us. Any security concerns should be addressed to
105	security@g.o or alternatively, you may file a bug at
106	https://bugs.gentoo.org.
107
108	License
109	=======
110
111	Copyright 2012 Gentoo Foundation, Inc; referenced text
112	belongs to its owner(s).
113
114	The contents of this document are licensed under the
115	Creative Commons - Attribution / Share Alike license.
116
117	http://creativecommons.org/licenses/by-sa/2.5