Security update for cups SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:1056-1 Final 1 1 2015-06-10T13:19:50Z current 2015-06-10T13:19:50Z 2015-06-10T13:19:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cups This update fixes the following issues: - CVE-2015-1158 and CVE-2015-1159 fixes a possible privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (CUPS STR#4609 CERT-VU-810572 CVE-2015-1158 CVE-2015-1159 bugzilla.suse.com bsc#924208). In general it is crucial to limit access to CUPS to trustworthy users who do not misuse their permission to submit print jobs which means to upload arbitrary data onto the CUPS server, see https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings and cf. the entries about CVE-2012-5519 below. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html E-Mail link for openSUSE-SU-2015:1056-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings cups-1.5.4-12.20.1 cups-client-1.5.4-12.20.1 cups-ddk-1.5.4-12.20.1 cups-devel-1.5.4-12.20.1 cups-libs-1.5.4-12.20.1 cups-libs-32bit-1.5.4-12.20.1 CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface. CVE-2012-5519 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html https://www.suse.com/security/cve/CVE-2012-5519.html CVE-2012-5519 https://bugzilla.suse.com/1180148 SUSE Bug 1180148 https://bugzilla.suse.com/789566 SUSE Bug 789566 https://bugzilla.suse.com/882905 SUSE Bug 882905 https://bugzilla.suse.com/924208 SUSE Bug 924208 The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code. CVE-2015-1158 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html https://www.suse.com/security/cve/CVE-2015-1158.html CVE-2015-1158 https://bugzilla.suse.com/924208 SUSE Bug 924208 https://bugzilla.suse.com/976653 SUSE Bug 976653 Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/. CVE-2015-1159 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html https://www.suse.com/security/cve/CVE-2015-1159.html CVE-2015-1159 https://bugzilla.suse.com/924208 SUSE Bug 924208 https://bugzilla.suse.com/976653 SUSE Bug 976653