The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of CUPS: privilege escalation via RSS

Synthesis of the vulnerability 

An attacker who is a member of the lp group can create a symbolic link, and then read the RSS feed of CUPS, in order to escalate their privileges.
Impacted products: Debian, Fedora, RHEL, Ubuntu, Unix (platform); list not comprehensive.
Severity of this bulletin: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 22/07/2014.
References of this threat: 4455, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031, DSA-2990-1, FEDORA-2014-8752, FEDORA-2014-9703, MDVSA-2014:151, MDVSA-2015:108, RHSA-2014:1388-02, USN-2341-1, VIGILANCE-VUL-15081.

Description of the vulnerability 

The CUPS product offers a web service with an RSS information feed, which is impacted by vulnerability VIGILANCE-VUL-15074.

However, when the language (language[0]) is not set, the patch for that vulnerability is not effective.

An attacker who is a member of the lp group can therefore still create a symbolic link, and then read the RSS feed of CUPS, in order to escalate their privileges.
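One common way for a file-serving daemon to avoid following a symbolic link planted in a directory that a less-privileged group can write to, shown here as an added example. It is not CUPS code and not the vendors' patch; `open_feed_file`, `demo_symlink_refused` and the file names are hypothetical, and the sample directory is constructed.

```c
/* Added example (not CUPS source): open a file from a group-writable
 * directory for serving, refusing symlinks and non-regular files. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `name` inside directory descriptor `dfd`.
 * Returns a read-only descriptor, or -1 if the entry must not be served. */
int open_feed_file(int dfd, const char *name)
{
    struct stat st;
    if (strchr(name, '/') != NULL) { errno = EINVAL; return -1; }
    /* O_NOFOLLOW: the open fails if the final component is a symlink. */
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    /* fstat() the descriptor we hold, so check and use cannot be raced. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd); errno = EACCES; return -1;
    }
    return fd;
}

/* Self-check on constructed data: a temp dir with one regular file and one
 * symlink. Returns 1 if the file opens and the symlink is refused. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/feeddemoXXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    int wfd = openat(dfd, "real.rss", O_WRONLY | O_CREAT | O_EXCL, 0640);
    if (wfd < 0 || symlinkat("real.rss", dfd, "link.rss") != 0) return -1;
    close(wfd);
    int ok_fd = open_feed_file(dfd, "real.rss");
    int bad_fd = open_feed_file(dfd, "link.rss");
    if (ok_fd >= 0) close(ok_fd);
    if (bad_fd >= 0) close(bad_fd);
    unlinkat(dfd, "link.rss", 0); unlinkat(dfd, "real.rss", 0);
    close(dfd); rmdir(dir);
    return ok_fd >= 0 && bad_fd < 0;
}

int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```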

This weakness impacts software or systems such as Debian, Fedora, RHEL, Ubuntu, Unix (platform); list not comprehensive.

Our Vigil@nce team determined that the severity of this security bulletin is medium.

The trust level is: confirmed by the editor. The origin is: user shell.

This bulletin is about 3 vulnerabilities.

An attacker with expert ability can exploit this weakness.

Solutions for this threat 

Debian: new cups packages.
New packages are available:
  Debian 7: cups 1.5.3-5+deb7u4

Fedora 19: new cups packages.
New packages are available:
  Fedora 19: cups 1.6.4-10.fc19

Fedora 20: new cups packages.
New packages are available:
  Fedora 20: cups 1.7.4-3.fc20

Mandriva BS2: new cups packages.
New packages are available:
  Mandriva BS2: cups 1.7.0-8.1.mbs2

Mandriva: new cups packages.
New packages are available:
  Mandriva BS1: cups 1.5.4-1.6.mbs1

RHEL 6: new cups packages.
New packages are available:
  RHEL 6: cups 1.4.2-67.el6

Ubuntu: new cups packages.
New packages are available:
  Ubuntu 14.04 LTS: cups 1.7.2-0ubuntu1.2
  Ubuntu 12.04 LTS: cups 1.5.3-0ubuntu8.5
  Ubuntu 10.04 LTS: cups 1.4.3-1ubuntu1.13