SUSE-SU-2015:1041-1

Published: 10 Jun 2015
Source: suse-cvrf

Description

Security update for cups

The following issues are fixed by this update:

  • CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208).
  • CVE-2015-1158: Improper Update of Reference Count
  • CVE-2015-1159: Cross-Site Scripting

Package list

SUSE Linux Enterprise Desktop 12
cups-1.7.5-9.1
cups-client-1.7.5-9.1
cups-libs-1.7.5-9.1
cups-libs-32bit-1.7.5-9.1
SUSE Linux Enterprise Server 12
cups-1.7.5-9.1
cups-client-1.7.5-9.1
cups-libs-1.7.5-9.1
cups-libs-32bit-1.7.5-9.1
SUSE Linux Enterprise Server for SAP Applications 12
cups-1.7.5-9.1
cups-client-1.7.5-9.1
cups-libs-1.7.5-9.1
cups-libs-32bit-1.7.5-9.1
SUSE Linux Enterprise Software Development Kit 12
cups-devel-1.7.5-9.1

Description

CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface.


Affected products
SUSE Linux Enterprise Desktop 12:cups-1.7.5-9.1
SUSE Linux Enterprise Desktop 12:cups-client-1.7.5-9.1
SUSE Linux Enterprise Desktop 12:cups-libs-1.7.5-9.1
SUSE Linux Enterprise Desktop 12:cups-libs-32bit-1.7.5-9.1


Description

The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.


Affected products
SUSE Linux Enterprise Desktop 12:cups-1.7.5-9.1
SUSE Linux Enterprise Desktop 12:cups-client-1.7.5-9.1
SUSE Linux Enterprise Desktop 12:cups-libs-1.7.5-9.1
SUSE Linux Enterprise Desktop 12:cups-libs-32bit-1.7.5-9.1


Description

Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/.


Affected products
SUSE Linux Enterprise Desktop 12:cups-1.7.5-9.1
SUSE Linux Enterprise Desktop 12:cups-client-1.7.5-9.1
SUSE Linux Enterprise Desktop 12:cups-libs-1.7.5-9.1
SUSE Linux Enterprise Desktop 12:cups-libs-32bit-1.7.5-9.1
