Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2014-5029

The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537.

Related bugs and status

CVE-2014-5029 (Candidate) is related to these bugs:

Bug #1349387: server settings are inaccessible

		In	Importance	Status
1349387	server settings are inaccessible	cups (Ubuntu)	Undecided	Fix Released
1349387	server settings are inaccessible	cups (Ubuntu Utopic)	Undecided	Fix Released
1349387	server settings are inaccessible	cups (Ubuntu Trusty)	Undecided	Fix Released
1349387	server settings are inaccessible	cups (Ubuntu Lucid)	Undecided	Fix Released
1349387	server settings are inaccessible	cups (Ubuntu Precise)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2014072...
MLIST: [oss-security] 2014072...
CONFIRM: https://cups.org/str.p...
DEBIAN: DSA-2990
SECUNIA: 60509
REDHAT: RHSA-2014:1388
UBUNTU: USN-2341-1
CONFIRM: http://advisories.mage...
MANDRIVA: MDVSA-2015:108
SECUNIA: 60787