SUSE-SU-2014:1023-1: Security update for CUPS
sle-security-updates at lists.suse.com
Thu Aug 14 17:04:39 MDT 2014
SUSE Security Update: Security update for CUPS
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:1023-1
Rating: low
References: #789566 #802408 #827109 #887240
Cross-References: CVE-2014-3537
Affected Products:
SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________
An update that solves one vulnerability and has three fixes
is now available.
Description:
This update fixes various issues in CUPS.
* CVE-2014-3537 CVE-2014-5029 CVE-2014-5030 CVE-2014-5031: Various
insufficient symbolic link checking could lead to privilege escalation
from the lp user to root.
* Similar to that, this update hardens various permissions of CUPS,
which could have been used by users allowed to administrate the CUPS
Server to escalate privileges to "root".
* CVE-2012-5519: The patch adds better default protection against
misuse of privileges by normal users who have been specifically allowed by
root to do cupsd configuration changes.
The new ConfigurationChangeRestriction cupsd.conf directive
specifies the level of restriction for cupsd.conf changes that happen via
HTTP/IPP requests to the running cupsd (e.g. via CUPS web interface
or via the cupsctl command).
By default, certain cupsd.conf directives that deal with filenames,
paths, and users can no longer be changed via requests to the running
cupsd but only by manually editing the cupsd.conf file, whose default file
permissions permit only root to write it.
Those directives are: ConfigurationChangeRestriction, AccessLog,
BrowseLDAPCACertFile, CacheDir, ConfigFilePerm, DataDir, DocumentRoot,
ErrorLog, FileDevice, FontPath, Group, LogFilePerm, PageLog, Printcap,
PrintcapFormat, PrintcapGUI, RemoteRoot, RequestRoot, ServerBin,
ServerCertificate, ServerKey, ServerRoot, StateDir, SystemGroup,
SystemGroupAuthKey, TempDir, User.
The default group of users who are allowed to do cupsd configuration
changes via requests to the running cupsd (i.e. the SystemGroup directive
in cupsd.conf) is set to 'root' only.
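An added example (not code from SUSE or the CUPS project) that checks the two hardened defaults described above on a cupsd.conf: a small Python audit, run here on a constructed sample configuration, that flags SystemGroup entries other than root and ownership or permission bits that would let a non-root user write the file. The function names and the minimal directive parser are my own.

```python
import os
import stat
from typing import Dict, List

# Constructed sample cupsd.conf (not a real system file): SystemGroup still
# grants configuration changes to 'sys' and 'lpadmin'; the update's hardened
# default reduces it to 'root' only.
SAMPLE_CUPSD_CONF = """\
# constructed sample
LogLevel warn
SystemGroup sys root lpadmin
ServerRoot /etc/cups
"""


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Map lowercase top-level directive names to their arguments."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):  # skip comments, section markers
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def audit_cupsd_conf(text: str, mode: int, uid: int, gid: int) -> List[str]:
    """Findings for the two hardened defaults: SystemGroup = root only,
    and cupsd.conf writable by nobody but root."""
    findings: List[str] = []
    groups = parse_directives(text).get("systemgroup", [])
    extra = [g for g in groups if g != "root"]
    if extra:
        findings.append("SystemGroup allows non-root groups: " + " ".join(extra))
    if uid != 0:
        findings.append("cupsd.conf is not owned by root (uid %d)" % uid)
    if gid != 0 and mode & stat.S_IWGRP:
        findings.append("cupsd.conf is group-writable by a non-root group")
    if mode & stat.S_IWOTH:
        findings.append("cupsd.conf is world-writable")
    return findings


def audit_file(path: str = "/etc/cups/cupsd.conf") -> List[str]:
    """Audit a real file using its on-disk owner and permission bits."""
    st = os.stat(path)
    with open(path) as fh:
        return audit_cupsd_conf(fh.read(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
```

On a live system, `audit_file()` reads the real file and its stat data; on the constructed sample with owner root, group root and mode 0640 the only finding is the SystemGroup one.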
Additional bugfixes:
* A trailing "@REALM" is stripped from the username for Kerberos
authentication (CUPS STR#3972 bnc#827109).
* The hardcoded printing delay of 5 seconds for the "socket" backend is
made conditional, applying only on Mac OS X, which is the only platform
that needs it (CUPS STR#3495 bnc#802408).
Security Issues:
* CVE-2014-3537
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537>
* CVE-2012-5519
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5519>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP1 LTSS:
zypper in -t patch slessp1-cups-9560
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):
cups-1.3.9-8.46.52.2
cups-client-1.3.9-8.46.52.2
cups-libs-1.3.9-8.46.52.2
- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):
cups-libs-32bit-1.3.9-8.46.52.2
References:
http://support.novell.com/security/cve/CVE-2014-3537.html
https://bugzilla.novell.com/789566
https://bugzilla.novell.com/802408
https://bugzilla.novell.com/827109
https://bugzilla.novell.com/887240
http://download.suse.com/patch/finder/?keywords=9fa4ff390778044cbd28b976bb279a78