SUSE-SU-2014:1023-1: Security update for CUPS

sle-updates at sle-updates at
Thu Aug 14 17:04:39 MDT 2014

   SUSE Security Update: Security update for CUPS

Announcement ID:    SUSE-SU-2014:1023-1
Rating:             low
References:         #789566 #802408 #827109 #887240 
Cross-References:   CVE-2014-3537
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS

   An update that solves one vulnerability and has three fixes
   is now available.


   This update fixes various issues in CUPS.


         CVE-2014-3537 CVE-2014-5029 CVE-2014-5030 CVE-2014-5031: Various
   insufficient symbolic link checking could lead to privilege escalation
   from the lp user to root.


         Similar to that, this update hardens various permissions of CUPS,
   which could have been used by users allowed to administrate the CUPS
   Server to escalate privileges to "root".


         CVE-2012-5519: The patch adds better default protection against
   misuse of privileges by normal users who have been specifically allowed by
   root to do cupsd configuration changes

         The new ConfigurationChangeRestriction cupsd.conf directive
   specifies the level of restriction for cupsd.conf changes that happen via
   HTTP/IPP requests to the running cupsd (e.g. via CUPS web interface
         or via the cupsctl command).

         By default certain cupsd.conf directives that deal with filenames,
   paths, and users can no longer be changed via requests to the running
   cupsd but only by manual editing the cupsd.conf file and its default file
   permissions permit only root to write the cupsd.conf file.

         Those directives are: ConfigurationChangeRestriction, AccessLog,
   BrowseLDAPCACertFile, CacheDir, ConfigFilePerm, DataDir, DocumentRoot,
   ErrorLog, FileDevice, FontPath, Group, LogFilePerm, PageLog, Printcap,
   PrintcapFormat, PrintcapGUI, RemoteRoot, RequestRoot, ServerBin,
   ServerCertificate, ServerKey, ServerRoot, StateDir, SystemGroup,
   SystemGroupAuthKey, TempDir, User.

         The default group of users who are allowed to do cupsd configuration
   changes via requests to the running cupsd (i.e. the SystemGroup directive
   in cupsd.conf) is set to 'root' only.

   Additional bugfixes:


         A trailing "@REALM" is stripped from the username for Kerberos
   authentication (CUPS STR#3972 bnc#827109).


         The hardcoded printing delay of 5 seconds for the "socket" backend
   conditional only on Mac OS X which is the only platform that needs it
   (CUPS STR#3495 bnc#802408).

   Security Issues:

       * CVE-2014-3537
       * CVE-2012-5519

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-cups-9560

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):


   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):



More information about the sle-updates mailing list