Security update for CUPS
SUSE Security Update: Security update for CUPS
This update fixes various issues in CUPS.
*
CVE-2014-3537 CVE-2014-5029 CVE-2014-5030 CVE-2014-5031: Various
insufficient symbolic link checking could lead to privilege escalation
from the lp user to root.
*
Similar to that, this update hardens various permissions of CUPS,
which could have been used by users allowed to administrate the CUPS
Server to escalate privileges to "root".
*
CVE-2012-5519: The patch adds better default protection against
misuse of privileges by normal users who have been specifically allowed by
root to do cupsd configuration changes
The new ConfigurationChangeRestriction cupsd.conf directive
specifies the level of restriction for cupsd.conf changes that happen via
HTTP/IPP requests to the running cupsd (e.g. via CUPS web interface
or via the cupsctl command).
By default certain cupsd.conf directives that deal with filenames,
paths, and users can no longer be changed via requests to the running
cupsd but only by manual editing the cupsd.conf file and its default file
permissions permit only root to write the cupsd.conf file.
Those directives are: ConfigurationChangeRestriction, AccessLog,
BrowseLDAPCACertFile, CacheDir, ConfigFilePerm, DataDir, DocumentRoot,
ErrorLog, FileDevice, FontPath, Group, LogFilePerm, PageLog, Printcap,
PrintcapFormat, PrintcapGUI, RemoteRoot, RequestRoot, ServerBin,
ServerCertificate, ServerKey, ServerRoot, StateDir, SystemGroup,
SystemGroupAuthKey, TempDir, User.
The default group of users who are allowed to do cupsd configuration
changes via requests to the running cupsd (i.e. the SystemGroup directive
in cupsd.conf) is set to 'root' only.
Additional bugfixes:
*
A trailing "@REALM" is stripped from the username for Kerberos
authentication (CUPS STR#3972 bnc#827109).
*
The hardcoded printing delay of 5 seconds for the "socket" backend
conditional only on Mac OS X which is the only platform that needs it
(CUPS STR#3495 bnc#802408).
Security Issues:
* CVE-2014-3537
* CVE-2012-5519
| Announcement ID: | SUSE-SU-2014:1023-1 |
| Rating: | low |
| References: | #789566 #802408 #827109 #887240 |
| Affected Products: |
An update that solves one vulnerability and has three fixes is now available.
Description:
This update fixes various issues in CUPS.
*
CVE-2014-3537 CVE-2014-5029 CVE-2014-5030 CVE-2014-5031: Various
insufficient symbolic link checking could lead to privilege escalation
from the lp user to root.
*
Similar to that, this update hardens various permissions of CUPS,
which could have been used by users allowed to administrate the CUPS
Server to escalate privileges to "root".
*
CVE-2012-5519: The patch adds better default protection against
misuse of privileges by normal users who have been specifically allowed by
root to do cupsd configuration changes
The new ConfigurationChangeRestriction cupsd.conf directive
specifies the level of restriction for cupsd.conf changes that happen via
HTTP/IPP requests to the running cupsd (e.g. via CUPS web interface
or via the cupsctl command).
By default certain cupsd.conf directives that deal with filenames,
paths, and users can no longer be changed via requests to the running
cupsd but only by manual editing the cupsd.conf file and its default file
permissions permit only root to write the cupsd.conf file.
Those directives are: ConfigurationChangeRestriction, AccessLog,
BrowseLDAPCACertFile, CacheDir, ConfigFilePerm, DataDir, DocumentRoot,
ErrorLog, FileDevice, FontPath, Group, LogFilePerm, PageLog, Printcap,
PrintcapFormat, PrintcapGUI, RemoteRoot, RequestRoot, ServerBin,
ServerCertificate, ServerKey, ServerRoot, StateDir, SystemGroup,
SystemGroupAuthKey, TempDir, User.
The default group of users who are allowed to do cupsd configuration
changes via requests to the running cupsd (i.e. the SystemGroup directive
in cupsd.conf) is set to 'root' only.
Additional bugfixes:
*
A trailing "@REALM" is stripped from the username for Kerberos
authentication (CUPS STR#3972 bnc#827109).
*
The hardcoded printing delay of 5 seconds for the "socket" backend
conditional only on Mac OS X which is the only platform that needs it
(CUPS STR#3495 bnc#802408).
Security Issues:
* CVE-2014-3537
* CVE-2012-5519
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP1 LTSS:
zypper in -t patch slessp1-cups-9560
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):
- cups-1.3.9-8.46.52.2
- cups-client-1.3.9-8.46.52.2
- cups-libs-1.3.9-8.46.52.2
- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):
- cups-libs-32bit-1.3.9-8.46.52.2
References:
- http://support.novell.com/security/cve/CVE-2014-3537.html
- https://bugzilla.novell.com/789566
- https://bugzilla.novell.com/802408
- https://bugzilla.novell.com/827109
- https://bugzilla.novell.com/887240
- http://download.suse.com/patch/finder/?keywords=9fa4ff390778044cbd28b976bb279a78