USN-906-1: CUPS vulnerabilities

Releases

• Ubuntu 9.10
• Ubuntu 9.04
• Ubuntu 8.10
• Ubuntu 8.04
• Ubuntu 6.06

Packages

• cups -
• cupsys -

Details

It was discovered that the CUPS scheduler did not properly handle certain
network operations. A remote attacker could exploit this flaw and cause the
CUPS server to crash, resulting in a denial of service. This issue only
affected Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10. (CVE-2009-3553,
CVE-2010-0302)

Ronald Volgers discovered that the CUPS lppasswd tool could be made to load
localized message strings from arbitrary files by setting an environment
variable. A local attacker could exploit this with a format-string
vulnerability leading to a root privilege escalation. The default compiler
options for Ubuntu 8.10, 9.04 and 9.10 should reduce this vulnerability to
a denial of service. (CVE-2010-0393)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10

• cups - 1.4.1-5ubuntu2.4
• cups-client - 1.4.1-5ubuntu2.4

Ubuntu 9.04

• cups - 1.3.9-17ubuntu3.6
• cups-client - 1.3.9-17ubuntu3.6

Ubuntu 8.10

• cups - 1.3.9-2ubuntu9.5
• cups-client - 1.3.9-2ubuntu9.5

Ubuntu 8.04

• cupsys-client - 1.3.7-1ubuntu3.8
• cupsys - 1.3.7-1ubuntu3.8

Ubuntu 6.06

• cupsys-client - 1.2.2-0ubuntu0.6.06.17
• cupsys - 1.2.2-0ubuntu0.6.06.17

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

• CVE-2009-3553
• CVE-2010-0302
• CVE-2010-0393