Bug 35402

Summary: cups: Multiple issues (3.2)
Product: UCS Reporter: Moritz Muehlenhoff <jmm>
Component: Security updatesAssignee: Arvid Requate <requate>
Status: CLOSED DUPLICATE QA Contact: Felix Botner <botner>
Severity: normal    
Priority: P4 CC: requate, walkenhorst
Version: UCS 3.2Flags: requate: Patch_Available+
Target Milestone: UCS 3.2-8-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: --- What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:
Bug Depends on:    
Bug Blocks: 37267, 43591    

Description Moritz Muehlenhoff univentionstaff 2014-07-17 15:59:50 CEST 
CVE-2014-2856: Cross-site scripting in the we interface
Comment 1 Moritz Muehlenhoff univentionstaff 2014-07-23 10:28:14 CEST 
(In reply to Moritz Muehlenhoff from comment #0)
> CVE-2014-2856: Cross-site scripting in the web interface

The original upstream fix was incomplete; three additional CVE IDs have been assigned: CVE-2014-5031 CVE-2014-5030 CVE-2014-5029
Comment 2 Arvid Requate univentionstaff 2015-02-16 17:22:34 CET 
CVE-2014-9679: buffer overflow in cupsRasterReadPixels
Comment 3 Moritz Muehlenhoff univentionstaff 2015-02-17 07:24:38 CET 
CVE-2014-3537

Cups features a built-in RSS mechanism to notify users of the print scheduler status. The CUPS web server serves requests to any URL starting with "/rss" with the respecitive file below /var/cache/cups/rss/. This directory is writable by the group "sys" and the CUPS web server follows symlinks, i.e. it would be possible to symlink to e.g. /etc/machine.secret.

The impact on UCS is rather low: "sys" is a local group and empty by default.
Comment 4 Moritz Muehlenhoff univentionstaff 2015-02-17 07:24:53 CET 
*** Bug 35357 has been marked as a duplicate of this bug. ***
Comment 5 Arvid Requate univentionstaff 2015-05-06 17:12:15 CEST 
Fixed in upstream Debian package version 1.4.4-7+squeeze7
Comment 6 Arvid Requate univentionstaff 2015-06-17 16:28:49 CEST 
Fixed in upstream Debian package version 1.4.4-7+squeeze8:

* Improper Update of Reference Count (CVE-2015-1158)
* Cross-Site Scripting (CVE-2015-1159)
Comment 7 Arvid Requate univentionstaff 2016-06-08 22:07:41 CEST 

*** This bug has been marked as a duplicate of bug 39401 ***
Comment 8 Felix Botner univentionstaff 2016-06-16 10:39:00 CEST 
OK