Security update for cups SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:1041-1 Final 1 1 2015-06-10T14:30:04Z current 2015-06-10T14:30:04Z 2015-06-10T14:30:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cups The following issues are fixed by this update: * CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208). * CVE-2015-1158: Improper Update of Reference Count * CVE-2015-1159: Cross-Site Scripting The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-2015-264,SUSE-SLE-SDK-12-2015-264,SUSE-SLE-SERVER-12-2015-264 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20151041-1/ Link for SUSE-SU-2015:1041-1 https://lists.suse.com/pipermail/sle-security-updates/2015-June/001431.html E-Mail link for SUSE-SU-2015:1041-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/924208 SUSE Bug 924208 https://www.suse.com/security/cve/CVE-2012-5519/ SUSE CVE CVE-2012-5519 page https://www.suse.com/security/cve/CVE-2015-1158/ SUSE CVE CVE-2015-1158 page https://www.suse.com/security/cve/CVE-2015-1159/ SUSE CVE CVE-2015-1159 page SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Software Development Kit 12 cups-1.7.5-9.1 cups-client-1.7.5-9.1 cups-libs-1.7.5-9.1 cups-libs-32bit-1.7.5-9.1 cups-devel-1.7.5-9.1 cups-1.7.5-9.1 as a component of SUSE Linux Enterprise Desktop 12 cups-client-1.7.5-9.1 as a component of SUSE Linux Enterprise Desktop 12 cups-libs-1.7.5-9.1 as a component of SUSE Linux Enterprise Desktop 12 cups-libs-32bit-1.7.5-9.1 as a component of SUSE Linux Enterprise Desktop 12 cups-1.7.5-9.1 as a component of SUSE Linux Enterprise Server 12 cups-client-1.7.5-9.1 as a component of SUSE Linux Enterprise Server 12 cups-libs-1.7.5-9.1 as a component of SUSE Linux Enterprise Server 12 cups-libs-32bit-1.7.5-9.1 as a component of SUSE Linux Enterprise Server 12 cups-1.7.5-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 cups-client-1.7.5-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 cups-libs-1.7.5-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 cups-libs-32bit-1.7.5-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 cups-devel-1.7.5-9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface. CVE-2012-5519 SUSE Linux Enterprise Desktop 12:cups-1.7.5-9.1 SUSE Linux Enterprise Desktop 12:cups-client-1.7.5-9.1 SUSE Linux Enterprise Desktop 12:cups-libs-1.7.5-9.1 SUSE Linux Enterprise Desktop 12:cups-libs-32bit-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-client-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-libs-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-libs-32bit-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-client-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-libs-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-libs-32bit-1.7.5-9.1 SUSE Linux Enterprise Software Development Kit 12:cups-devel-1.7.5-9.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151041-1/ https://www.suse.com/security/cve/CVE-2012-5519.html CVE-2012-5519 https://bugzilla.suse.com/1180148 SUSE Bug 1180148 https://bugzilla.suse.com/789566 SUSE Bug 789566 https://bugzilla.suse.com/882905 SUSE Bug 882905 https://bugzilla.suse.com/924208 SUSE Bug 924208 The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code. CVE-2015-1158 SUSE Linux Enterprise Desktop 12:cups-1.7.5-9.1 SUSE Linux Enterprise Desktop 12:cups-client-1.7.5-9.1 SUSE Linux Enterprise Desktop 12:cups-libs-1.7.5-9.1 SUSE Linux Enterprise Desktop 12:cups-libs-32bit-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-client-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-libs-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-libs-32bit-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-client-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-libs-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-libs-32bit-1.7.5-9.1 SUSE Linux Enterprise Software Development Kit 12:cups-devel-1.7.5-9.1 critical 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151041-1/ https://www.suse.com/security/cve/CVE-2015-1158.html CVE-2015-1158 https://bugzilla.suse.com/924208 SUSE Bug 924208 https://bugzilla.suse.com/976653 SUSE Bug 976653 Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/. CVE-2015-1159 SUSE Linux Enterprise Desktop 12:cups-1.7.5-9.1 SUSE Linux Enterprise Desktop 12:cups-client-1.7.5-9.1 SUSE Linux Enterprise Desktop 12:cups-libs-1.7.5-9.1 SUSE Linux Enterprise Desktop 12:cups-libs-32bit-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-client-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-libs-1.7.5-9.1 SUSE Linux Enterprise Server 12:cups-libs-32bit-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-client-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-libs-1.7.5-9.1 SUSE Linux Enterprise Server for SAP Applications 12:cups-libs-32bit-1.7.5-9.1 SUSE Linux Enterprise Software Development Kit 12:cups-devel-1.7.5-9.1 critical 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151041-1/ https://www.suse.com/security/cve/CVE-2015-1159.html CVE-2015-1159 https://bugzilla.suse.com/924208 SUSE Bug 924208 https://bugzilla.suse.com/976653 SUSE Bug 976653