| Summary: | cups new security issues CVE-2014-3537, CVE-2014-5029, and CVE-2014-503[01] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | mageia, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/606069/ | ||
| Whiteboard: | MGA3TOO MGA3-32-OK MGA4-32-OK advisory | ||
| Source RPM: | cups-1.7.0-7.1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-07-22 16:47:24 CEST
David Walser
2014-07-22 16:47:34 CEST
Whiteboard:
(none) =>
MGA3TOO CVEs were allocated on July 22 for more security issues fixed upstream: http://openwall.com/lists/oss-security/2014/07/22/13 LWN reference for CVE-2014-5029 and CVE-2014-503[01]: http://lwn.net/Vulnerabilities/606882/ Debian has issued an advisory for this on July 27: https://www.debian.org/security/2014/dsa-2990 Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated cups packages fix security vulnerabilities: In CUPS before 1.7.4, a local user with privileges of group=lp can write symbolic links in the rss directory and use that to gain '@SYSTEM' group privilege with cupsd (CVE-2014-3537). It was discovered that the web interface in CUPS incorrectly validated permissions on rss files and directory index files. A local attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation (CVE-2014-5029, CVE-2014-5030, CVE-2014-5031). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031 https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135528.html https://www.debian.org/security/2014/dsa-2990 ======================== Updated packages in core/updates_testing: ======================== cups-1.5.4-9.4.mga3 cups-common-1.5.4-9.4.mga3 libcups2-1.5.4-9.4.mga3 libcups2-devel-1.5.4-9.4.mga3 cups-serial-1.5.4-9.4.mga3 php-cups-1.5.4-9.4.mga3 cups-1.7.0-7.3.mga4 cups-common-1.7.0-7.3.mga4 libcups2-devel-1.7.0-7.3.mga4 libcups2-1.7.0-7.3.mga4 cups-filesystem-1.7.0-7.3.mga4 from SRPMS: cups-1.5.4-9.4.mga3.src.rpm cups-1.7.0-7.3.mga4.src.rpm Summary:
cups new security issue CVE-2014-3537 =>
cups new security issues CVE-2014-3537, CVE-2014-5029, and CVE-2014-503[01] Validating this. See the discussion in the QA meeting: http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30 Note that Debian and Fedora have both already built updates with these patches, which come from upstream. Also, CUPS 1.7.5 has been released containing these same fixes. The advisory still needs to be uploaded. Please push this to core/updates for Mageia 3 and Mageia 4. Keywords:
(none) =>
validated_update Advisory uploaded. CC:
(none) =>
remi Installs fine on Mageia 4 32bit. Whiteboard:
MGA3TOO advisory =>
MGA3TOO MGA4-32-OK advisory Made sure it installs in Mageia 3 32bit. Whiteboard:
MGA3TOO MGA4-32-OK advisory =>
MGA3TOO MGA3-32-OK MGA4-32-OK advisory Update pushed. http://advisories.mageia.org/MGASA-2014-0313.html Status:
NEW =>
RESOLVED |