Fedora has issued an advisory on July 16:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135528.html

The issue is fixed upstream in 1.7.4 (already in Cauldron).

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated cups packages fix security vulnerability:

In CUPS before 1.7.4, a local user with privileges of group=lp can write symbolic links in the rss directory and use that to gain '@SYSTEM' group privilege with cupsd (CVE-2014-3537).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135528.html
========================

Updated packages in core/updates_testing:
========================
cups-1.5.4-9.3.mga3
cups-common-1.5.4-9.3.mga3
libcups2-1.5.4-9.3.mga3
libcups2-devel-1.5.4-9.3.mga3
cups-serial-1.5.4-9.3.mga3
php-cups-1.5.4-9.3.mga3
cups-1.7.0-7.2.mga4
cups-common-1.7.0-7.2.mga4
libcups2-devel-1.7.0-7.2.mga4
libcups2-1.7.0-7.2.mga4
cups-filesystem-1.7.0-7.2.mga4

from SRPMS:
cups-1.5.4-9.3.mga3.src.rpm
cups-1.7.0-7.2.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
CVEs were allocated on July 22 for more security issues fixed upstream:
http://openwall.com/lists/oss-security/2014/07/22/13

LWN reference for CVE-2014-5029 and CVE-2014-503[01]:
http://lwn.net/Vulnerabilities/606882/

Debian has issued an advisory for this on July 27:
https://www.debian.org/security/2014/dsa-2990

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated cups packages fix security vulnerabilities:

In CUPS before 1.7.4, a local user with privileges of group=lp can write symbolic links in the rss directory and use that to gain '@SYSTEM' group privilege with cupsd (CVE-2014-3537).

It was discovered that the web interface in CUPS incorrectly validated permissions on rss files and directory index files. A local attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation (CVE-2014-5029, CVE-2014-5030, CVE-2014-5031).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135528.html
https://www.debian.org/security/2014/dsa-2990
========================

Updated packages in core/updates_testing:
========================
cups-1.5.4-9.4.mga3
cups-common-1.5.4-9.4.mga3
libcups2-1.5.4-9.4.mga3
libcups2-devel-1.5.4-9.4.mga3
cups-serial-1.5.4-9.4.mga3
php-cups-1.5.4-9.4.mga3
cups-1.7.0-7.3.mga4
cups-common-1.7.0-7.3.mga4
libcups2-devel-1.7.0-7.3.mga4
libcups2-1.7.0-7.3.mga4
cups-filesystem-1.7.0-7.3.mga4

from SRPMS:
cups-1.5.4-9.4.mga3.src.rpm
cups-1.7.0-7.3.mga4.src.rpm
Summary: cups new security issue CVE-2014-3537 => cups new security issues CVE-2014-3537, CVE-2014-5029, and CVE-2014-503[01]
Validating this. See the discussion in the QA meeting:
http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30

Note that Debian and Fedora have both already built updates with these patches, which come from upstream. Also, CUPS 1.7.5 has been released containing these same fixes.

The advisory still needs to be uploaded.

Please push this to core/updates for Mageia 3 and Mageia 4.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO advisory
Installs fine on Mageia 4 32bit.
Whiteboard: MGA3TOO advisory => MGA3TOO MGA4-32-OK advisory
Made sure it installs in Mageia 3 32bit.
Whiteboard: MGA3TOO MGA4-32-OK advisory => MGA3TOO MGA3-32-OK MGA4-32-OK advisory
Update pushed. http://advisories.mageia.org/MGASA-2014-0313.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED