SB2014071504 - Link following in cups (Alpine package)
Published: July 15, 2014
Description
This security bulletin contains information about 1 security vulnerability.
1) Link following (CVE-ID: CVE-2014-5029)
The vulnerability allows a local user to gain access to sensitive information.
The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537.
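The defect described above is a link-following issue: the server reads a file from a directory that an untrusted local group can write to, so a symbolic link planted there redirects the read. The following is an added example written for this bulletin, not code from CUPS or from the Alpine package, showing the usual mitigation for that class: opening the cache file with O_NOFOLLOW so the open fails atomically if the final path component is a symlink, instead of checking with lstat() first and opening afterwards (which leaves a race). The function names, the temporary directory and the file names are assumptions made up for the demonstration.

```c
/* Added example (not CUPS code): open a file inside a cache directory
 * without following a symbolic link at the final path component. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path read-only, refusing to follow a symlink at the last
 * component.  Returns the descriptor, or -1 with errno set; a symlink
 * is reported as ELOOP.  The check is done by the kernel inside open(),
 * so there is no window between "check" and "use". */
int open_nofollow(const char *path)
{
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

/* Self-contained demonstration on a constructed fixture: a temporary
 * directory (standing in for the cache directory) holding one regular
 * file and one symlink.  Returns 1 when the regular file opens and the
 * symlink is rejected with ELOOP, 0 otherwise.  The link's target does
 * not matter: open_nofollow() rejects the link itself. */
int demo_nofollow(void)
{
    char dir[] = "/tmp/rss-demo-XXXXXX";   /* hypothetical cache dir */
    char regular[PATH_MAX], link[PATH_MAX];
    int ok = 0, fd;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(regular, sizeof regular, "%s/feed.rss", dir);
    snprintf(link, sizeof link, "%s/planted", dir);

    fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        ssize_t n = write(fd, "<rss/>\n", 7);
        (void)n;
        close(fd);
        if (symlink(regular, link) == 0) {
            int a = open_nofollow(regular);   /* expected: succeeds */
            int b = open_nofollow(link);      /* expected: -1, ELOOP */
            int berr = errno;
            if (a >= 0 && b < 0 && berr == ELOOP)
                ok = 1;
            if (a >= 0)
                close(a);
            unlink(link);
        }
        unlink(regular);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink rejected, regular file readable: %s\n",
           demo_nofollow() ? "yes" : "no");
    return 0;
}
```

O_NOFOLLOW only protects the final component; if an intermediate directory of the path could also be attacker-controlled, open the trusted base directory once and use openat() relative to that descriptor. Whichever variant is used, the error from a rejected link is worth logging, since a symlink appearing in a cache directory that the service itself populates is a signal worth investigating.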
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=e2856516886b7cf35fe1cf5be0eb646ea76ca687
- https://git.alpinelinux.org/aports/commit/?id=0dabf557b83072a583dfb8c316048783039fe34e
- https://git.alpinelinux.org/aports/commit/?id=5e32e80910a6b01861f103726c93600cbe45eac5
- https://git.alpinelinux.org/aports/commit/?id=0affba121160bd27a30e4334736f19265dca97ae
- https://git.alpinelinux.org/aports/commit/?id=9f63973f52df08430f80a8f102b0a90341a2d3cc