
Bug 501198 (CVE-2013-6891)

Summary: <net-print/cups-1.7.1: Symlink attack (CVE-2013-6891)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Severity: minor CC: printing
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 437654    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2014-02-13 15:24:40 UTC
CVE-2013-6891:
  lppasswd in CUPS before 1.7.1, when running with setuid privileges, allows
  local users to read portions of arbitrary files via a modified HOME
  environment variable and a symlink attack involving .cups/client.conf.

@maintainers: Please CC arches when ready to stable.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2014-02-13 15:46:37 UTC
Please stabilize net-print/cups-1.7.1

Target: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2014-02-13 15:52:50 UTC
Note that this needs to go together with / depends on bug 437654, since cups-1.7.1 depends on cups-filters-1.0.43
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-13 16:04:47 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-02-16 07:08:42 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-02-16 07:08:56 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-02-16 12:08:40 UTC
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-02-20 14:23:31 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-02-22 07:31:25 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-02-22 07:36:02 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-02-22 07:38:51 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-02-22 07:41:03 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Sergey Popov gentoo-dev 2014-02-24 21:46:45 UTC
Thanks for your work

GLSA vote: no
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-03-27 11:26:05 UTC
GLSA vote: no.

Closing as [noglsa].