From https://bugzilla.redhat.com/show_bug.cgi?id=1128764:

It was reported [1] that CUPS allows local users to read arbitrary files via a symlink attack on the directory index files:

  index.html
  index.class
  index.pl
  index.php
  index.pyc
  index.py

Upstream patches are available at [2] as well.

[1]: http://seclists.org/oss-sec/2014/q3/209
[2]: https://cups.org/str.php?L4455

From https://bugzilla.redhat.com/show_bug.cgi?id=1128767:

It was reported [1] that CUPS does not check that files have world-readable permissions, which allows local users to obtain sensitive information. Upstream patches are available at [2] as well.

[1]: http://seclists.org/oss-sec/2014/q3/209
[2]: https://cups.org/str.php?L4455

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-5030 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5030): CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py.
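A defensive sketch of the two checks the reports above describe as missing: refusing a symlinked index file and requiring world-readable permissions before a privileged daemon serves a file. This is an added example, not the upstream CUPS patch or code from this bug; `open_servable`, `make_file`, `demo` and the file names created under the temporary directory are hypothetical and constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an open descriptor only for a regular,
 * world-readable file whose final path component is not a symlink. */
int open_servable(const char *path) {
    struct stat st;
    /* O_NOFOLLOW rejects a symlink in the final path component only. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    /* fstat() the descriptor, not the path, so the file cannot be swapped
     * after the check. A root daemon can open 0600 files: test S_IROTH. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || !(st.st_mode & S_IROTH)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create `path` with exactly `mode`, independent of the umask. */
static void make_file(const char *path, mode_t mode) {
    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    if (fd >= 0) { fchmod(fd, mode); close(fd); }
}

/* Constructed scenario in a temp dir. Bits set in the result mean "served":
 * 1 = index.html symlink, 2 = private 0600 file, 4 = public 0644 file. */
int demo(void) {
    char dir[] = "/tmp/idxdemoXXXXXX", pub[64], priv[64], idx[64];
    const char *paths[3] = { idx, priv, pub };
    int served = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(pub, sizeof pub, "%s/help.html", dir);
    snprintf(priv, sizeof priv, "%s/private.conf", dir);
    snprintf(idx, sizeof idx, "%s/index.html", dir);
    make_file(pub, 0644); make_file(priv, 0600);
    /* The link targets the public file, so only O_NOFOLLOW can refuse it. */
    if (symlink(pub, idx) != 0) return -1;
    for (int i = 0; i < 3; i++) {
        int fd = open_servable(paths[i]);
        if (fd >= 0) { served |= 1 << i; close(fd); }
        unlink(paths[i]);
    }
    rmdir(dir);
    return served;
}
```

Only the public regular file is served, so `demo()` returns 4; symlinks in parent directories are outside what `O_NOFOLLOW` covers and need their own handling.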
This is fixed in CUPS 1.7.5, which I just added to the tree. Let's wait a week and then stabilize it.
I don't see any additional bug reports coming in from the 1.7.4 -> 1.7.5 update, so let's continue.

Arches please fast-stabilize net-print/cups-1.7.5
Target: all stable arches
Stable for HPPA.
amd64 stable
x86 stable
alpha stable
ia64 stable
ppc64 stable
ppc stable
sparc stable
arm stable, all arches done.
All vulnerable versions removed. Printing out.
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
GLSA vote: no. Closed as [noglsa].