CVE-2008-5183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5183): cupsd in CUPS before 1.3.8 allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference. NOTE: this issue can be triggered remotely by leveraging CVE-2008-5184.
Name: CVE-2008-5184 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5184 Published: 2008-11-20 Severity: High Description: The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username when a user is not logged on to the web server, which makes it easier for remote attackers to bypass intended policy and conduct CSRF attacks via the (1) add and (2) cancel RSS subscription functions. Also see: http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/
I'm going to completely remove all net-print/cups<1.3.8 from the tree now that all arches have stabilized CUPS 1.3(.8). Regarding this bug, CUPS 1.2.x possibly isn't affected by this since it didn't have a RSS option back then.
Everything which is net-print/cups<1.3.8 is now gone, net-print/cups-1.3.8-r2 is stable on all arches and I guess net-print/cups-1.3.9-r1 is going to be stabilized due to security bug #249727.
This has been covered with GLSA 200812-11, closing.
