Bug 517938 (CVE-2014-5029) - <net-print/cups-1.7.4: Incomplete fix for CVE-2014-3537 (CVE-2014-{5029,5030,5031})
Status: RESOLVED FIXED
Alias: CVE-2014-5029
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Reported: 2014-07-24 07:58 UTC by Agostino Sarubbo
Modified: 2015-04-22 21:18 UTC
Description Agostino Sarubbo gentoo-dev 2014-07-24 07:58:10 UTC
From ${URL} :

It was reported [1] that a fix for CVE-2014-3537 [2] is not complete.
In some cases privilege escalation is still possible [3].
Upstream patches are available at [3] as well.

[1]: http://seclists.org/oss-sec/2014/q3/209
[2]: http://www.cups.org/str.php?L4450
[3]: https://cups.org/str.php?L4455


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-07-30 03:48:00 UTC
CVE-2014-5029 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5029):
  The web interface in CUPS 1.7.4 allows local users in the lp group to read
  arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and
  language[0] set to null.  NOTE: this vulnerability exists because of an
  incomplete fix for CVE-2014-3537.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-07-30 03:51:26 UTC
CVE-2014-5031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5031):
  The web interface in CUPS before 2.0 does not check that files have
  world-readable permissions, which allows remote attackers to obtain
  sensitive information via unspecified vectors.

CVE-2014-5030 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5030):
  CUPS before 2.0 allows local users to read arbitrary files via a symlink
  attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5)
  index.pyc, or (6) index.py.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2014-07-30 03:58:03 UTC
Sorry for the noise, this actually has 3 CVEs assigned to it.

This is fixed in CUPS 1.7.4
Security: The web interface incorrectly served symlinked files and files that were not world-readable, potentially leading to a disclosure of information (STR #4450)

Maintainer(s): after the bump please let us know when the ebuild is ready for stabilization.
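
The check described in comment 3 (do not serve symlinked files or files that are not world-readable), sketched in C as an added example; it is not part of this bug thread and is not the CUPS patch. The function names and the sample file names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not CUPS code): return a read-only fd only when path
 * is a regular, world-readable file and not a symlink; otherwise -1. */
int open_servable(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW rejects a symlink in the final component; O_NONBLOCK avoids
     * hanging on a FIFO. Symlinked parent directories are not covered. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* fstat() the descriptor so the file checked is the file served. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || !(st.st_mode & S_IROTH)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed sample files. Returns a bitmask of accepted paths:
 * bit 0 = mode 0644 file, bit 1 = mode 0600 file, bit 2 = symlink to bit 0. */
int demo_accept_mask(void)
{
    char dir[] = "/tmp/servableXXXXXX", p[3][64];
    const char *names[3] = { "public.html", "private.html", "index.html" };
    int mask = 0;
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 3; i++)
        snprintf(p[i], sizeof p[i], "%s/%s", dir, names[i]);
    for (int i = 0; i < 2; i++) {
        int fd = open(p[i], O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0 || fchmod(fd, i ? 0600 : 0644) != 0) return -1;
        close(fd);
    }
    if (symlink(p[0], p[2]) != 0) return -1;   /* index.html -> public.html */
    for (int i = 2; i >= 0; i--) {             /* test the symlink first */
        int fd = open_servable(p[i]);
        if (fd >= 0) { mask |= 1 << i; close(fd); }
        unlink(p[i]);
    }
    rmdir(dir);
    return mask;
}
int main(void) { printf("accepted mask: %d\n", demo_accept_mask()); return 0; }
```

The symlink points at the world-readable file on purpose: following it would pass the permission check, so only the `O_NOFOLLOW` open rejects it.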
Comment 4 Andreas K. Hüttel gentoo-dev 2014-09-06 19:02:47 UTC
(In reply to Yury German from comment #3)
> Sorry for the noise, this actually has 3 CVEs assigned to it.
> 
> This is fixed in CUPS 1.7.4
> Security: The web interface incorrectly served symlinked files and files
> that were not world-readable, potentially leading to a disclosure of
> information (STR #4450)
> 
> Maintainer(s): after the bump please let us know when the ebuild is ready
> for stabilization.

Let's go for cups-1.7.5 (another bug squashed there) instead, see bug 519792
Comment 5 Matthias Maier gentoo-dev 2014-10-18 23:11:24 UTC
The lowest available version (and also currently stable version) in the tree is now 1.7.5.
Comment 6 Andreas K. Hüttel gentoo-dev 2014-11-04 00:22:17 UTC
All affected ebuilds are long gone from the tree. Printing out.
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-11-04 08:04:32 UTC
GLSA vote: no.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-22 21:18:04 UTC
GLSA Vote: No