8.40. cups

Updated cups packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.

Security Fixes

CVE-2014-2856
A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.
CVE-2014-3537CVE-2014-5029CVE-2014-5030CVE-2014-5031
It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the lp group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.
The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat Product Security.

Bug Fixes

BZ#769292
When the system was suspended during polling a configured BrowsePoll server, resuming the system left the cups-polld process awaiting a response even though the connection had been dropped causing discovered printers to disappear. Now, an HTTP timeout is used so the request can be retried. As a result, printers that use BrowsePoll now remain available in the described scenario.
BZ#852846
A problem with HTTP multipart handling in the CUPS scheduler caused some browsers to not work correctly when attempting to add a printer using the web interface. This has been fixed by applying a patch from a later version, and all browsers now work as expected when adding printers.
BZ#855431
When a discovered remote queue was determined to no longer be available, the local queue was deleted. A logic error in the CUPS scheduler caused problems in this situation when there was a job queued for such a destination. This bug has been fixed so that jobs are not started for removed queues.
BZ#884851
CUPS maintains a cache of frequently used string values. Previously, when a returned string value was modified, the cache lost its consistency, which led to increased memory usage. Instances where this happened have been corrected to treat the returned values as read-only.
BZ#971079
A missing check has been added, preventing the scheduler from terminating when logging a message about not being able to determine a job's file type.
BZ#978387
A fix for incorrect handling of collection attributes in the Internet Printing Protocol (IPP) version 2.0 replies has been applied.
BZ#984883
The CUPS scheduler did not use the fsync() function when modifying its state files, such as printers.conf, which could lead to truncated CUPS configuration files in the event of power loss. A new cupsd.conf directive, SyncOnClose, has been added to enable the use of fsync() on such files. The directive is enabled by default.
BZ#986495
The default environment variables for jobs were set before the CUPS configuration file was read, leading to the SetEnv directive in the cupsd.conf file having no effect. The variables are now set after reading the configuration, and SetEnv works correctly.
BZ#988598
Older versions of the RPM Package Manager (RPM) were unable to build the cups packages due to a newer syntax being used in the spec file. More portable syntax is now used, allowing older versions to build CUPS as expected.
BZ#1011076
A spelling typo in one of the example options for the cupsctl command has been fixed in the cupsctl(8) man page.
BZ#1012482
The cron script shipped with CUPS had incorrect permissions, allowing world-readability on the script. This file is now given permissions 0700, removing group- and world-readability permissions.
BZ#1040293
The Generic Security Services (GSS) credentials were cached under certain circumstances. This behavior is incorrect because sending the cached copy could result in a denial due to an apparent replay attack. A patch has been applied to prevent replaying the GSS credentials.
BZ#1104483
A logic error in the code handling the web interface made it not possible to change the Make and Model field for a queue in the web interface. A patch has been applied to fix this bug and the field can now be changed as expected.
BZ#1110045
The CUPS scheduler did not check whether the client connection had data available to read before reading. This behavior led to a 10 second timeout in some instances. The scheduler now checks for data availability before reading, avoiding the timeout.
BZ#1120419
The Common Gateway Interface (CGI) scripts were not executed correctly by the CUPS scheduler, causing requests to such scripts to fail. Parameter handling for the CGI scripts has been fixed by applying a patch and the scripts can now be executed properly.
All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.