Language and Page Formatting Options
Updated cups packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.
- A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.
- It was discovered that CUPS allowed certain users to create symbolic links in certain directories under
/var/cache/cups/. A local user with the
lpgroup privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.
The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat Product Security.
- When the system was suspended during polling a configured BrowsePoll server, resuming the system left the
cups-polldprocess awaiting a response even though the connection had been dropped causing discovered printers to disappear. Now, an HTTP timeout is used so the request can be retried. As a result, printers that use BrowsePoll now remain available in the described scenario.
- A problem with HTTP multipart handling in the CUPS scheduler caused some browsers to not work correctly when attempting to add a printer using the web interface. This has been fixed by applying a patch from a later version, and all browsers now work as expected when adding printers.
- When a discovered remote queue was determined to no longer be available, the local queue was deleted. A logic error in the CUPS scheduler caused problems in this situation when there was a job queued for such a destination. This bug has been fixed so that jobs are not started for removed queues.
- CUPS maintains a cache of frequently used string values. Previously, when a returned string value was modified, the cache lost its consistency, which led to increased memory usage. Instances where this happened have been corrected to treat the returned values as read-only.
- A missing check has been added, preventing the scheduler from terminating when logging a message about not being able to determine a job's file type.
- A fix for incorrect handling of collection attributes in the Internet Printing Protocol (IPP) version 2.0 replies has been applied.
- The CUPS scheduler did not use the
fsync()function when modifying its state files, such as
printers.conf, which could lead to truncated CUPS configuration files in the event of power loss. A new
SyncOnClose, has been added to enable the use of
fsync()on such files. The directive is enabled by default.
- The default environment variables for jobs were set before the CUPS configuration file was read, leading to the
SetEnvdirective in the
cupsd.conffile having no effect. The variables are now set after reading the configuration, and
- Older versions of the RPM Package Manager (RPM) were unable to build the cups packages due to a newer syntax being used in the spec file. More portable syntax is now used, allowing older versions to build CUPS as expected.
- A spelling typo in one of the example options for the
cupsctlcommand has been fixed in the
cronscript shipped with CUPS had incorrect permissions, allowing world-readability on the script. This file is now given permissions “0700”, removing group- and world-readability permissions.
- The Generic Security Services (GSS) credentials were cached under certain circumstances. This behavior is incorrect because sending the cached copy could result in a denial due to an apparent “replay” attack. A patch has been applied to prevent replaying the GSS credentials.
- A logic error in the code handling the web interface made it not possible to change the
Make and Modelfield for a queue in the web interface. A patch has been applied to fix this bug and the field can now be changed as expected.
- The CUPS scheduler did not check whether the client connection had data available to read before reading. This behavior led to a 10 second timeout in some instances. The scheduler now checks for data availability before reading, avoiding the timeout.
- The Common Gateway Interface (CGI) scripts were not executed correctly by the CUPS scheduler, causing requests to such scripts to fail. Parameter handling for the CGI scripts has been fixed by applying a patch and the scripts can now be executed properly.
All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the
cupsddaemon will be restarted automatically.