Red Hat Product Errata RHSA-2004:543 - Security Advisory
Issued:
2004-10-22
Updated:
2004-10-22

RHSA-2004:543 - Security Advisory

Synopsis

cups security update

Type/Severity

Security Advisory: Important

Topic

Updated cups packages that fix denial of service issues, a security
information leak, as well as other various bugs are now available.

Description

The Common UNIX Printing System (CUPS) is a print spooler.

During a source code audit, Chris Evans discovered a number of integer
overflow bugs that affect xpdf. CUPS contains a copy of the xpdf code used
for parsing PDF files and is therefore affected by these bugs. An attacker
who has the ability to send a malicious PDF file to a printer could cause
CUPS to crash or possibly execute arbitrary code. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0888 to this issue.

When set up to print to a shared printer via Samba, CUPS would authenticate
with that shared printer using a username and password. By default, the
username and password used to connect to the Samba share is written
into the error log file. A local user who is able to read the error log
file could collect these usernames and passwords. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0923 to this issue.

These updated packages also include a fix that prevents some CUPS
configuration files from being accidentally replaced.

All users of CUPS should upgrade to these updated packages, which
resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Affected Products

  • Red Hat Enterprise Linux Server 3 x86_64
  • Red Hat Enterprise Linux Server 3 ia64
  • Red Hat Enterprise Linux Server 3 i386
  • Red Hat Enterprise Linux Workstation 3 x86_64
  • Red Hat Enterprise Linux Workstation 3 ia64
  • Red Hat Enterprise Linux Workstation 3 i386
  • Red Hat Enterprise Linux Desktop 3 x86_64
  • Red Hat Enterprise Linux Desktop 3 i386
  • Red Hat Enterprise Linux for IBM z Systems 3 s390x
  • Red Hat Enterprise Linux for IBM z Systems 3 s390
  • Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

  • BZ - 99461 - cups configuration
  • BZ - 132034 - mime.types was updated - not copied to mime.types.rpmnew
  • BZ - 134599 - CAN-2004-0923 Log file information disclosure
  • BZ - 135378 - CAN-2004-0888 xpdf issues affect cups

References

(none)

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.