Secunia

Three vulnerabilities have been reported in CUPS, which can be exploited by malicious users to manipulate certain files, cause a DoS (Denial of Service), or compromise a vulnerable system.

1) A boundary error in the "ParseCommand()" function within the hpgltops filter can be exploited to cause a buffer overflow by printing a specially crafted HPGL file.

Successful exploitation allows execution of arbitrary code with the privileges of the "lp" account.

The vulnerability has been reported in version 1.1.22. Prior versions may also be affected.

2) Various errors in lppasswd when editing the "/usr/local/etc/cups/passwd" file can be exploited to truncate the file, potentially write a user-controlled error message to it, or disable lppasswd.

The vulnerability has been reported in version 1.1.22. Prior versions may also be affected.

3) An error within the handling of certain paths in the "is_path_absolute()" function in "scheduler/client.c" can be exploited to cause the application to become unresponsive via a specially crafted HTTP GET request.

The vulnerability has been reported in versions 1.1.21 through 1.1.23rc1.

Solution
Update to version 1.1.23.

Provided and/or discovered by
1) Ariel Berkman
2) Bartlomiej Sieka
3) kmuto

Changelog
Further details available in Customer Area

Original Advisory
CUPS:
http://www.cups.org/str.php?L1023
http://www.cups.org/str.php?L1024
http://www.cups.org/str.php?L1042

Ariel Berkman:
http://tigger.uic.edu/~jlongs2/holes/cups.txt

Bartlomiej Sieka:
http://tigger.uic.edu/~jlongs2/holes/cups2.txt

Deep Links
Links available in Customer Area