USN-952-1: CUPS vulnerabilities

21 June 2010

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

Details

Adrian Pastor and Tim Starling discovered that the CUPS web interface
incorrectly protected against cross-site request forgery (CSRF) attacks. If
an authenticated user were tricked into visiting a malicious website while
logged into CUPS, a remote attacker could modify the CUPS configuration and
possibly steal confidential data. (CVE-2010-0540)

It was discovered that CUPS did not properly handle memory allocations in
the texttops filter. If a user or automated system were tricked into
printing a crafted text file, a remote attacker could cause a denial of
service or possibly execute arbitrary code with privileges of the CUPS user
(lp). (CVE-2010-0542)

Luca Carettoni discovered that the CUPS web interface incorrectly handled
form variables. A remote attacker who had access to the CUPS web interface
could use this flaw to read a limited amount of memory from the cupsd
process and possibly obtain confidential data. (CVE-2010-1748)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
Ubuntu 9.04
Ubuntu 8.04
Ubuntu 6.06
Ubuntu 10.04

In general, a standard system update will make all the necessary changes.