Your submission was sent successfully! Close

CVE-2015-1158

Published: 9 June 2015

The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.

Priority

High

Status

Package Release Status
cups
Launchpad, Ubuntu, Debian
precise
Released (1.5.3-0ubuntu8.7)
trusty Does not exist
(trusty was released [1.7.2-0ubuntu1.6])
upstream Needs triage

utopic
Released (1.7.5-3ubuntu3.2)
vivid
Released (2.0.2-1ubuntu3.1)