Ubuntu Security Notice USN-906-1
3rd March, 2010
cups, cupsys vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 9.10
- Ubuntu 9.04
- Ubuntu 8.10
- Ubuntu 8.04 LTS
- Ubuntu 6.06 LTS
Software description
- cups
- cupsys
Details
It was discovered that the CUPS scheduler did not properly handle certain
network operations. A remote attacker could exploit this flaw and cause the
CUPS server to crash, resulting in a denial of service. This issue only
affected Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10. (CVE-2009-3553,
CVE-2010-0302)
Ronald Volgers discovered that the CUPS lppasswd tool could be made to load
localized message strings from arbitrary files by setting an environment
variable. A local attacker could use this to trigger a format-string
vulnerability, leading to root privilege escalation. The default compiler
options for Ubuntu 8.10, 9.04 and 9.10 should reduce this vulnerability to
a denial of service. (CVE-2010-0393)
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 9.10:
  - cups 1.4.1-5ubuntu2.4
  - cups-client 1.4.1-5ubuntu2.4
- Ubuntu 9.04:
  - cups 1.3.9-17ubuntu3.6
  - cups-client 1.3.9-17ubuntu3.6
- Ubuntu 8.10:
  - cups 1.3.9-2ubuntu9.5
  - cups-client 1.3.9-2ubuntu9.5
- Ubuntu 8.04 LTS:
  - cupsys-client 1.3.7-1ubuntu3.8
  - cupsys 1.3.7-1ubuntu3.8
- Ubuntu 6.06 LTS:
  - cupsys-client 1.2.2-0ubuntu0.6.06.17
  - cupsys 1.2.2-0ubuntu0.6.06.17
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system upgrade is sufficient to effect the
necessary changes.