Lucene search

K
redhatRedHatRHSA-2012:0302
HistoryFeb 21, 2012 - 12:00 a.m.

(RHSA-2012:0302) Low: cups security and bug fix update

2012-02-2100:00:00
access.redhat.com
11

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.019 Low

EPSS

Percentile

87.2%

The Common UNIX Printing System (CUPS) provides a portable printing layer
for Linux, UNIX, and similar operating systems.

A heap-based buffer overflow flaw was found in the Lempel-Ziv-Welch (LZW)
decompression algorithm implementation used by the CUPS GIF image format
reader. An attacker could create a malicious GIF image file that, when
printed, could possibly cause CUPS to crash or, potentially, execute
arbitrary code with the privileges of the “lp” user. (CVE-2011-2896)

This update also fixes the following bugs:

  • Prior to this update, the “Show Completed Jobs,” “Show All Jobs,” and
    “Show Active Jobs” buttons returned results globally across all printers
    and not the results for the specified printer. With this update, jobs from
    only the selected printer are shown. (BZ#625900)

  • Prior to this update, the code of the serial backend contained a wrong
    condition. As a consequence, print jobs on the raw print queue could not be
    canceled. This update modifies the condition in the serial backend code.
    Now, the user can cancel these print jobs. (BZ#625955)

  • Prior to this update, the textonly filter did not work if used as a pipe,
    for example when the command line did not specify the filename and the
    number of copies was always 1. This update modifies the condition in the
    textonly filter. Now, the data are sent to the printer regardless of the
    number of copies specified. (BZ#660518)

  • Prior to this update, the file descriptor count increased until it ran
    out of resources when the cups daemon was running with enabled
    Security-Enhanced Linux (SELinux) features. With this update, all resources
    are allocated only once. (BZ#668009)

  • Prior to this update, CUPS incorrectly handled the en_US.ASCII value for
    the LANG environment variable. As a consequence, the lpadmin, lpstat, and
    lpinfo binaries failed to write to standard output if using LANG with the
    value. This update fixes the handling of the en_US.ASCII value and the
    binaries now write to standard output properly. (BZ#759081)

All users of cups are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues. After installing this
update, the cupsd daemon will be restarted automatically.

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.019 Low

EPSS

Percentile

87.2%

Related for RHSA-2012:0302