Skip to navigation

Security Advisory Important: cups security update

Advisory: RHSA-2010:0811-1
Type: Security Advisory
Severity: Important
Issued on: 2010-10-28
Last updated on: 2010-10-28
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2010-2431
CVE-2010-2941

Details

Updated cups packages that fix two security issues are now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The Common UNIX Printing System (CUPS) provides a portable printing layer
for UNIX operating systems.

A use-after-free flaw was found in the way the CUPS server parsed Internet
Printing Protocol (IPP) packets. A malicious user able to send IPP requests
to the CUPS server could use this flaw to crash the CUPS server or,
potentially, execute arbitrary code with the privileges of the CUPS server.
(CVE-2010-2941)

A possible privilege escalation flaw was found in CUPS. An unprivileged
process running as the "lp" user (such as a compromised external filter
program spawned by the CUPS server) could trick the CUPS server into
overwriting arbitrary files as the root user. (CVE-2010-2431)

Red Hat would like to thank Emmanuel Bouillon of NATO C3 Agency for
reporting the CVE-2010-2941 issue.

Users of cups are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the cupsd daemon will be restarted automatically.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
cups-1.3.7-18.el5_5.8.src.rpm
File outdated by:  RHSA-2013:0580
    MD5: ebe6a569bb7ad5c55bdef834aeb6024d
SHA-256: 1e3f48e96e8a2e6a9e33ea23ed89a4bb83da31fd494fce428e7918ad2f039a7b
 
IA-32:
cups-devel-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 56b922f3c1c185980b11da56cbc045bc
SHA-256: 7d97f4bead2b9cd812a9d1dae6cf5237232dc8a9f806509df34d2c4c583e8cc8
 
x86_64:
cups-devel-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 56b922f3c1c185980b11da56cbc045bc
SHA-256: 7d97f4bead2b9cd812a9d1dae6cf5237232dc8a9f806509df34d2c4c583e8cc8
cups-devel-1.3.7-18.el5_5.8.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: d72dffc9afd2e23fc95e75d89f4f57ca
SHA-256: 7a49e1f900efe935ec9e6277c1c633a31ae028d3d9baeb548611705435df7e4f
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
cups-1.3.7-18.el5_5.8.src.rpm
File outdated by:  RHSA-2013:0580
    MD5: ebe6a569bb7ad5c55bdef834aeb6024d
SHA-256: 1e3f48e96e8a2e6a9e33ea23ed89a4bb83da31fd494fce428e7918ad2f039a7b
 
IA-32:
cups-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: a10235bcc0c9b0e4a62e54526508834d
SHA-256: fcac284ba8187cd1f86d279f8d3403a02e5c383d29a8963278ae2ff6967b2934
cups-devel-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 56b922f3c1c185980b11da56cbc045bc
SHA-256: 7d97f4bead2b9cd812a9d1dae6cf5237232dc8a9f806509df34d2c4c583e8cc8
cups-libs-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: d42d75a6b5afaf995f47939a99d3e8f2
SHA-256: d96d089d493be6414925c386515c29bf75daaebf3b2555e0126443c4d9abf496
cups-lpd-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 5722baf919132a9b073c54f52c6c16cf
SHA-256: d83c29d370b9a9e5ebe45385670d83a775f397963c1f8f60555661db9f2e8b80
 
IA-64:
cups-1.3.7-18.el5_5.8.ia64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 07c1e40a11e378ecfe2d50264efa313e
SHA-256: df18805b0641e89d20a25a1bf94b3d4265bc5cd7065564cb580dd4ddcc4851b9
cups-devel-1.3.7-18.el5_5.8.ia64.rpm
File outdated by:  RHSA-2013:0580
    MD5: ea9724d5b6998dd26e452d4050f33bc6
SHA-256: 0780a03670821b43262316509f49fc7d53ce17fb2eea16548b547c75a875fda8
cups-libs-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: d42d75a6b5afaf995f47939a99d3e8f2
SHA-256: d96d089d493be6414925c386515c29bf75daaebf3b2555e0126443c4d9abf496
cups-libs-1.3.7-18.el5_5.8.ia64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 2607002626f6419196d5534e3c1f085f
SHA-256: 40413d91d5be92dfa43ea2bd749c7f9337753b6a6a9a4f2f239614ce643b8547
cups-lpd-1.3.7-18.el5_5.8.ia64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 970c3bab49f0a8fc5cfb282eb9e07635
SHA-256: 9e5fd5e85623fda504ebf400989c41ec312bc40977be22f319bc253e79ca55cc
 
PPC:
cups-1.3.7-18.el5_5.8.ppc.rpm
File outdated by:  RHSA-2013:0580
    MD5: d4dd0ce7560c007f43e5f2c80346ceee
SHA-256: 554dc238410954850735df726642ecc752716fd0b77d43148e8e296d8a4f7ad6
cups-devel-1.3.7-18.el5_5.8.ppc.rpm
File outdated by:  RHSA-2013:0580
    MD5: afa1781f0eeb3b61022b98b9d71d7cc9
SHA-256: efc876be9ced7b3d8dcc7cd8347655af07f61ecca0b5f60a035be3432906ddae
cups-devel-1.3.7-18.el5_5.8.ppc64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 51cf7e0aa32eab29a47ecc92ade44f9c
SHA-256: 6b8327dfcd6405780218f28bf87c99f4df321b269e0a020ce681a973474ccfb9
cups-libs-1.3.7-18.el5_5.8.ppc.rpm
File outdated by:  RHSA-2013:0580
    MD5: 14b2446503741c62230de33f9740793b
SHA-256: 7ac5337d23ee98c56bfcdd82721228ca49d30c0c69f19a5d444c2b4e6428adc9
cups-libs-1.3.7-18.el5_5.8.ppc64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 1813d17e44d644ecfba4150052d319a8
SHA-256: 11b63234ba63ff5cdb6cdeb9e70eed5c1d97dfb166b60b4c98a80456911ecfb7
cups-lpd-1.3.7-18.el5_5.8.ppc.rpm
File outdated by:  RHSA-2013:0580
    MD5: cdcf06f8fc2ede799ba4892dae2c33dc
SHA-256: 2bd66a6ae4378bc1fa77d633acba973c90e1b7f52366ca55b06b37fe6c90a1dd
 
s390x:
cups-1.3.7-18.el5_5.8.s390x.rpm
File outdated by:  RHSA-2013:0580
    MD5: 06da901668b5793bbf43ea17cc4b28fb
SHA-256: 1e97549e03d7be14b3fd57fd503115420921fca5050e62fcaf398a99f3a9b38a
cups-devel-1.3.7-18.el5_5.8.s390.rpm
File outdated by:  RHSA-2013:0580
    MD5: 2036fbb129acbabdeefb5aeb1d34bbf6
SHA-256: 58f31c7c2b7296bafd611e9ca5f18797dfdfae858a5cab7016c247d5a97cc7bf
cups-devel-1.3.7-18.el5_5.8.s390x.rpm
File outdated by:  RHSA-2013:0580
    MD5: cbed7fcce516a346b9d6ce0db8993eeb
SHA-256: 249a3f1ebeb2d25e223f16101baf69db7c3bae88f19352a3fbdcaafe3a918089
cups-libs-1.3.7-18.el5_5.8.s390.rpm
File outdated by:  RHSA-2013:0580
    MD5: f95954ffaac16b76b22227e421ecd9f0
SHA-256: 7fa93a4bfed255f2ede4b820055f0913ed423fb0dd187aab79154d7f2e65e48b
cups-libs-1.3.7-18.el5_5.8.s390x.rpm
File outdated by:  RHSA-2013:0580
    MD5: eef1cba5c60804ccfdaa293f834e0353
SHA-256: de91eb726d3e399d0884feedde2a3cb9e827fc5765f9f8a95f54462f360aff3c
cups-lpd-1.3.7-18.el5_5.8.s390x.rpm
File outdated by:  RHSA-2013:0580
    MD5: 127b4237837377ee8df110413c84efdc
SHA-256: ed0a59b329253aa37f2b885a6a6a0b51a41ce16658b1634bbe1302905a25a4ed
 
x86_64:
cups-1.3.7-18.el5_5.8.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: c9c3629aed2c2e052ca73c297a275403
SHA-256: 5452ff99f3ddf15519fecb62dbefe687954169f310bf58688789e48041db5a5e
cups-devel-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 56b922f3c1c185980b11da56cbc045bc
SHA-256: 7d97f4bead2b9cd812a9d1dae6cf5237232dc8a9f806509df34d2c4c583e8cc8
cups-devel-1.3.7-18.el5_5.8.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: d72dffc9afd2e23fc95e75d89f4f57ca
SHA-256: 7a49e1f900efe935ec9e6277c1c633a31ae028d3d9baeb548611705435df7e4f
cups-libs-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: d42d75a6b5afaf995f47939a99d3e8f2
SHA-256: d96d089d493be6414925c386515c29bf75daaebf3b2555e0126443c4d9abf496
cups-libs-1.3.7-18.el5_5.8.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 5fff204b48c4dffa031db3854c16b3c2
SHA-256: 038070d1af030f96eee6c30e700cdc6fbbfa71e893c0781c98d26850aa298029
cups-lpd-1.3.7-18.el5_5.8.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: da4553c91865e1ad43926a5dd118f838
SHA-256: 37a5bcbfa0594b40d40c5dfc0fad40b9363e10ed62f07fdc420b4af5456b6677
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
cups-1.3.7-18.el5_5.8.src.rpm
File outdated by:  RHSA-2013:0580
    MD5: ebe6a569bb7ad5c55bdef834aeb6024d
SHA-256: 1e3f48e96e8a2e6a9e33ea23ed89a4bb83da31fd494fce428e7918ad2f039a7b
 
IA-32:
cups-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: a10235bcc0c9b0e4a62e54526508834d
SHA-256: fcac284ba8187cd1f86d279f8d3403a02e5c383d29a8963278ae2ff6967b2934
cups-libs-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: d42d75a6b5afaf995f47939a99d3e8f2
SHA-256: d96d089d493be6414925c386515c29bf75daaebf3b2555e0126443c4d9abf496
cups-lpd-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 5722baf919132a9b073c54f52c6c16cf
SHA-256: d83c29d370b9a9e5ebe45385670d83a775f397963c1f8f60555661db9f2e8b80
 
x86_64:
cups-1.3.7-18.el5_5.8.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: c9c3629aed2c2e052ca73c297a275403
SHA-256: 5452ff99f3ddf15519fecb62dbefe687954169f310bf58688789e48041db5a5e
cups-libs-1.3.7-18.el5_5.8.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: d42d75a6b5afaf995f47939a99d3e8f2
SHA-256: d96d089d493be6414925c386515c29bf75daaebf3b2555e0126443c4d9abf496
cups-libs-1.3.7-18.el5_5.8.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 5fff204b48c4dffa031db3854c16b3c2
SHA-256: 038070d1af030f96eee6c30e700cdc6fbbfa71e893c0781c98d26850aa298029
cups-lpd-1.3.7-18.el5_5.8.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: da4553c91865e1ad43926a5dd118f838
SHA-256: 37a5bcbfa0594b40d40c5dfc0fad40b9363e10ed62f07fdc420b4af5456b6677
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

605397 - CVE-2010-2431 cups: latent privilege escalation vulnerability
624438 - CVE-2010-2941 cups: cupsd memory corruption vulnerability


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/