Package name: cups
Date: 2010-11-15
Advisory ID: MDVSA-2010:233
Affected versions: 2010.1 i586, 2010.1 x86_64

Problem description

Multiple vulnerabilities were discovered and corrected in cups:

A cross-site request forgery (CSRF) vulnerability in the CUPS web
interface allows remote attackers to hijack the authentication of
administrators for requests that change settings (CVE-2010-0540).

ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate
memory for attribute values with invalid string data types, which
allows remote attackers to cause a denial of service (use-after-free
and application crash) or possibly execute arbitrary code via a
crafted IPP request (CVE-2010-2941).

The updated packages have been patched to correct these issues.

Updated packages

2010.1 i586

 7fbee630091cb99d2834714907f2393d  2010.1/i586/cups-1.4.3-3.1mdv2010.1.i586.rpm
 c1adbe5e8ff86437afe814439f3add02  2010.1/i586/cups-common-1.4.3-3.1mdv2010.1.i586.rpm
 c4ad750ae348fe75f7dd83d628f54304  2010.1/i586/cups-serial-1.4.3-3.1mdv2010.1.i586.rpm
 e3fa7994f2c8674d24adee01b8343157  2010.1/i586/libcups2-1.4.3-3.1mdv2010.1.i586.rpm
 3f26b3903ee56bd7f0a61abc03348433  2010.1/i586/libcups2-devel-1.4.3-3.1mdv2010.1.i586.rpm
 84c29bf867015a4fbaefa5e2cb7113ac  2010.1/i586/php-cups-1.4.3-3.1mdv2010.1.i586.rpm 
 df703f53ef8294b56b6339fd7cd98c4f  2010.1/SRPMS/cups-1.4.3-3.1mdv2010.1.src.rpm

2010.1 x86_64

 f51ac980b70b96bfe48575a60a88f47c  2010.1/x86_64/cups-1.4.3-3.1mdv2010.1.x86_64.rpm
 c047a2e90beb9f334f2da4277c15d872  2010.1/x86_64/cups-common-1.4.3-3.1mdv2010.1.x86_64.rpm
 ab9573477e232a9cf54dd3ed40b9a9f6  2010.1/x86_64/cups-serial-1.4.3-3.1mdv2010.1.x86_64.rpm
 f96a93e27da3a9142e70c72a18f7494c  2010.1/x86_64/lib64cups2-1.4.3-3.1mdv2010.1.x86_64.rpm
 326b6774348b3c41b4ed911808d58492  2010.1/x86_64/lib64cups2-devel-1.4.3-3.1mdv2010.1.x86_64.rpm
 6e5178b97282ac7c7849cbeba67a06ac  2010.1/x86_64/php-cups-1.4.3-3.1mdv2010.1.x86_64.rpm 
 df703f53ef8294b56b6339fd7cd98c4f  2010.1/SRPMS/cups-1.4.3-3.1mdv2010.1.src.rpm
