8.40. cups

Updated cups packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.

Security Fixes

CVE-2014-2856
A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.
CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031
It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the lp group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.
The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat Product Security.
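The symlink issue above is a class of bug a practitioner can check for on a running system and guard against in code. The following is an added example, not CUPS code and not part of the advisory: it audits a cache directory for symbolic links, flags those whose resolved target lies outside the directory, and shows the open(2) flag that refuses to follow a link in the final path component. The directory layout, file names and the `demo()` helper are constructed for the example.

```python
import os
import stat
import tempfile

# Added example (not CUPS code). Audits a cache directory for symbolic links
# of the kind described in the advisory and shows the open(2) flag that
# refuses to follow one. The sample layout built in demo() is constructed.


def find_symlinks(root):
    """Return (link_path, link_target, owner_uid, escapes_root) for every
    symlink below root. escapes_root is True when the resolved target lies
    outside root, i.e. the link could redirect a privileged reader or writer
    to an arbitrary file on the system."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # walk does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat inspects the link itself, not its target
            if not stat.S_ISLNK(st.st_mode):
                continue
            resolved = os.path.realpath(path)
            escapes = os.path.commonpath([root, resolved]) != root
            findings.append((path, os.readlink(path), st.st_uid, escapes))
    return findings


def open_cache_file(path):
    """Open a cache file, refusing to follow a symlink in the last path
    component (the kernel returns ELOOP). O_NOFOLLOW guards only that
    component; a symlinked parent directory still needs a directory fd and
    openat()-style handling, which this example does not cover."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    return os.fdopen(fd, "rb")


def demo():
    """Build a throwaway cache tree with one ordinary file and one symlink
    pointing outside it, audit it, and try the guarded open on the link.
    Returns (findings, refused)."""
    base = tempfile.mkdtemp()
    cache = os.path.join(base, "cache")
    os.makedirs(os.path.join(cache, "rss"))
    # Stands in for a file outside the cache that a cache reader must not reach.
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("not for the lp group\n")
    with open(os.path.join(cache, "rss", "feed.xml"), "w") as f:
        f.write("<rss/>\n")
    os.symlink(secret, os.path.join(cache, "rss", "leak"))

    findings = find_symlinks(cache)
    try:
        open_cache_file(os.path.join(cache, "rss", "leak")).close()
        refused = False
    except OSError:
        refused = True
    return findings, refused


if __name__ == "__main__":
    found, refused = demo()
    for path, target, uid, escapes in found:
        flag = "ESCAPES ROOT" if escapes else ""
        print(f"{path} -> {target} (uid {uid}) {flag}")
    print("guarded open refused the link:", refused)
```

Run `find_symlinks("/var/cache/cups")` as root to audit a real system; any link owned by a non-root uid, or any link that escapes the directory, deserves a look. The ownership is reported rather than judged because the expected owner depends on how the local spool is configured.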

Bug Fixes

BZ#769292
When the system was suspended while polling a configured BrowsePoll server, resuming it left the cups-polld process waiting for a response on a connection that had already been dropped, so discovered printers disappeared. An HTTP timeout is now used so the request can be retried. As a result, printers that use BrowsePoll remain available in the described scenario.
BZ#852846
A problem with HTTP multipart handling in the CUPS scheduler caused some browsers to not work correctly when attempting to add a printer using the web interface. This has been fixed by applying a patch from a later version, and all browsers now work as expected when adding printers.
BZ#855431
When a discovered remote queue was determined to no longer be available, the local queue was deleted. A logic error in the CUPS scheduler caused problems in this situation when there was a job queued for such a destination. This bug has been fixed so that jobs are not started for removed queues.
BZ#884851
CUPS maintains a cache of frequently used string values. Previously, when a returned string value was modified, the cache lost its consistency, which led to increased memory usage. Instances where this happened have been corrected to treat the returned values as read-only.
BZ#971079
A missing check has been added, preventing the scheduler from terminating when logging a message about not being able to determine a job's file type.
BZ#978387
A fix for incorrect handling of collection attributes in the Internet Printing Protocol (IPP) version 2.0 replies has been applied.
BZ#984883
The CUPS scheduler did not use the fsync() function when modifying its state files, such as printers.conf, which could lead to truncated CUPS configuration files in the event of power loss. A new cupsd.conf directive, SyncOnClose, has been added to enable the use of fsync() on such files. The directive is enabled by default.
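The truncation problem described above comes from rewriting a state file in place: between the truncating open and the data reaching disk, a power loss leaves a zero-length or partial file. The following is an added example, not the CUPS scheduler's code: it contrasts that in-place write with a write-to-temporary, fsync(), rename(), fsync-the-directory sequence. The rename step goes beyond what the SyncOnClose directive does (the directive adds fsync() to the scheduler's existing writes); it is the general pattern for durable, atomic replacement of a configuration file. File names and the `demo()` helper are constructed.

```python
import os
import tempfile

# Added example (not CUPS code). Contrasts the write pattern that can leave a
# truncated state file after power loss with a durable write-temp, fsync,
# rename sequence. The file names used in demo() are constructed.


def write_state_unsafe(path, data):
    """Open with truncation and write in place. From the truncate until the
    data is written back there is a window in which a crash leaves a
    zero-length or partial file, and nothing forces the data out of the
    page cache to disk."""
    with open(path, "w") as f:
        f.write(data)


def write_state_durable(path, data):
    """Write to a temporary file in the same directory, fsync it, rename it
    over the target, then fsync the directory so the rename itself is durable.
    The old contents stay intact until the rename, so no reader and no crash
    ever sees a half-written file. mkstemp creates the file with mode 0600,
    which matches what a scheduler state file should carry anyway."""
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=dirname)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())  # data and metadata of the temp file on disk
        os.rename(tmp, path)  # atomic replace on POSIX filesystems
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise
    dfd = os.open(dirname, os.O_RDONLY)
    try:
        os.fsync(dfd)  # make the directory entry change durable too
    finally:
        os.close(dfd)


def read_state(path):
    with open(path) as f:
        return f.read()


def leftover_temp_files(dirname):
    """Temporary files that a successful durable write must not leave behind."""
    return sorted(n for n in os.listdir(dirname) if n.startswith(".tmp-"))


def demo():
    """Replace a small printers.conf-style file twice with the durable writer
    and return (final contents, leftover temp files)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "printers.conf")
    write_state_durable(path, "<Printer a>\n</Printer>\n")
    write_state_durable(path, "<Printer a>\n</Printer>\n<Printer b>\n</Printer>\n")
    return read_state(path), leftover_temp_files(d)


if __name__ == "__main__":
    contents, leftovers = demo()
    print(contents, end="")
    print("leftover temp files:", leftovers)
```

The directory fsync is the step most often forgotten: without it the new inode may be durable while the directory entry pointing at it is not, and after a crash the rename can appear not to have happened.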
BZ#986495
The default environment variables for jobs were set before the CUPS configuration file was read, leading to the SetEnv directive in the cupsd.conf file having no effect. The variables are now set after reading the configuration, and SetEnv works correctly.
BZ#988598
Older versions of the RPM Package Manager (RPM) were unable to build the cups packages due to a newer syntax being used in the spec file. More portable syntax is now used, allowing older versions to build CUPS as expected.
BZ#1011076
A spelling typo in one of the example options for the cupsctl command has been fixed in the cupsctl(8) man page.
BZ#1012482
The cron script shipped with CUPS was installed with overly permissive mode bits, leaving it group- and world-readable. The file is now installed with mode 0700, removing group and world access.
BZ#1040293
The Generic Security Services (GSS) credentials were cached under certain circumstances. This behavior is incorrect because sending the cached copy could result in a denial due to an apparent replay attack. A patch has been applied to prevent replaying the GSS credentials.
BZ#1104483
A logic error in the web interface code made it impossible to change the Make and Model field for a queue. A patch has been applied to fix this bug, and the field can now be changed as expected.
BZ#1110045
The CUPS scheduler did not check whether the client connection had data available to read before reading. This behavior led to a 10 second timeout in some instances. The scheduler now checks for data availability before reading, avoiding the timeout.
BZ#1120419
The Common Gateway Interface (CGI) scripts were not executed correctly by the CUPS scheduler, causing requests to such scripts to fail. Parameter handling for the CGI scripts has been fixed by applying a patch and the scripts can now be executed properly.
All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.