{"id":"MGASA-2014-0313","summary":"Updated cups packages fix security vulnerability","details":"In CUPS before 1.7.4, a local user with privileges of group=lp can write\nsymbolic links in the rss directory and use that to gain '@SYSTEM' group\nprivilege with cupsd (CVE-2014-3537).\n\nIt was discovered that the web interface in CUPS incorrectly validated\npermissions on rss files and directory index files. A local attacker could\npossibly use this issue to bypass file permissions and read arbitrary files,\npossibly leading to a privilege escalation (CVE-2014-5029, CVE-2014-5030,\nCVE-2014-5031).\n","modified":"2026-04-16T06:23:03.775324569Z","published":"2014-08-05T20:08:48Z","upstream":["CVE-2014-3537","CVE-2014-5029","CVE-2014-5030","CVE-2014-5031"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0313.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=13783"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135528.html"},{"type":"WEB","url":"https://www.debian.org/security/2014/dsa-2990"}],"affected":[{"package":{"name":"cups","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/cups?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.4-9.4.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0313.json"}},{"package":{"name":"cups","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/cups?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.0-7.3.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0313.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}