USN-906-1: CUPS vulnerabilities

3 March 2010

cups, cupsys vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software Description

  • cups
  • cupsys


It was discovered that the CUPS scheduler did not properly handle certain network operations. A remote attacker could exploit this flaw and cause the CUPS server to crash, resulting in a denial of service. This issue only affected Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10. (CVE-2009-3553, CVE-2010-0302)

Ronald Volgers discovered that the CUPS lppasswd tool could be made to load localized message strings from arbitrary files by setting an environment variable. A local attacker could exploit this with a format-string vulnerability leading to a root privilege escalation. The default compiler options for Ubuntu 8.10, 9.04 and 9.10 should reduce this vulnerability to a denial of service. (CVE-2010-0393)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10

  • cups - 1.4.1-5ubuntu2.4
  • cups-client - 1.4.1-5ubuntu2.4

Ubuntu 9.04

  • cups - 1.3.9-17ubuntu3.6
  • cups-client - 1.3.9-17ubuntu3.6

Ubuntu 8.10

  • cups - 1.3.9-2ubuntu9.5
  • cups-client - 1.3.9-2ubuntu9.5

Ubuntu 8.04 LTS

  • cupsys - 1.3.7-1ubuntu3.8
  • cupsys-client - 1.3.7-1ubuntu3.8

Ubuntu 6.06 LTS

  • cupsys - 1.2.2-0ubuntu0.6.06.17
  • cupsys-client - 1.2.2-0ubuntu0.6.06.17

To update your system, please follow these instructions:

In general, a standard system upgrade is sufficient to effect the necessary changes.
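
A post-upgrade check against the fixed versions listed above, added here as an example and not part of the original notice. It reimplements Debian version ordering in Python so that a reported package version can be compared with the advisory's table; the function names are illustrative, and on a live system `dpkg --compare-versions` performs the same comparison.

```python
import re
from itertools import zip_longest

# Fixed versions copied from the advisory: release -> package -> version.
FIXED = {
    "9.10": {"cups": "1.4.1-5ubuntu2.4", "cups-client": "1.4.1-5ubuntu2.4"},
    "9.04": {"cups": "1.3.9-17ubuntu3.6", "cups-client": "1.3.9-17ubuntu3.6"},
    "8.10": {"cups": "1.3.9-2ubuntu9.5", "cups-client": "1.3.9-2ubuntu9.5"},
    "8.04": {"cupsys": "1.3.7-1ubuntu3.8", "cupsys-client": "1.3.7-1ubuntu3.8"},
    "6.06": {"cupsys": "1.2.2-0ubuntu0.6.06.17", "cupsys-client": "1.2.2-0ubuntu0.6.06.17"},
}

def _order(ch):
    # '~' sorts before everything (even end of string); letters before other symbols.
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit / digit runs, the way dpkg orders versions.
    pairs = zip_longest(re.findall(r"([^0-9]*)([0-9]*)", a),
                        re.findall(r"([^0-9]*)([0-9]*)", b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in pairs:
        for ca, cb in zip_longest(sa, sb):
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return -1 if oa < ob else 1
        ia, ib = int(na or 0), int(nb or 0)  # digit runs compare numerically
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; missing epoch is 0, missing revision is "0".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def compare_versions(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(release, package, installed):
    """True when the installed version is at or above the advisory's fix."""
    return compare_versions(installed, FIXED[release][package]) >= 0
```

A plain string comparison would rank `0.6.06.9` above `0.6.06.17`; the numeric handling of digit runs is what makes the check reliable.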