GLSA-201404-01 : CUPS: Arbitrary file read/write

High Nessus Plugin ID 73390


The remote Gentoo host is missing one or more security-related patches.


The remote host is affected by the vulnerability described in GLSA-201404-01 (CUPS: Arbitrary file read/write).

Members of the lpadmin group have admin access to the web interface, where they can edit the config file and set some “dangerous” directives (like the log filenames), which enable them to read or write files as the user running the CUPS webserver.

Impact :

A local attacker could possibly exploit this vulnerability to read or write files as the user running the CUPS webserver.

Workaround :

There is no known workaround at this time.


All CUPS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-print/cups-1.6.2-r5'

Plugin Details

Severity: High

ID: 73390

File Name: gentoo_GLSA-201404-01.nasl

Version: $Revision: 1.4 $

Type: local

Published: 2014/04/08

Modified: 2015/04/13

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:cups, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/04/07

Reference Information

CVE: CVE-2012-5519

BID: 56494

OSVDB: 87635

GLSA: 201404-01