Mandriva Linux Security Advisory : cups (MDVSA-2014:151)
Medium Nessus Plugin ID 77039
Synopsis
The remote Mandriva Linux host is missing one or more security updates.
Description
Updated cups packages fix security vulnerabilities:
In CUPS before 1.7.4, a local user with privileges of group=lp can write symbolic links in the rss directory and use that to gain '@SYSTEM' group privilege with cupsd (CVE-2014-3537).
It was discovered that the web interface in CUPS incorrectly validated permissions on rss files and directory index files. A local attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation (CVE-2014-5029, CVE-2014-5030, CVE-2014-5031).
Solution
Update the affected packages.