RHEL 3 : cups (RHSA-2004:543)

critical Nessus Plugin ID 15630

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

Updated cups packages that fix denial of service issues, a security information leak, and various other bugs are now available.

The Common UNIX Printing System (CUPS) is a print spooler.

During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect xpdf. CUPS contains a copy of the xpdf code used for parsing PDF files and is therefore affected by these bugs. An attacker who has the ability to send a malicious PDF file to a printer could cause CUPS to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0888 to this issue.

When set up to print to a shared printer via Samba, CUPS would authenticate with that shared printer using a username and password. By default, the username and password used to connect to the Samba share are written to the error log file. A local user who is able to read the error log file could collect these usernames and passwords. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0923 to this issue.

These updated packages also include a fix that prevents some CUPS configuration files from being accidentally replaced.

All users of CUPS should upgrade to these updated packages, which resolve these issues.

Solution

Update the affected cups, cups-devel and/or cups-libs packages.

See Also

https://access.redhat.com/security/cve/cve-2004-0888

https://access.redhat.com/security/cve/cve-2004-0923

https://access.redhat.com/errata/RHSA-2004:543

Plugin Details

Severity: Critical

ID: 15630

File Name: redhat-RHSA-2004-543.nasl

Version: 1.27

Type: local

Agent: unix

Published: 11/4/2004

Updated: 1/14/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:cups, p-cpe:/a:redhat:enterprise_linux:cups-devel, p-cpe:/a:redhat:enterprise_linux:cups-libs, cpe:/o:redhat:enterprise_linux:3

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 10/22/2004

Vulnerability Publication Date: 1/27/2005

Reference Information

CVE: CVE-2004-0888, CVE-2004-0923

RHSA: 2004:543