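Debian Security Advisory
DSA-4243-1 cups -- security update
- Date Reported:
- 11 Jul 2018
- Affected Packages:
- cups
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2017-15400, CVE-2018-4180, CVE-2018-4181, CVE-2018-6553.
- More information:
Several vulnerabilities were discovered in CUPS. These issues have been identified with the following CVE IDs: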
- CVE-2017-15400
Rory McNamara discovered that an attacker is able to execute arbitrary commands (with the privilege of the CUPS daemon) by setting a malicious IPP server with a crafted PPD file.
- CVE-2018-4180
Dan Bastone of Gotham Digital Science discovered that a local attacker with access to cupsctl could escalate privileges by setting an environment variable.
- CVE-2018-4181
Eric Rafaloff and John Dunlap of Gotham Digital Science discovered that a local attacker can perform limited reads of arbitrary files as root by manipulating cupsd.conf.
- CVE-2018-4182
Dan Bastone of Gotham Digital Science discovered that an attacker with sandboxed root access can execute backends without a sandbox profile by provoking an error in CUPS' profile creation.
- CVE-2018-4183
Dan Bastone and Eric Rafaloff of Gotham Digital Science discovered that an attacker with sandboxed root access can execute arbitrary commands as unsandboxed root by modifying /etc/cups/cups-files.conf.
- CVE-2018-6553
Dan Bastone of Gotham Digital Science discovered that an attacker can bypass the AppArmor cupsd sandbox by invoking the dnssd backend using an alternate name that has been hard linked to dnssd.
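For the stable distribution (stretch), these problems have been fixed in version 2.2.1-8+deb9u2.
We recommend that you upgrade your cups packages.
For the detailed security status of cups, please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cups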