Debian Security Advisory

DSA-1530-1 cupsys -- Several vulnerabilities

Date Reported: 25 Mar 2008
Affected Packages: cupsys
Security database references:
  In the Debian bugtracking system: Bug 472105, Bug 467653.
  In Mitre's CVE dictionary: CVE-2008-0047, CVE-2008-0882.
More information:

Several local/remote vulnerabilities have been discovered in cupsys, the Common Unix Printing System. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2008-0047

    Heap-based buffer overflow in CUPS, when printer sharing is enabled, allows remote attackers to execute arbitrary code via crafted search expressions.

  • CVE-2008-0882

    Double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly the execution of arbitrary code via crafted packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer.

For the stable distribution (etch), these problems have been fixed in version 1.2.7-4etch3.

We recommend that you upgrade your cupsys packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Architecture-independent component:
Intel IA-32:
Intel IA-64:
Big-endian MIPS:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.