CVE-2013-6891

Published: 31 December 2013

lppasswd in CUPS before 1.7.1, when running with setuid privileges, allows local users to read portions of arbitrary files via a modified HOME environment variable and a symlink attack involving .cups/client.conf.

Priority

Status

Package	Release	Status
cups Launchpad, Ubuntu, Debian	lucid	Not vulnerable (code not present)
	precise	Not vulnerable (code not present)
	quantal	Released (1.6.1-0ubuntu11.5)
	raring	Released (1.6.2-1ubuntu8)
	saucy	Released (1.7.0~rc1-0ubuntu5.2)
	upstream	Released (1.7.1-1)

References

https://ubuntu.com/security/notices/USN-2082-1
https://www.cve.org/CVERecord?id=CVE-2013-6891
NVD
Launchpad
Debian

Bugs

https://www.cups.org/str.php?L4319

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›