USN-3713-1: CUPS vulnerabilities

Releases

• Ubuntu 18.04 ESM
• Ubuntu 17.10
• Ubuntu 16.04 ESM
• Ubuntu 14.04 ESM

Packages

• cups - Common UNIX Printing System(tm)

Details

It was discovered that CUPS incorrectly handled certain print jobs with
invalid usernames. A remote attacker could possibly use this issue to cause
CUPS to crash, resulting in a denial of service. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2017-18248)

Dan Bastone discovered that the CUPS dnssd backend incorrectly handled
certain environment variables. A local attacker could possibly use this
issue to escalate privileges. (CVE-2018-4180)

Eric Rafaloff and John Dunlap discovered that CUPS incorrectly handled
certain include directives. A local attacker could possibly use this issue
to read arbitrary files. (CVE-2018-4181)

Dan Bastone discovered that the CUPS AppArmor profile incorrectly confined
the dnssd backend. A local attacker could possibly use this issue to escape
confinement. (CVE-2018-6553)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04

• cups - 2.2.7-1ubuntu2.1

Ubuntu 17.10

• cups - 2.2.4-7ubuntu3.1

Ubuntu 16.04

• cups - 2.1.3-4ubuntu0.5

Ubuntu 14.04

• cups - 1.7.2-0ubuntu1.10

In general, a standard system update will make all the necessary changes.

References

• CVE-2017-18248
• CVE-2018-4180
• CVE-2018-4181
• CVE-2018-6553