CVE-2014-5029

Name of the Vulnerable Software and Affected Versions CUPS version 1.7.4

Description The issue allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ by setting the language[0] variable to null. This is due to an incomplete fix for a previous issue. Multiple vulnerabilities in the CUPS package of the Debian GNU/Linux operating system can lead to a breach of protected information, and exploitation can be done remotely.

Recommendations For CUPS version 1.7.4, consider restricting access to the /var/cache/cups/rss/ directory to prevent symlink attacks, and avoid setting the language[0] variable to null to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.