CVE-2013-6891

Name of the Vulnerable Software and Affected Versions CUPS versions prior to 1.7.1

Description The issue allows local users to read portions of arbitrary files through a modified HOME environment variable and a symlink attack involving the .cups/client.conf file. This occurs when the software is run with setuid privileges.

Recommendations For versions prior to 1.7.1, update to version 1.7.1 or later to resolve the issue. As a temporary workaround, consider restricting the execution of lppasswd with setuid privileges to minimize the risk of exploitation. Avoid using a modified HOME environment variable that could be used in a symlink attack involving the .cups/client.conf file until the issue is resolved.