Tim Waugh

**Name of the Vulnerable Software and Affected Versions** foomatic-rip filter, all versions **Description** The issue arises when the foomatic-rip filter is used insecurely, creating temporary files to store PostScript data while the debug mode is enabled. This can be exploited by a local attacker to conduct symlink attacks, allowing them to overwrite arbitrary files accessible with the privileges of the user running the foomatic-rip universal print filter. **Recommendations** For all versions, consider disabling the debug mode to prevent the creation of temporary files that could be exploited for symlink attacks. As a temporary workaround, restrict access to the foomatic-rip filter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** foomatic-rip filter versions 4.0.12 and prior **Description** The issue allows a local attacker to conduct symlink attacks by overwriting arbitrary files accessible with the privileges of the user running the foomatic-rip universal print filter. This is possible because the foomatic-rip filter insecurely creates temporary files for storage of PostScript data when the debug mode is enabled. **Recommendations** For versions 4.0.12 and prior, consider disabling the debug mode as a temporary workaround to minimize the risk of exploitation. Restrict access to the foomatic-rip filter to minimize the risk of arbitrary file overwrites. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** HP Linux Imaging and Printing (HPLIP) versions 3.12.4 and earlier **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on temporary files, potentially leading to disruption of confidentiality, integrity, and availability of protected information. A local attacker can exploit this to cause harm. **Recommendations** For HP Linux Imaging and Printing (HPLIP) versions 3.12.4 and earlier, consider restricting access to the temporary files /tmp/hpcupsfilterc #.bmp, /tmp/hpcupsfilterk #.bmp, /tmp/hpcups job#.out, /tmp/hpijs #####.out, and /tmp/hpps job#.out to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CUPS versions 1.3.7 CUPS-devel versions 1.3.7 cups-lpd versions 1.3.7 cups-libs versions 1.3.7 **Description** The issue is related to a use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function, which can be exploited remotely to cause a denial of service, such as a daemon crash or hang. This can lead to a disruption of confidentiality, integrity, and availability of protected information. The vulnerability can be exploited when kqueue or epoll is used, and it is related to improperly maintaining a reference count. **Recommendations** For CUPS versions 1.3.7, update to version 1.4.4 or later to resolve the issue. For CUPS-devel versions 1.3.7, update to version 1.4.4 or later to resolve the issue. For cups-lpd versions 1.3.7, update to version 1.4.4 or later to resolve the issue. For cups-libs versions 1.3.7, update to version 1.4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CUPS versions 1.3.7 through 1.3.10 **Description** The issue is related to a use-after-free vulnerability in the abstract file-descriptor handling interface in the `cupsdDoSelect` function. This vulnerability allows remote attackers to cause a denial of service, resulting in a daemon crash or hang, by disconnecting during the listing of a large number of print jobs. The problem is caused by improperly maintaining a reference count. **Recommendations** For versions 1.3.7 and 1.3.10, consider disabling the `cupsdDoSelect` function as a temporary workaround until a patch is available. Restrict access to the scheduler in cupsd to minimize the risk of exploitation. Avoid using the affected interface during the listing of print jobs until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CUPS versions 1.2.2, 1.3.7, 1.3.9, and 1.4.1 libcups2 (affected versions not specified) libcups2-dev (affected versions not specified) libcupsimage2 (affected versions not specified) libcupsimage2-dev (affected versions not specified) libcupsys2 (affected versions not specified) libcupsys2-dev (affected versions not specified) cups-common (affected versions not specified) cups-client (affected versions not specified) cups-bsd (affected versions not specified) cups-dbg (affected versions not specified) cupsys (affected versions not specified) cupsys-client (affected versions not specified) cupsys-common (affected versions not specified) cupsys-bsd (affected versions not specified) cupsys-dbg (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in the CUPS package and its related components in the Debian GNU/Linux operating system. These vulnerabilities can be exploited by a local attacker to compromise the confidentiality, integrity, and availability of protected information. The cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS, relies on an environment variable to determine the file that provides localized message strings, which allows local users to gain privileges via a file that contains crafted localization data with format string specifiers. **Recommendations** For CUPS versions 1.2.2, 1.3.7, 1.3.9, and 1.4.1: consider disabling the cupsGetlang function until a patch is available. For libcups2, libcups2-dev, libcupsimage2, libcupsimage2-dev, libcupsys2, libcupsys2-dev, cups-common, cups-client, cups-bsd, cups-dbg, cupsys, cupsys-client, cupsys-common, cupsys-bsd, and cupsys-dbg: At the moment, there is no information about a newer version that contains a fix for this vulnerability.