PT-2010-5632 · Apple+1 · Cups-Common+13

Tim Waugh · Published 1970-01-01 · Updated 2024-06-15 · CVE-2010-0393

CVSS v2.0: 6.9 (Medium)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

CUPS versions 1.2.2, 1.3.7, 1.3.9, and 1.4.1
libcups2 (affected versions not specified)
libcups2-dev (affected versions not specified)
libcupsimage2 (affected versions not specified)
libcupsimage2-dev (affected versions not specified)
libcupsys2 (affected versions not specified)
libcupsys2-dev (affected versions not specified)
cups-common (affected versions not specified)
cups-client (affected versions not specified)
cups-bsd (affected versions not specified)
cups-dbg (affected versions not specified)
cupsys (affected versions not specified)
cupsys-client (affected versions not specified)
cupsys-common (affected versions not specified)
cupsys-bsd (affected versions not specified)
cupsys-dbg (affected versions not specified)

Description

The issue is related to multiple vulnerabilities in the CUPS package and its related components in the Debian GNU/Linux operating system. These vulnerabilities can be exploited by a local attacker to compromise the confidentiality, integrity, and availability of protected information.

The cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS, relies on an environment variable to determine the file that provides localized message strings, which allows local users to gain privileges via a file that contains crafted localization data with format string specifiers.

Recommendations

For CUPS versions 1.2.2, 1.3.7, 1.3.9, and 1.4.1: consider disabling the cupsGetlang function until a patch is available.

For libcups2, libcups2-dev, libcupsimage2, libcupsimage2-dev, libcupsys2, libcupsys2-dev, cups-common, cups-client, cups-bsd, cups-dbg, cupsys, cupsys-client, cupsys-common, cupsys-bsd, and cupsys-dbg: at the moment, there is no information about a newer version that contains a fix for this vulnerability.
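
The description above comes down to a privileged program passing a format string from a user-selectable file to a printf-style function. The following added example (not CUPS code and not the vendor fix) shows one defensive pattern: accept a translated format only if it consumes exactly the same arguments as the built-in message. The names checked_format and fmt_signature are hypothetical, and the message strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Write the argument signature of a printf format into sig (e.g. "sd").
 * Returns -1 for anything outside a small allow-list (%n, '*', '$', ...). */
static int fmt_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')                              /* literal "%%" */
            continue;
        while (*p && strchr("-+ #0", *p)) p++;        /* flags */
        while (*p >= '0' && *p <= '9') p++;           /* width */
        if (*p == '.')                                /* precision */
            do p++; while (*p >= '0' && *p <= '9');
        if (n + 3 > siglen)                           /* room for "lX" + NUL */
            return -1;
        if (*p == 'l')                                /* only length modifier allowed */
            sig[n++] = *p++;
        if (*p == '\0' || !strchr("diouxXcs", *p))
            return -1;
        sig[n++] = *p;
    }
    sig[n] = '\0';
    return 0;
}

/* Return the translated format only if it takes the same arguments, in the
 * same order, as the trusted built-in message; otherwise use the built-in. */
const char *checked_format(const char *builtin, const char *translated)
{
    char want[32], got[32];
    if (translated == NULL || fmt_signature(builtin, want, sizeof(want)) != 0 ||
        fmt_signature(translated, got, sizeof(got)) != 0 || strcmp(want, got) != 0)
        return builtin;
    return translated;
}

int main(void)
{
    /* Constructed strings, not taken from a real CUPS message catalog. */
    const char *builtin = "lppasswd: unable to open %s (error %d)\n";
    const char *crafted = "lppasswd: %s %d %x %x %n\n";
    printf(checked_format(builtin, crafted), "passwd.md5", 13); /* built-in is used */
    return 0;
}
```

A setuid program should additionally ignore environment variables that select the catalog location, so that this check is a second layer rather than the only one.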

Weakness Enumeration

Related Identifiers

BDU:2015-01427
BDU:2015-01428
BDU:2015-01429
BDU:2015-01430
BDU:2015-01431
BDU:2015-01432
BDU:2015-01433
BDU:2015-01434
BDU:2015-01435
BDU:2015-03343
BDU:2015-03344
BDU:2015-03345
BDU:2015-03346
BDU:2015-03347
BDU:2015-03348
CVE-2010-0393
DSA-2007-1
OPENSUSE-SU-2024:10075-1

Affected Products

Cups
Debian
Cups-Bsd
Cups-Client
Cups-Common
Cups-Dbg
Cupsys
Cupsys-Bsd
Cupsys-Dbg
Libcups2
Libcups2-Dev
Libcupsimage2
Libcupsimage2-Dev
Libcupsys2