CVE-2015-1158

Name of the Vulnerable Software and Affected Versions CUPS versions prior to 2.0.3

Description The issue is related to the add job function in the scheduler/ipp.c file of the CUPS server, which performs incorrect free operations for multiple-value job-originating-host-name attributes. This allows remote attackers to trigger data corruption for reference-counted strings via crafted IPP requests, such as IPP CREATE JOB or IPP PRINT JOB requests. The exploitation of this issue can lead to the modification of the device's configuration file or the execution of arbitrary code.

Recommendations For versions prior to 2.0.3, update to version 2.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the add job function in the scheduler/ipp.c file until a patch is available. Avoid using the IPP CREATE JOB and IPP PRINT JOB requests in the affected API endpoints until the issue is resolved.