The OPVPWrapper::loadDriver function in oprs/OPVPWrapper.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allows local users to gain privileges via a Trojan horse driver in the same directory as the PDF file.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ubuntu_linux | Canonical | 10.04 (including) | 10.04 (including) |
| Ubuntu_linux | Canonical | 12.04 (including) | 12.04 (including) |
| Ubuntu_linux | Canonical | 12.10 (including) | 12.10 (including) |
| Ubuntu_linux | Canonical | 13.10 (including) | 13.10 (including) |
| Debian_linux | Debian | * | * |
| Fedora | Fedoraproject | * | * |
| Cups | Ubuntu | lucid | * |
| Cups-filters | Ubuntu | devel | * |
| Cups-filters | Ubuntu | precise | * |
| Cups-filters | Ubuntu | quantal | * |
| Cups-filters | Ubuntu | saucy | * |
| Cups-filters | Ubuntu | upstream | * |
References
- http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7176
- http://www.debian.org/security/2014/dsa-2875
- http://www.debian.org/security/2014/dsa-2876
- http://www.ubuntu.com/usn/USN-2143-1
- http://www.ubuntu.com/usn/USN-2144-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1027551
- http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7176
- http://www.debian.org/security/2014/dsa-2875
- http://www.debian.org/security/2014/dsa-2876
- http://www.ubuntu.com/usn/USN-2143-1
- http://www.ubuntu.com/usn/USN-2144-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1027551