CVE-2014-5031 – cups: world-readable permissions
https://notcve.org/view.php?id=CVE-2014-5031
The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtains sensitive information via unspecified vectors. La interfaz web en CUPS anterior a 2.0 no comprueba que los ficheros tienen permisos de lectura universal, lo que permite a atacantes remotos obtener información sensible a través de vectores no especificados. It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. • http://advisories.mageia.org/MGASA-2014-0313.html http://rhn.redhat.com/errata/RHSA-2014-1388.html http://secunia.com/advisories/60509 http://secunia.com/advisories/60787 http://www.debian.org/security/2014/dsa-2990 http://www.mandriva.com/security/advisories?name=MDVSA-2015:108 http://www.openwall.com/lists/oss-security/2014/07/22/13 http://www.openwall.com/lists/oss-security/2014/07/22/2 http://www.ubuntu.com/usn/USN-2341-1 https://cups.org/str.php • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-5029 – cups: Incomplete fix for CVE-2014-3537
https://notcve.org/view.php?id=CVE-2014-5029
The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537. La interfaz web en CUPS 1.7.4 permite a usuarios locales en el grupo lp leer ficheros arbitrarios a través de un ataque de enlace simbólico sobre un fichero en /var/cache/cups/rss/ y language[0] configurado a nulo. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2014-3537. It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. • http://advisories.mageia.org/MGASA-2014-0313.html http://rhn.redhat.com/errata/RHSA-2014-1388.html http://secunia.com/advisories/60509 http://secunia.com/advisories/60787 http://www.debian.org/security/2014/dsa-2990 http://www.mandriva.com/security/advisories?name=MDVSA-2015:108 http://www.openwall.com/lists/oss-security/2014/07/22/13 http://www.openwall.com/lists/oss-security/2014/07/22/2 http://www.ubuntu.com/usn/USN-2341-1 https://cups.org/str.php • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2014-3537 – cups: insufficient checking leads to privilege escalation
https://notcve.org/view.php?id=CVE-2014-3537
The web interface in CUPS before 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/. La interfaz web en CUPS anterior a 1.7.4 permite a usuarios locales en el grupo lp leer ficheros arbitrarios a través de un ataque de enlace simbólico sobre un fichero en /var/cache/cups/rss/. It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. • http://advisories.mageia.org/MGASA-2014-0313.html http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html http://lists.fedoraproject.org/pipermail/package-announce/2014-July/135528.html http://rhn.redhat.com/errata/RHSA-2014-1388.html http://secunia.com/advisories/59945 http://secunia.com/advisories/60273 http://secunia.com/advisories/60787 http://www.cups.org/blog.php?L724 http://www.cups.org/str.php?L4450 http://www.mandriva.com/security/advisories?name=MDVSA-2015 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2014-4699 – Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2014-4699
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. El kernel de Linux anterior a 3.15.4 en los procesadores Intel no restringe debidamente el uso de un valor no canónico para la dirección RIP guardada en el caso de una llamada del sistema que no utilice IRET, lo que permite a usuarios locales aprovechar una condición de carrera y ganar privilegios, o causar una denegación de servicio (fallo doble), a través de una aplicación manipulada que realice llamadas de sistemas ptrace y fork. It was found that the Linux kernel's ptrace subsystem allowed a traced process' instruction pointer to be set to a non-canonical memory address without forcing the non-sysret code path when returning to user space. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. Note: The CVE-2014-4699 issue only affected systems using an Intel CPU. • https://www.exploit-db.com/exploits/34134 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a http://linux.oracle.com/errata/ELSA-2014-0924.html http://linux.oracle.com/errata/ELSA-2014-3047.html http://linux.oracle.com/errata/ELSA-2014-3048.html http://openwall.com/lists/oss-security/2014/07/05/4 http://openwall.com/lists/oss-security/2014/07/08/16 http://openwall.com/lists/oss-security/2014/07/08 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-642: External Control of Critical State Data •
CVE-2014-4608 – kernel: lzo1x_decompress_safe() integer overflow
https://notcve.org/view.php?id=CVE-2014-4608
Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says "the Linux kernel is *not* affected; media hype. ** DISPUTADA ** Múltiples desbordamientos de enteros en la función lzo1x_decompress_safe en lib/lzo/lzo1x_decompress_safe.c en el descompresor LZO en el kernel de Linux anterior a 3.15.2 permiten a atacantes dependientes de contexto causar una denegación de servicio (corrupción de memoria) a través de un 'Literal Run' manipulado. NOTA: el autor de los algoritmos LZO algorithms dice que 'el kernel de Linux *no* está afectado; sensacionalismo periodístico.' An integer overflow flaw was found in the way the lzo1x_decompress_safe() function of the Linux kernel's LZO implementation processed Literal Runs. A local attacker could, in extremely rare cases, use this flaw to crash the system or, potentially, escalate their privileges on the system. • http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=206a81c18401c0cde6e579164f752c4b147324ce http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http://rhn.redhat.com/errata/RHSA-2015-0062.html http://secunia.com/advisori • CWE-190: Integer Overflow or Wraparound •