Referenced CVEs:
CVE-2009-3553, CVE-2010-0302, CVE-2010-0393
Description:
===========================================================
Ubuntu Security Notice USN-906-1             March 03, 2010
cups, cupsys vulnerabilities
CVE-2009-3553, CVE-2010-0302, CVE-2010-0393
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  cupsys                          1.2.2-0ubuntu0.6.06.17
  cupsys-client                   1.2.2-0ubuntu0.6.06.17

Ubuntu 8.04 LTS:
  cupsys                          1.3.7-1ubuntu3.8
  cupsys-client                   1.3.7-1ubuntu3.8

Ubuntu 8.10:
  cups                            1.3.9-2ubuntu9.5
  cups-client                     1.3.9-2ubuntu9.5

Ubuntu 9.04:
  cups                            1.3.9-17ubuntu3.6
  cups-client                     1.3.9-17ubuntu3.6

Ubuntu 9.10:
  cups                            1.4.1-5ubuntu2.4
  cups-client                     1.4.1-5ubuntu2.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the CUPS scheduler did not properly handle certain
network operations. A remote attacker could exploit this flaw and cause the
CUPS server to crash, resulting in a denial of service. This issue only
affected Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10. (CVE-2009-3553,
CVE-2010-0302)

Ronald Volgers discovered that the CUPS lppasswd tool could be made to load
localized message strings from arbitrary files by setting an environment
variable. A local attacker could exploit this with a format-string
vulnerability leading to a root privilege escalation. The default compiler
options for Ubuntu 8.10, 9.04 and 9.10 should reduce this vulnerability to
a denial of service. (CVE-2010-0393)