Errata overview
Errata ID 321
Date 2015-09-23
Source package cups
Fixed in version 1.5.3-5.96.201509111033
Multiple security vulnerabilities have been fixed in cups:
* Integer underflow in the cupsRasterReadPixels function in
  filter/raster.c in CUPS before 2.0.2 allows remote attackers to
  have unspecified impact via a malformed compressed raster file,
  which triggers a buffer overflow (CVE-2014-9679).
* The add_job function in scheduler/ipp.c in cupsd in CUPS before
  2.0.3 performs incorrect free operations for multiple-value
  job-originating-host-name attributes, which allows remote
  attackers to trigger data corruption for reference-counted strings
  via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as
  demonstrated by replacing the configuration file and consequently
  executing arbitrary code (CVE-2015-1158).
* Cross-site scripting (XSS) vulnerability in the cgi_puts function
  in cgi-bin/template.c in the template engine in CUPS before 2.0.3
  allows remote attackers to inject arbitrary web script or HTML via
  the QUERY parameter to help/ (CVE-2015-1159).
Additional notes
CVE ID CVE-2014-9679
UCS Bug number #37815