After looking at this patch in detail, it doesn't actually prevent users in the 
lpadmin group from modifying cupsd.conf and performing the specified privilege 
escalation.

An alternate fix for cups-1.5 and earlier that specifically addresses the 
reported problem by requiring the log files to reside in CUPS_LOGDIR:

Attachment: alt-CVE-2012-5519.patch


On 2012-11-27, at 9:30 AM, Marc Deslauriers <marc.deslauri...@canonical.com> 
wrote:

> FYI, as a security fix for our stable releases in Ubuntu, we plan on
> disabling cupsd.conf modification in the web interface entirely.
> Attached is the patch we plan on using.
> 
> Marc.
> <CVE-2012-5519.patch>

________________________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
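
The containment rule the message above describes (log files must reside in CUPS_LOGDIR), sketched as an added example; it is not the attached patch and not CUPS source code. The directory value, the helper names and the sample paths are constructed assumptions, and the check is lexical only, so symlinks under the log directory need separate handling.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the build-time CUPS_LOGDIR value (assumption). */
#define EXAMPLE_LOGDIR "/var/log/cups"

/* Lexically normalize an absolute path: collapse "//", "." and "..".
 * Symlinks are NOT resolved. Returns 0 on success, -1 on error. */
static int normalize_path(const char *path, char *out, size_t outsize)
{
  size_t len = 0;
  if (!path || path[0] != '/' || outsize < 2) return -1;
  while (*path) {
    while (*path == '/') path++;               /* skip separators */
    const char *seg = path;
    while (*path && *path != '/') path++;      /* find end of component */
    size_t seglen = (size_t)(path - seg);
    if (seglen == 0 || (seglen == 1 && seg[0] == '.')) continue;
    if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
      while (len > 0 && out[--len] != '/') {}  /* drop last component */
      continue;
    }
    if (len + 1 + seglen >= outsize) return -1;
    out[len++] = '/';
    memcpy(out + len, seg, seglen);
    len += seglen;
  }
  if (len == 0) out[len++] = '/';
  out[len] = '\0';
  return 0;
}

/* Hypothetical helper: 1 only if path names a file strictly inside logdir. */
static int log_path_allowed(const char *logdir, const char *path)
{
  char dir[1024], file[1024];
  size_t dirlen;
  if (normalize_path(logdir, dir, sizeof(dir)) ||
      normalize_path(path, file, sizeof(file))) return 0;
  dirlen = strlen(dir);
  if (dirlen == 1) return file[1] != '\0';     /* logdir is "/" */
  /* Match must end on a component boundary: "/var/log/cups-x" is outside. */
  return strncmp(file, dir, dirlen) == 0 && file[dirlen] == '/';
}

int main(void)
{
  printf("%d %d\n", log_path_allowed(EXAMPLE_LOGDIR, "/var/log/cups/error_log"),
         log_path_allowed(EXAMPLE_LOGDIR, "/var/log/cups/../../../etc/example.conf"));
  return 0;
}
```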
