CVE-2015-1158
cups - security update
EPSS 82.3%
Description
The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.
How to fix CVE-2015-1158
To remediate CVE-2015-1158, upgrade the affected package to a fixed version below.
- Debian/cups—upgrade to 1.7.5-12 or later
- —upgrade to 1.4.4-7+squeeze8 or later
- —upgrade to 1.5.3-5+deb7u6 or later
Is CVE-2015-1158 being exploited?
Likely — EPSS is 82.3%, placing CVE-2015-1158 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (3)
- from 0, < 1.7.5-12
- from 0, < 1.4.4-7+squeeze8
- from 0, < 1.5.3-5+deb7u6