Comment 1 for bug 1088448

TJ (tj) wrote :

Looking at the patches for CVE-2012-5519 committed 3rd December 2012 it seems that the SystemGroup variable was removed from cupsd.conf configuration but existing entries in cupds.conf were not migrated in the post-inst scripts.

cups (1.5.3-0ubuntu5.1) precise-security; urgency=low

  * SECURITY UPDATE: privilege escalation via config file editing
    - debian/patches/CVE-2012-5519.patch: split configuration file into
      two, to isolate options that have a security impact.
    - debian/cups.install: also install cups-files.conf
    - debian/patches/removecvstag.patch: updated to remove tag from
      cups-files.conf.
    - CVE-2012-5519