We've determined through source code analysis that the older versions of CUPS as
shipped in Red Hat Enterprise Linux 3 and 4 do not contain the code that can
cause this double-free to occur. We also tested this using a reproducer.
Red Hat Enterprise Linux 5 does have the double-free and we can cause CUPS to
remotely crash using an internal reproducer. However the glibc pointer checking
as part of Enterprise Linux 5 limits the exploitability of this issue to just a
crash of CUPS and not the ability to execute arbitrary code.
We've determined through source code analysis that the older versions of CUPS as
shipped in Red Hat Enterprise Linux 3 and 4 do not contain the code that can
cause this double-free to occur. We also tested this using a reproducer.
Red Hat Enterprise Linux 5 does have the double-free and we can cause CUPS to
remotely crash using an internal reproducer. However the glibc pointer checking
as part of Enterprise Linux 5 limits the exploitability of this issue to just a
crash of CUPS and not the ability to execute arbitrary code.