CUPS printer service update closes security holes
Three security holes in CUPS, the printer service for Unix systems such as Linux and Mac OS X, have been closed in version 1.3.9. According to the release notes, previous versions of CUPS are vulnerable to remote code exploitation when the service is given SGI format image files for manipulation or when printing text files. The issues relate directly to the imagetops and texttops filters.
On Mac OS X only, previous versions of the hgltops filter are vulnerable to a remote code exploit which can be found when printing documents to a virtual HPGL Plotter. The issues would allow an attacker to run malicious programs, but only with the privileges of the printer process, though this could be a route for other attacks. The issues were all reported in late August and early September.
The 1.3.9 update also contains a large number of fixes for non security issues which are listed in the CUPS 1.3.9 Changelog.