File _patchinfo of Package patchinfo.6968
<patchinfo incident="6968">
<issue id="1061066" tracker="bnc">DBUS library aborts caller process in _dbus_check_is_valid_utf8</issue>
<issue id="1087018" tracker="bnc">VUL-0: CVE-2017-18248: cups: The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs with an invalid username, related to a D-Bus notification.</issue>
<issue id="1096405" tracker="bnc"></issue>
<issue id="1096406" tracker="bnc"></issue>
<issue id="1096407" tracker="bnc"></issue>
<issue id="1096408" tracker="bnc"></issue>
<issue id="1050082" tracker="bnc"></issue>
<issue id="2017-18248" tracker="cve"></issue>
<issue id="2018-4180" tracker="cve"></issue>
<issue id="2018-4181" tracker="cve"></issue>
<issue id="2018-4182" tracker="cve"></issue>
<issue id="2018-4183" tracker="cve"></issue>
<category>security</category>
<rating>moderate</rating>
<packager>jsmeix</packager>
<description>This update for cups fixes the following issues:

The following security vulnerabilities were fixed:

- CVE-2017-18248: Handle invalid characters properly in printing jobs. This fixes a problem that
  was causing the DBUS library to abort the calling process. (bsc#1061066 bsc#1087018)
- Fixed a local privilege escalation to root and sandbox bypasses in the
  scheduler
- CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend
  (bsc#1096405)
- CVE-2018-4181: Limited local file reads as root via cupsd.conf include
  directive (bsc#1096406)
- CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling
  (bsc#1096407)
- CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration
  (bsc#1096408)

The following other issue was fixed:

- Fixed authorization check for clients (like samba) connected through the
  local socket when Kerberos authentication is enabled (bsc#1050082)
</description>
<summary>Security update for cups</summary>
</patchinfo>