Description
In CUPS before 1.7.4, a local user with privileges of group=lp can write
symbolic links in the rss directory and use that to gain '@SYSTEM' group
privilege with cupsd (CVE-2014-3537).
It was discovered that the web interface in CUPS incorrectly validated
permissions on rss files and directory index files. A local attacker could
possibly use this issue to bypass file permissions and read arbitrary files,
possibly leading to a privilege escalation (CVE-2014-5029, CVE-2014-5030,
CVE-2014-5031).