A vulnerability was reported in the setuid "lppasswd" binary from cups, which could allow an attacker to extract data from arbitrary files. The issue is that, to find out the name of the current user, systemv/lppasswd.c calls cupsUser() in cups/usersys.c, which in turn calls _cupsSetDefaults(), a function that is not designed to be used in setuid code. Later, when lppasswd has found out that the user does not have an entry in the password file, it shows an error message that leaks the username from the config. This means that an unprivileged user can use the lppasswd binary to extract data from arbitrary files as long as it appears to be a "user" configuration directive.

References:
http://www.cups.org/str.php?L4319

Patch:
http://www.cups.org/strfiles.php/3230/str4319.patch

The lppasswd binary has not had the suid bit set on it since Red Hat Enterprise Linux 4, so this flaw is not exploitable on any recent Fedora or Red Hat Enterprise Linux releases.

Statement:

Not vulnerable. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 5 and 6 as they did not ship with an suid-root lppasswd binary.
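
Exposure to this flaw depends on lppasswd carrying the setuid bit, so the following script, added here as an example and not taken from CUPS or Red Hat, checks a host for that condition. The function names are hypothetical and the default directory list is an assumption; pass your own directories as arguments to audit_lppasswd.

```shell
#!/bin/sh
# Added example: report whether any installed lppasswd is setuid.

# True if the path is a regular file with the setuid permission bit set.
has_setuid_bit() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Print the numeric uid of the file's owner (third field of ls -ln output).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Print one of: missing, not-setuid, setuid-root, setuid-nonroot.
classify() {
    if [ ! -e "$1" ]; then
        echo missing
    elif ! has_setuid_bit "$1"; then
        echo not-setuid
    elif [ "$(owner_uid "$1")" = "0" ]; then
        echo setuid-root
    else
        echo setuid-nonroot
    fi
}

# Check lppasswd in each directory given as an argument.
# The default directory list is an assumption; adjust it for your system.
# Returns 1 if any copy is setuid, 0 otherwise.
audit_lppasswd() {
    [ "$#" -gt 0 ] || set -- /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
    found=0
    for dir in "$@"; do
        state=$(classify "$dir/lppasswd")
        [ "$state" = missing ] && continue
        echo "$dir/lppasswd: $state"
        case $state in setuid-*) found=1 ;; esac
    done
    return "$found"
}

audit_lppasswd || echo "setuid lppasswd found; check its CUPS version against the advisory" >&2
```

A result of setuid-root is the configuration the report describes; not-setuid matches the Red Hat Enterprise Linux 5 and 6 packaging described in the statement above.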