diff -up cups-1.6.3/scheduler/client.c.CVE-2014-3537 cups-1.6.3/scheduler/client.c

--- cups-1.6.3/scheduler/client.c.CVE-2014-3537	2014-09-02 11:30:50.021384781 +0100

+++ cups-1.6.3/scheduler/client.c	2014-09-02 11:31:00.606440125 +0100

@@ -3197,7 +3197,7 @@ get_file(cupsd_client_t *con,		/* I  - C

     if ((ptr = strchr(filename, '?')) != NULL)

       *ptr = '\0';

-    if ((status = stat(filename, filestats)) != 0)

+    if ((status = lstat(filename, filestats)) != 0)

     {

      /*

       * Drop the language prefix and try the root directory...

@@ -3209,12 +3209,33 @@ get_file(cupsd_client_t *con,		/* I  - C

       if ((ptr = strchr(filename, '?')) != NULL)

 	*ptr = '\0';

-      status = stat(filename, filestats);

+      status = lstat(filename, filestats);

     }

   }

+  /*

+   * If we've found a symlink, 404 the sucker to avoid disclosing information.

+   */

+ 

+  if (!status && S_ISLNK(filestats->st_mode))

+  {

+    cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);

+    return (NULL);

+  }

+

+ /*

+  * Similarly, if the file/directory does not have world read permissions, do

+  * not allow access...

+  */

+

+  if (!status && !(filestats->st_mode & S_IROTH))

+  {

+    cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);

+    return (NULL);

+  }

+

  /*

-  * If we're found a directory, get the index.html file instead...

+  * If we've found a directory, get the index.html file instead...

   */

   if (!status && S_ISDIR(filestats->st_mode))