diff -up cups-1.6.3/scheduler/client.c.CVE-2014-3537 cups-1.6.3/scheduler/client.c
--- cups-1.6.3/scheduler/client.c.CVE-2014-3537	2014-09-02 11:30:50.021384781 +0100
+++ cups-1.6.3/scheduler/client.c	2014-09-02 11:31:00.606440125 +0100
@@ -3197,7 +3197,7 @@ get_file(cupsd_client_t *con,		/* I  - C
     if ((ptr = strchr(filename, '?')) != NULL)
       *ptr = '\0';
 
-    if ((status = stat(filename, filestats)) != 0)
+    if ((status = lstat(filename, filestats)) != 0)
     {
      /*
       * Drop the language prefix and try the root directory...
@@ -3209,12 +3209,33 @@ get_file(cupsd_client_t *con,		/* I  - C
       if ((ptr = strchr(filename, '?')) != NULL)
 	*ptr = '\0';
 
-      status = stat(filename, filestats);
+      status = lstat(filename, filestats);
     }
   }
 
+  /*
+   * If we've found a symlink, 404 the sucker to avoid disclosing information.
+   */
+ 
+  if (!status && S_ISLNK(filestats->st_mode))
+  {
+    cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
+    return (NULL);
+  }
+
+ /*
+  * Similarly, if the file/directory does not have world read permissions, do
+  * not allow access...
+  */
+
+  if (!status && !(filestats->st_mode & S_IROTH))
+  {
+    cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
+    return (NULL);
+  }
+
  /*
-  * If we're found a directory, get the index.html file instead...
+  * If we've found a directory, get the index.html file instead...
   */
 
   if (!status && S_ISDIR(filestats->st_mode))