libcupsfilters, libppd, cups-browsed - 2.1.0 Releases including vulnerability fixes


These releases skip the beta phases. They are quick releases made after fixing most of the security bugs that make up a Remote Code Execution (RCE) vulnerability reported some weeks ago and a DoS vulnerability reported somewhat later. I had posted in detail here.

The fixes provided by these releases are sufficient to prevent the described exploits, but one bug remains: foomatic-rip still allows arbitrary command lines to be used (CVE-2024-47177). This will get fixed in both the 1.x and 2.x branches of cups-filters in the next few days. cups-filters 1.29.0 and 2.1.0 will get released once this fix is in place.

Contained security fixes

libcupsfilters

  • CVE-2024-47076: cfGetPrinterAttributes5() does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system (GHSA)

Fix

libppd

  • CVE-2024-47175: ppdCreatePPDFromIPP2() does not validate or sanitize the IPP attributes when writing them to the PPD file, allowing the injection of attacker-controlled data into the resulting PPD (GHSA)

Fix

cups-browsed

  • CVE-2024-47176: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a get-printer-attributes IPP request to an attacker-controlled URL (GHSA)
  • CVE-2024-47850: cups-browsed (before 2.5b1?) will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added. The request is meant to probe the new printer but can be used to create DDoS amplification attacks (on non-printer devices). This is a different vulnerability than CVE-2024-47176 but the remedy is the same, turning off or removing legacy CUPS browsing support in cups-browsed (GHSA)

Preliminary fix turning off CUPS browsing in configuration file
Final fix removing CUPS browsing and LDAP support
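
A configuration audit for the preliminary fix above, as an added example (not code from OpenPrinting or from this post). It assumes the protocol list is set in cups-browsed.conf by the `BrowseRemoteProtocols` or `BrowseProtocols` directive, that `#` starts a comment, and that a later directive overrides an earlier one; the sample configurations are constructed.

```python
import re

# Protocols whose support the final fix removes from cups-browsed.
LEGACY = {"cups", "ldap"}
# Assumption: these cups-browsed.conf directives set the remote discovery
# protocols (BrowseProtocols sets the local and the remote list at once).
DIRECTIVES = {"browseremoteprotocols", "browseprotocols"}


def legacy_remote_protocols(conf_text):
    """Return the legacy protocols enabled by the effective directive.

    Returns a sorted list (empty when only non-legacy protocols or "none"
    are configured), or None when no directive is present and the
    build-time default applies.
    """
    effective = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = re.split(r"[\s,]+", line)
        if tokens[0].lower() in DIRECTIVES:
            # Assumption: a later directive overrides an earlier one.
            effective = sorted(LEGACY & {t.lower() for t in tokens[1:]})
    return effective


# Constructed sample configurations, not taken from any real host.
SAMPLE_VULNERABLE = """\
# cups-browsed.conf (constructed sample)
BrowseRemoteProtocols dnssd cups
"""
SAMPLE_FIXED = """\
BrowseRemoteProtocols dnssd cups
# override after applying the preliminary fix
browseremoteprotocols dnssd
"""

if __name__ == "__main__":
    for name, text in [("vulnerable", SAMPLE_VULNERABLE),
                       ("fixed", SAMPLE_FIXED)]:
        print(name, legacy_remote_protocols(text))
```

A `None` result means the file does not decide the question, so the packaged default has to be checked separately.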

New features since 2.0.0

libcupsfilters

  • Support for building with libcups3, CUPS library of CUPS 3.x.
  • Support for building with libcups of CUPS 2.5.x (Issue #36)
  • CI/build/unit testing of filter functions using a table of test cases, each with input file, input and output formats, and option settings. This especially allows creating regression test cases based on reported bugs
  • Convert INSTALL to INSTALL.md (Pull request #45)
  • Add GitHub workflow for Canonical Open Documentation Academy: OpenPrinting is participating in Canonical’s Open Documentation Academy as an organization in need of documentation. The workflow is still experimental and serves for auto-forwarding documentation-related issues.

libppd

  • Support for building with libcups3, CUPS library of CUPS 3.x (Pull request #27)
  • Convert INSTALL to INSTALL.md (Pull request #34)

cups-browsed

  • Removed support for legacy CUPS browsing and for LDAP: Legacy CUPS browsing is not needed any more and our implementation, accepting any UDP packet on port 631, causes vulnerabilities; our LDAP support does not comply with RFC 7612 and is therefore limited. Fixes CVE-2024-47176 and CVE-2024-47850 as mentioned above

Packages
