libcupsfilters, libppd, cups-filters 2.1.0 releases
Quick 2.1.0 releases containing fixes for the recently reported CVEs.
tillkamppeter committed Oct 19, 2024
1 parent 63924e5 commit 61bf1be
Showing 1 changed file with 54 additions and 0 deletions.
@@ -0,0 +1,54 @@
---
title: libcupsfilters, libppd, cups-filters - 2.1.0 Releases including vulnerability fixes
layout: single
author: Till
excerpt: All available fixes of recent RCE execution vulnerability and DoD vulnerability CVEs included, and also support for libcups3.
---
These releases, skipping the beta phases, are quick releases after having fixed most of the security bugs making up a Remote Code Execution (RCE) vulnerability reported some weeks ago and a DoS vulnerability reported somewhat later. I had posted [in detail here](/OpenPrinting-News-Flash-cups-browsed-Remote-Code-Execution-vulnerability/).

The fixes provided by these releases are sufficient to prevent the described exploits, but there is still the bug of arbitrary command lines being allowed to be used by foomatic-rip, [CVE-2024-47177](https://www.cve.org/CVERecord?id=CVE-2024-47177), which will get fixed in both the 1.x and 2.x branches of cups-filters in the next days. cups-filters 1.29.0 and 2.1.0 will get released once this fix is in place.

### Contained security fixes

**libcupsfilters**
- [CVE-2024-47076](https://www.cve.org/CVERecord?id=CVE-2024-47076): `cfGetPrinterAttributes5()` does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system ([GHSA](https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5))

[Fix](https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3)

**libppd**
- [CVE-2024-47175](https://www.cve.org/CVERecord?id=CVE-2024-47175): `ppdCreatePPDFromIPP2()` does not validate or sanitize the IPP attributes when writing them to the PPD file, allowing the injection of attacker-controlled data into the resulting PPD ([GHSA](https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6))

[Fix](https://github.com/OpenPrinting/libppd/commit/d681747ebf)

**cups-browsed**
- [CVE-2024-47176](https://www.cve.org/CVERecord?id=CVE-2024-47176): cups-browsed binds on `UDP INADDR_ANY:631` trusting any packet from any source to trigger a `get-printer-attributes` IPP request to an attacker-controlled URL ([GHSA](https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8))
- [CVE-2024-47850](https://www.cve.org/CVERecord?id=CVE-2024-47850): cups-browsed (before 2.5b1?) will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added. The request is meant to probe the new printer but can be used to create DDoS amplification attacks (on non-printer devices). This is a different vulnerability than CVE-2024-47176 but the remedy is the same, turning off or removing legacy CUPS browsing support in cups-browsed ([GHSA](https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-rq86-c7g6-r2h8))

[Preliminary fix turning off CUPS browsing in configuration file](https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c), [Final fix removing CUPS browsing and LDAP support](https://github.com/OpenPrinting/cups-browsed/commit/1d1072a0de5)

### New features since 2.0.0

**libcupsfilters**
- Support for building with [libcups3](https://github.com/openprinting/libcups), CUPS library of CUPS 3.x.
- Support for building with libcups of CUPS 2.5.x (Issue [#36](https://github.com/OpenPrinting/libcupsfilters/pull/36))
- CI/build/unit testing of filter functions using a table of test cases, each with input file, input and output formats, option settings, allows especially to create regression test cases based on reported bugs
- Convert `INSTALL` to `INSTALL.md`
(Pull request [#45](https://github.com/OpenPrinting/libcupsfilters/pull/45))
- Add GitHub workflow for Canonical Open Documentation Academy
OpenPrinting is participating in Canonical's [Open Documentation Academy](https://github.com/canonical/open-documentation-academy/), as an organization in need of documentation. The workflow is still experimental and serves for auto-forwarding documentation-related issues.

**libppd**
- Support for building with [libcups3](https://github.com/openprinting/libcups), CUPS library of CUPS 3.x
(Pull request [#27](https://github.com/OpenPrinting/libppd/pull/27))
- Convert `INSTALL` to `INSTALL.md`
(Pull request [#34](https://github.com/OpenPrinting/libppd/pull/34))

**cups-browsed**
- Removed support for legacy CUPS browsing and for LDAP
Legacy CUPS browsing is not needed any more and, our implementation accepting any UDP packet on port 631, causes vulnerabilities, and our LDAP support does not comply with RFC 7612 and is therefore limited. Fixes CVE-2024-47176 and CVE-2024-47850 as mentioned [above](#contained-security-fixes)

### Packages

- **libcupsfilters: [More Details and Download](https://github.com/OpenPrinting/libcupsfilters/releases/tag/2.1.0), [Discussion](https://github.com/OpenPrinting/libcupsfilters/discussions/64)**
- **libppd: [More Details and Download](https://github.com/OpenPrinting/libppd/releases/tag/2.1.0), [Discussion](https://github.com/OpenPrinting/libppd/discussions/50)**
- **cups-browsed: [More Details and Download](https://github.com/OpenPrinting/cups-browsed/releases/tag/2.1.0), [Discussion](https://github.com/OpenPrinting/cups-browsed/discussions/46)**
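
Review bot: The front-matter `title` names cups-filters as one of the 2.1.0 releases, but the body contradicts it: the second paragraph says cups-filters 1.29.0 and 2.1.0 will only be released once the CVE-2024-47177 fix is in place, and both the security-fix list and the Packages section cover cups-browsed instead. Suggest changing the title to "libcupsfilters, libppd, cups-browsed" so readers do not assume the foomatic-rip fix has shipped. In the `excerpt`, "DoD vulnerability" should read "DoS vulnerability" (the body uses DoS), and "RCE execution vulnerability" repeats "execution". The CVE-2024-47850 entry still carries the unresolved "(before 2.5b1?)"; confirm the affected version bound or drop the parenthetical before publishing. Under libcupsfilters new features, the link labelled "Issue #36" points at `/pull/36`, so either the label or the URL needs correcting. The last cups-browsed bullet would read better split in two: one sentence for why legacy CUPS browsing was removed and one for the LDAP limitation.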
