Source: cups-filters
Version: 1.28.17-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for cups-filters.

CVE-2024-47176[0]:
| CUPS is a standards-based, open-source printing system, and `cups-
| browsed` contains network printing functionality including, but not
| limited to, auto-discovering print services and shared printers.
| `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any
| packet from any source, and can cause the `Get-Printer-Attributes`
| IPP request to an attacker-controlled URL.  Due to the service
| binding to `*:631 (INADDR_ANY)`, multiple bugs in `cups-browsed`
| can be exploited in sequence to introduce a malicious printer to the
| system. This chain of exploits ultimately enables an attacker to
| execute arbitrary commands remotely on the target machine without
| authentication when a print job is started. This poses a significant
| security risk over the network. Notably, this vulnerability is
| particularly concerning as it can be exploited from the public
| internet, potentially exposing a vast number of systems to remote
| attacks if their CUPS services are enabled.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47176
    https://www.cve.org/CVERecord?id=CVE-2024-47176
[1] https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
[2] https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c37e0aa928559add4abcc95ce54aa2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
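A quick host check for the exposure the advisory describes (cups-browsed bound to all interfaces on port 631), added here as an example and not part of the bug report or of the cups-browsed project; it parses `ss -ulnp`-style output, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the Debian bug report): report whether a
# cups-browsed socket is bound to all interfaces on UDP 631, the
# exposure described in CVE-2024-47176.
# Reads `ss -ulnp`-style lines on stdin; exit 0 if exposed, 1 if not.
# Note: `ss -p` only shows process names when run as root.
cups_browsed_exposed() {
    # Local address column of 0.0.0.0:631, *:631 or [::]:631, and
    # the cups-browsed process named on the same line.
    grep -E '(0\.0\.0\.0|\*|\[::\]):631[[:space:]]' | grep -q 'cups-browsed'
}

# Constructed sample output in the format of `ss -ulnp` (not real data).
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*    users:(("cups-browsed",pid=1234,fd=7))'

SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0          127.0.0.1:631       0.0.0.0:*    users:(("cups-browsed",pid=1234,fd=7))'

# Run the check against one sample string.
check_sample() { printf '%s\n' "$1" | cups_browsed_exposed; }

# On a live host: ss -ulnp | cups_browsed_exposed && echo "cups-browsed exposed on UDP 631"
```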
