Hi,

On Fri, Sep 27, 2024 at 07:37:03AM +0200, Salvatore Bonaccorso wrote:
> Source: cups-filters
> Version: 1.28.17-3
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for cups-filters.
>
> CVE-2024-47177[0]:
> | CUPS is a standards-based, open-source printing system, and cups-
> | filters provides backends, filters, and other software for CUPS 2.x
> | to use on non-Mac OS systems. Any value passed to
> | `FoomaticRIPCommandLine` via a PPD file will be executed as a user
> | controlled command. When combined with other logic bugs as described
> | in CVE_2024-47176, this can lead to remote command execution.
>
> No fix from upstream yet on this one.

This one will actually likely not be addressed is my understanding, and
I am lowering the severity. Basically one can argue, that once
CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176 are fixed, the impact
of this CVE is mitigated as well.

I will add this clarifying note as well to the tracker.

Regards,
Salvatore
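
Added example, not part of the original message and not code from cups-filters: since the directive quoted above stays unfixed, an administrator can list what each installed PPD hands to `FoomaticRIPCommandLine`. The allow-list, the chaining heuristic and both sample PPDs are constructed assumptions; the `&&` end-of-line continuation is the one Foomatic PPDs use for long values.

```python
import re
import shlex

# Assumption: programs this site expects a Foomatic command line to start with.
EXPECTED_FIRST_TOKENS = {"gs", "foomatic-gswrapper"}
# Heuristic: characters that chain or substitute further shell commands.
SHELL_CHAINING = re.compile(r"[;|&`]|\$\(")
DIRECTIVE = re.compile(r'^\*FoomaticRIPCommandLine:\s*"', re.MULTILINE)

# Constructed sample PPD fragments (not taken from any real driver).
SAMPLE_OK = '''*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dNOPA&&
USE -sDEVICE=pxlmono -sOutputFile=- -"
*End
'''
SAMPLE_ODD = '''*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "echo constructed-placeholder; true"
*End
'''

def extract_command_lines(ppd_text):
    """Return every FoomaticRIPCommandLine value, joining multi-line values."""
    values = []
    for match in DIRECTIVE.finditer(ppd_text):
        end = ppd_text.find('"', match.end())
        if end == -1:  # unterminated value: read to end of file
            end = len(ppd_text)
        raw = ppd_text[match.end():end]
        values.append(raw.replace("&&\r\n", "").replace("&&\n", "").strip())
    return values

def review(ppd_text):
    """Return (command, reasons) pairs; an empty reasons list means nothing flagged."""
    findings = []
    for cmd in extract_command_lines(ppd_text):
        reasons = []
        try:
            tokens = shlex.split(cmd)
        except ValueError:
            tokens = cmd.split()
            reasons.append("unbalanced quoting")
        first = tokens[0] if tokens else ""
        if first not in EXPECTED_FIRST_TOKENS:
            reasons.append(f"unexpected program {first!r}")
        if SHELL_CHAINING.search(cmd):
            reasons.append("shell chaining or substitution")
        findings.append((cmd, reasons))
    return findings

if __name__ == "__main__":
    for name, text in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_ODD", SAMPLE_ODD)):
        print(name, review(text))
```

A flagged entry is a prompt for manual review, not a verdict: the allow-list has to be adapted to the drivers actually installed.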