Bug#1082822: cups-filters: CVE-2024-47177

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1082822: cups-filters: CVE-2024-47177
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 27 Sep 2024 07:37:03 +0200
Message-id: <[🔎] 172741542366.1430920.14544166057858853331.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1082822@bugs.debian.org

Source: cups-filters
Version: 1.28.17-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for cups-filters.

CVE-2024-47177[0]:
| CUPS is a standards-based, open-source printing system, and cups-
| filters provides backends, filters, and other software for CUPS 2.x
| to use on non-Mac OS systems. Any value passed to
| `FoomaticRIPCommandLine` via a PPD file will be executed as a user
| controlled command. When combined with other logic bugs as described
| in CVE_2024-47176, this can lead to remote command execution.

No fix from upstream yet on this one.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47177
    https://www.cve.org/CVERecord?id=CVE-2024-47177
[1] https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#1082822: cups-filters: CVE-2024-47177
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#1082821: libcupsfilters: CVE-2024-47076
Next by Date: Processed: cloning 1082821, reassign -1 to src:cups-filters, retitle -1 to cups-filters: CVE-2024-47076
Previous by thread: Bug#1082827: marked as done (cups-filters: CVE-2024-47076)
Next by thread: Bug#1082822: cups-filters: CVE-2024-47177
Index(es):
- Date
- Thread