Your message dated Fri, 27 Sep 2024 17:19:00 +0000
with message-id <E1suEcO-00FQFV-OL@fasolo.debian.org>
and subject line Bug#1082827: fixed in cups-filters 1.28.17-5
has caused the Debian Bug report #1082827,
regarding cups-filters: CVE-2024-47076
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1082827: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082827
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libcupsfilters: CVE-2024-47076
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Fri, 27 Sep 2024 07:30:03 +0200
- Message-id: <172741500336.1429837.730498982617998716.reportbug@eldamar.lan>

Source: libcupsfilters
Version: 2.0.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for libcupsfilters.

CVE-2024-47076[0]:
| CUPS is a standards-based, open-source printing system, and
| `libcupsfilters` contains the code of the filters of the former
| `cups-filters` package as library functions to be used for the data
| format conversion tasks needed in Printer Applications. The
| `cfGetPrinterAttributes5` function in `libcupsfilters` does not
| sanitize IPP attributes returned from an IPP server. When these IPP
| attributes are used, for instance, to generate a PPD file, this can
| lead to attacker controlled data to be provided to the rest of the
| CUPS system.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47076
    https://www.cve.org/CVERecord?id=CVE-2024-47076
[1] https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
[2] https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
[3] https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3d20c109332d14672a807353cdc551018

Regards,
Salvatore
--- End Message ---
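
The validation step the CVE description says is missing, sketched as an added example (not the upstream libcupsfilters patch and not Debian's code): every attribute value in a response is checked against its declared syntax, and the whole response is rejected if one fails. The attr_t type, the function names, the text policy and the sample data are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a decoded IPP attribute (not libcups' type). */
typedef enum { SYN_KEYWORD, SYN_TEXT } syntax_t;
typedef struct { const char *name; syntax_t syntax; const char *value; } attr_t;

/* IPP 'keyword' syntax (RFC 8011): 1..255 octets, first a lowercase
 * letter, then only a-z, 0-9, '-', '.', '_'. */
static bool keyword_ok(const char *s)
{
    static const char allowed[] = "abcdefghijklmnopqrstuvwxyz0123456789-._";
    size_t len = strlen(s);
    return len >= 1 && len <= 255 && s[0] >= 'a' && s[0] <= 'z' &&
           strspn(s, allowed) == len;
}

/* Assumed policy for text destined for a one-line quoted PPD value:
 * at most 1023 octets, no control characters, DEL or double quote. */
static bool text_ok(const char *s)
{
    if (strlen(s) > 1023) return false;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p < 0x20 || *p == 0x7f || *p == '"')
            return false;
    return true;
}

/* Index of the first attribute that fails, or n if all pass; the caller
 * discards the whole response unless the result equals n. */
size_t first_invalid(const attr_t *attrs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!(attrs[i].syntax == SYN_KEYWORD ? keyword_ok(attrs[i].value)
                                             : text_ok(attrs[i].value)))
            return i;
    return n;
}

/* Constructed sample responses, not captured traffic. */
const attr_t good_response[] = {
    { "printer-make-and-model", SYN_TEXT, "Example Printer 1000" },
    { "media-default", SYN_KEYWORD, "iso_a4_210x297mm" } };
const attr_t bad_response[] = {
    { "media-default", SYN_KEYWORD, "iso_a4_210x297mm" },
    { "printer-make-and-model", SYN_TEXT, "Example\"\nsecond line" } };

int main(void) { return first_invalid(bad_response, 2) == 1 ? 0 : 1; }
```
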
--- Begin Message ---
- To: 1082827-close@bugs.debian.org
- Subject: Bug#1082827: fixed in cups-filters 1.28.17-5
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Fri, 27 Sep 2024 17:19:00 +0000
- Message-id: <E1suEcO-00FQFV-OL@fasolo.debian.org>
- Reply-to: Thorsten Alteholz <debian@alteholz.de>

Source: cups-filters
Source-Version: 1.28.17-5
Done: Thorsten Alteholz <debian@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
cups-filters, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1082827@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated cups-filters package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 26 Sep 2024 23:45:05 +0200
Source: cups-filters
Architecture: source
Version: 1.28.17-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Closes: 1082820 1082827
Changes:
 cups-filters (1.28.17-5) unstable; urgency=medium
 .
   * CVE-2024-47076 (Closes: #1082827)
     cfGetPrinterAttributes5(): Validate response attributes before return
   * CVE-2024-47176 (Closes: #1082820)
     Default BrowseRemoteProtocols should not include "cups" protocol
--- End Message ---