Bug#1082822: cups-filters: CVE-2024-47177
Hi,

On Fri, Sep 27, 2024 at 07:37:03AM +0200, Salvatore Bonaccorso wrote:
> Source: cups-filters
> Version: 1.28.17-3
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for cups-filters.
>
> CVE-2024-47177[0]:
> | CUPS is a standards-based, open-source printing system, and cups-
> | filters provides backends, filters, and other software for CUPS 2.x
> | to use on non-Mac OS systems. Any value passed to
> | `FoomaticRIPCommandLine` via a PPD file will be executed as a user
> | controlled command. When combined with other logic bugs as described
> | in CVE-2024-47176, this can lead to remote command execution.
>
> No fix from upstream yet on this one.

My understanding is that this one will actually likely not be addressed,
and I am lowering the severity.

Basically one can argue that once CVE-2024-47076, CVE-2024-47175 and
CVE-2024-47176 are fixed, the impact of this CVE is mitigated as well.

I will add this clarifying note as well to the tracker.

Regards,
Salvatore
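
Since no upstream fix is expected for this CVE, an administrator may want to know which installed print queues carry a `FoomaticRIPCommandLine` value at all. The following audit sketch is an added example, not part of the original message or of cups-filters; the directory `/etc/cups/ppd`, the function names and the sample PPD are assumptions made for illustration.

```python
import re
from pathlib import Path

# A PPD main keyword with a quoted value; the value may span several lines.
_QUOTED = re.compile(r'^\*(\w+)\s*:\s*"(.*?)"', re.M | re.S)


def audit_ppd(text):
    """Return the FoomaticRIPCommandLine values found in a PPD and whether
    a cupsFilter/cupsFilter2 entry routes jobs through foomatic-rip."""
    commands, uses_foomatic = [], False
    for key, value in _QUOTED.findall(text):
        if key == "FoomaticRIPCommandLine":
            # Foomatic PPDs wrap long values with "&&" at the end of a line.
            commands.append(" ".join(value.replace("&&\n", "").split()))
        elif key in ("cupsFilter", "cupsFilter2"):
            fields = value.split()
            # The last field of a cupsFilter entry is the filter program.
            uses_foomatic |= bool(fields) and fields[-1].endswith("foomatic-rip")
    return {"commands": commands, "uses_foomatic_rip": uses_foomatic}


def audit_dir(ppd_dir="/etc/cups/ppd"):
    """Audit every *.ppd in ppd_dir (assumed default location of queue PPDs)
    and return only the files that define FoomaticRIPCommandLine."""
    findings = {}
    for path in sorted(Path(ppd_dir).glob("*.ppd")):
        result = audit_ppd(path.read_text(errors="replace"))
        if result["commands"]:
            findings[str(path)] = result
    return findings


# Constructed sample PPD fragment (benign command line, wrapped with "&&").
SAMPLE_PPD = '''*PPD-Adobe: "4.3"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -sDEVICE=ps&&
write -sOutputFile=- -"
'''

if __name__ == "__main__":
    print(audit_ppd(SAMPLE_PPD))
    for ppd, result in audit_dir().items():
        print(ppd, result)
```

Any queue reported here that was not created by an administrator, for example one added through printer auto-discovery, deserves a closer look at the reported command line.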