
Bug#1083067: marked as done (cups: CVE-2024-47176 reports severe vulnerability in CUPS)



Your message dated Tue, 1 Oct 2024 17:41:43 +0000 (UTC)
with message-id <alpine.DEB.2.21.2410011739580.17571@postfach.intern.alteholz.me>
and subject line Re: cups: CVE-2024-47176 reports severe vulnerability in CUPS
has caused the Debian Bug report #1083067,
regarding cups: CVE-2024-47176 reports severe vulnerability in CUPS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1083067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083067
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---

Package: cups
Version: 2.4.10-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

From https://nvd.nist.gov/vuln/detail/CVE-2024-47176:

CUPS is a standards-based, open-source printing system, and
`cups-browsed` contains network printing functionality including, but
not limited to, auto-discovering print services and shared
printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to
trust any packet from any source, and can cause the
`Get-Printer-Attributes` IPP request to an attacker controlled
URL. Due to the service binding to `*:631 ( INADDR_ANY )`, multiple
bugs in `cups-browsed` can be exploited in sequence to introduce a
malicious printer to the system. This chain of exploits ultimately
enables an attacker to execute arbitrary commands remotely on the
target machine without authentication when a print job is
started. This poses a significant security risk over the
network. Notably, this vulnerability is particularly concerning as it
can be exploited from the public internet, potentially exposing a vast
number of systems to remote attacks if their CUPS services are
enabled.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.11-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups depends on:
ii  cups-client            2.4.10-1
ii  cups-common            2.4.10-1
ii  cups-core-drivers      2.4.10-1
ii  cups-daemon            2.4.10-1
ii  cups-filters           1.28.17-4.1+b1
ii  cups-ppdc              2.4.10-1
ii  cups-server-common     2.4.10-1
ii  debconf [debconf-2.0]  1.5.87
ii  ghostscript            10.04.0~dfsg-1
ii  libavahi-client3       0.8-13+b2
ii  libavahi-common3       0.8-13+b2
ii  libc6                  2.40-2
ii  libcups2t64            2.4.10-1
ii  libgcc-s1              14.2.0-3
ii  libstdc++6             14.2.0-3
ii  libusb-1.0-0           2:1.0.27-1
ii  poppler-utils          24.08.0-2
ii  procps                 2:4.0.4-5

Versions of packages cups recommends:
ii  avahi-daemon  0.8-13+b2
ii  colord        1.4.7-1+b1

Versions of packages cups suggests:
ii  cups-bsd                            2.4.10-1
ii  foomatic-db                         20230202-1
ii  printer-driver-cups-pdf [cups-pdf]  3.0.1-18
ii  smbclient                           2:4.21.0+dfsg-1
ii  udev                                256.6-1

-- debconf information:
  cupsys/backend: lpd, socket, usb, snmp, dnssd
  cupsys/raw-print: true

--
Ron Murray
Systems Administrator,
Enterprise Messaging/Security,
Massachusetts Department of Revenue
(617) 655-3296
PGP Fingerprint:  5A26 A211 68D9 E5AA 176A 1AA3 7A89 5E0B 040A 7431

--- End Message ---
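Added example, not part of the bug report or of the cups package: two offline checks for the exposure the quoted NVD text describes, namely cups-browsed listening on UDP 631 on INADDR_ANY. It assumes that the legacy "cups" value of the BrowseRemoteProtocols directive in cups-browsed.conf is what opens that UDP browse socket, that an absent directive means the upstream default "dnssd cups", and it uses constructed sample inputs so it runs without a printing stack installed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the cups package.
# Two offline checks for the exposure the CVE text describes: cups-browsed's
# legacy "cups" browse protocol is what makes it bind UDP 631 on INADDR_ANY.

# Read a cups-browsed.conf on stdin; return 0 if the legacy CUPS browse
# protocol is enabled, 1 otherwise. The last uncommented directive wins; an
# absent directive is treated as the upstream default "dnssd cups" (assumption).
browse_cups_enabled() {
    protocols=$(sed -n 's/^[[:space:]]*BrowseRemoteProtocols[[:space:]][[:space:]]*//p' | tail -n 1)
    [ -z "$protocols" ] && protocols="dnssd cups"
    protocols=$(printf '%s' "$protocols" | tr '[:upper:]' '[:lower:]')
    case " $protocols " in
        *" cups "*) return 0 ;;   # UDP 631 browse socket will be opened
        *)          return 1 ;;   # "dnssd" or "none": no UDP browse socket
    esac
}

# Read "ss -ulnp"-style output on stdin; return 0 if a UDP socket is bound
# to port 631 on a wildcard address (0.0.0.0, * or [::]), i.e. INADDR_ANY.
udp631_wildcard_listener() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^(0\.0\.0\.0|\*|\[::\]):631$/) found = 1 }
         END { exit(found ? 0 : 1) }'
}

# Constructed sample inputs (not captured from a real host).
DEFAULT_CONF='# cups-browsed.conf as shipped (constructed)
BrowseRemoteProtocols dnssd cups'
HARDENED_CONF='# same file with legacy CUPS browsing switched off
BrowseRemoteProtocols dnssd'
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=842,fd=7))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=611,fd=5))'

# Demo on the constructed inputs. On a live host run instead:
#   browse_cups_enabled < /etc/cups/cups-browsed.conf
#   ss -ulnp | udp631_wildcard_listener
if printf '%s\n' "$DEFAULT_CONF" | browse_cups_enabled; then
    echo "shipped config: legacy CUPS browsing on, UDP 631 bound on all interfaces"
fi
if ! printf '%s\n' "$HARDENED_CONF" | browse_cups_enabled; then
    echo "hardened config: legacy CUPS browsing off"
fi
if printf '%s\n' "$SAMPLE_SS" | udp631_wildcard_listener; then
    echo "sample ss output: wildcard UDP 631 listener present"
fi
```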
--- Begin Message ---
Hi,

I am sorry, but I am not sure what makes you think that the Debian package cups is affected by CVE-2024-47176.
At least your provided link does not show anything at all in this regard.
So I am closing this bug again.


  Thorsten

--- End Message ---
