Bug#1083067: marked as done (cups: CVE-2024-47176 reports severe vulnerability in CUPS)

To: Thorsten Alteholz <debian@alteholz.de>

Subject: Bug#1083067: marked as done (cups: CVE-2024-47176 reports severe vulnerability in CUPS)

From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Date: Sun, 06 Oct 2024 16:33:07 +0000

Message-id: <[🔎] handler.1083067.D1082820.17282323613280520.ackdone@bugs.debian.org>

References: <E1sxUBS-00CpfD-2q@fasolo.debian.org> <BLAPR09MB73952C987F364817FE6A5F30A2762@BLAPR09MB7395.namprd09.prod.outlook.com>

Your message dated Sun, 06 Oct 2024 16:32:38 +0000 with message-id <E1sxUBS-00CpfD-2q@fasolo.debian.org> and subject line Bug#1082820: fixed in cups-filters 1.28.17-3+deb12u1 has caused the Debian Bug report #1082820, regarding cups: CVE-2024-47176 reports severe vulnerability in CUPS to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1082820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082820 Debian Bug Tracking System Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: "rjmx@rjmx.net" <rjmx@rjmx.net>
Subject: cups: CVE-2024-47176 reports severe vulnerability in CUPS
From: "Murray, Ronald-1 (A&F)" <murrayr@dor.state.ma.us>
Date: Mon, 30 Sep 2024 21:25:47 +0000
Message-id: <BLAPR09MB73952C987F364817FE6A5F30A2762@BLAPR09MB7395.namprd09.prod.outlook.com>

Package: cups

Version: 2.4.10-1

Severity: grave

Tags: security

Justification: user security hole

X-Debbugs-Cc: Debian Security Team team@security.debian.org

From https://nvd.nist.gov/vuln/detail/CVE-2024-47176:

CUPS is a standards-based, open-source printing system, and

`cups-browsed` contains network printing functionality including, but

not limited to, auto-discovering print services and shared

printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to

trust any packet from any source, and can cause the

`Get-Printer-Attributes` IPP request to an attacker controlled

URL. Due to the service binding to `*:631 ( INADDR_ANY )`, multiple

bugs in `cups-browsed` can be exploited in sequence to introduce a

malicious printer to the system. This chain of exploits ultimately

enables an attacker to execute arbitrary commands remotely on the

target machine without authentication when a print job is

started. This poses a significant security risk over the

network. Notably, this vulnerability is particularly concerning as it

can be exploited from the public internet, potentially exposing a vast

number of systems to remote attacks if their CUPS services are

enabled.

-- System Information:

Debian Release: trixie/sid

APT prefers testing

APT policy: (500, 'testing')

Architecture: amd64 (x86_64)

Kernel: Linux 6.10.11-amd64 (SMP w/4 CPU threads; PREEMPT)

Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set

Shell: /bin/sh linked to /usr/bin/dash

Init: systemd (via /run/systemd/system)

LSM: AppArmor: enabled

Versions of packages cups depends on:

ii cups-client 2.4.10-1

ii cups-common 2.4.10-1

ii cups-core-drivers 2.4.10-1

ii cups-daemon 2.4.10-1

ii cups-filters 1.28.17-4.1+b1

ii cups-ppdc 2.4.10-1

ii cups-server-common 2.4.10-1

ii debconf [debconf-2.0] 1.5.87

ii ghostscript 10.04.0~dfsg-1

ii libavahi-client3 0.8-13+b2

ii libavahi-common3 0.8-13+b2

ii libc6 2.40-2

ii libcups2t64 2.4.10-1

ii libgcc-s1 14.2.0-3

ii libstdc++6 14.2.0-3

ii libusb-1.0-0 2:1.0.27-1

ii poppler-utils 24.08.0-2

ii procps 2:4.0.4-5

Versions of packages cups recommends:

ii avahi-daemon 0.8-13+b2

ii colord 1.4.7-1+b1

Versions of packages cups suggests:

ii cups-bsd 2.4.10-1

ii foomatic-db 20230202-1

ii printer-driver-cups-pdf [cups-pdf] 3.0.1-18

ii smbclient 2:4.21.0+dfsg-1

ii udev 256.6-1

-- debconf information:

cupsys/backend: lpd, socket, usb, snmp, dnssd

cupsys/raw-print: true

Ron Murray

Systems Administrator,

Enterprise Messaging/Security,

Massachusetts Department of Revenue

(617) 655-3296

PGP Fingerprint: 5A26 A211 68D9 E5AA 176A 1AA3 7A89 5E0B 040A 7431

This email and any attachments may contain information that has been classified as Confidential or Restricted if indicated as such. It is intended exclusively for the use of the individual(s) to whom it is addressed. If inappropriately disclosed, this information could seriously damage the mission, safety or integrity of an agency, its staff, or its constituents. This information may be protected by federal and state laws or regulations. Retransmission or forwarding of this email must only be done after receiving explicit written approval from the original sender of the email. The data must only be stored in encrypted format.

If you are not the intended recipient, you may not use, copy, distribute, or forward this message or contents to anyone. If you have received this email in error, please notify the sender immediately and delete the email from your email system.

--- End Message ---

--- Begin Message ---

To: 1082820-close@bugs.debian.org
Subject: Bug#1082820: fixed in cups-filters 1.28.17-3+deb12u1
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Sun, 06 Oct 2024 16:32:38 +0000
Message-id: <E1sxUBS-00CpfD-2q@fasolo.debian.org>
Reply-to: Thorsten Alteholz <debian@alteholz.de>

Source: cups-filters
Source-Version: 1.28.17-3+deb12u1
Done: Thorsten Alteholz <debian@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
cups-filters, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1082820@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated cups-filters package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 26 Sep 2024 23:45:05 +0200
Source: cups-filters
Architecture: source
Version: 1.28.17-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Closes: 1082820 1082827
Changes:
 cups-filters (1.28.17-3+deb12u1) bookworm-security; urgency=high
 .
   * CVE-2024-47076 (Closes: #1082827)
     cfGetPrinterAttributes5(): Validate response attributes before return
   * CVE-2024-47176 (Closes: #1082820)
     Default BrowseRemoteProtocols should not include "cups" protocol
Checksums-Sha1:
 69e84346802d34af037726e757d75907cf65aeb8 3013 cups-filters_1.28.17-3+deb12u1.dsc
 916cc1ebc2533a745b8a04233700d559ab91ed87 1511993 cups-filters_1.28.17.orig.tar.gz
 3150250b38d18b60b19f3b285c93aeae9ffc0c78 86864 cups-filters_1.28.17-3+deb12u1.debian.tar.xz
 0a3ae6f538460d5ba79614460790d76ed3cd61f5 9989 cups-filters_1.28.17-3+deb12u1_source.buildinfo
Checksums-Sha256:
 b7f5b3e397a851ff64f002b8a3315907ad228c872832071f8e7368812fc40e50 3013 cups-filters_1.28.17-3+deb12u1.dsc
 ade6e4327e7eba1646881aaa4ca82a0df5d44e3b3b16326a5d3f04e975ab595c 1511993 cups-filters_1.28.17.orig.tar.gz
 bf368f1104cec4f0c50414d9e8b4bf9e267cc96eeee607423c28c946015febac 86864 cups-filters_1.28.17-3+deb12u1.debian.tar.xz
 1ea2d4daf023d83fdc053d99ae3c9ef5faf67694e8c44a5c508d790a49345a4d 9989 cups-filters_1.28.17-3+deb12u1_source.buildinfo
Files:
 93eb72dd8018d31ea3b19db261fe3eff 3013 net optional cups-filters_1.28.17-3+deb12u1.dsc
 389aa99780c9b5ac012fc4b2d29e5cba 1511993 net optional cups-filters_1.28.17.orig.tar.gz
 1848fc6d71d97dc47119f63ad11e9183 86864 net optional cups-filters_1.28.17-3+deb12u1.debian.tar.xz
 f8922db6dffbb1739714237ac00beb21 9989 net optional cups-filters_1.28.17-3+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKnBAEBCgCRFiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmb4GF5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcTHGRlYmlhbkBh
bHRlaG9sei5kZQAKCRCW/KwNOHtYRyDGD/9AN3Xh3QekmOzdLkMMHwyWf5mtoqhb
uMHdy9NH3Q6M2h3ewS62IDQmTlq7viMbF1INSbvrPJcJo4A3EuBgvF90J9H04bDG
6A0/5FNdvG/obk/WtEaR+7C+ELApRIk7SnqNXNa8wF607/bJ9KckIpItTwAsxnNj
S8QteFSJt3nZITrALlwcQRaYRo4mAgL6H73sPGi2GQto80xAek6KFvIQNsvSsKMQ
4G0L1vtEoTQ9ZZ44cgP3zgFmSPJc2BO4F86U3h3kjxTszzLs6txnB6ChbZCizHob
aYVJXKAJpxD0joiIZvtB8sAfegIwhr6oVUh5lEkjtrad0qDqptmWr6UHYW6XDPlQ
ejWqOD0keZm5Bjqk13sgfSFxnKwYkGiP8qCfGRZ5G9xDhnwFo+DwlOtS+YhhjFs/
Q+xO6T4i75ZXjbWrNh2IEOUyrcxJklaRfM4QshRlU2HCfR85/3GIWHuSboNRNCt5
PVgELgT38bY4FysqxvznHslAp3liZYQ7OV45I2/ROJsQ6Dx8mGkP4lx5ErTfwv1G
4yR93KM06PNwab+88rCHFLNXH1A7o+QRQ1ZOw5t87jrIwbToXiglxqVgTmQ2gHU5
EStYVpVOmngExN1R3pMTyXrulzLbXbGBzyEyVwccdAigafB07nEgGoRNccR9xTN3
GdFIoODujFEoZA==
=mUxM
-----END PGP SIGNATURE-----

Attachment: pgpGlKSAX9qXB.pgp
Description: PGP signature

--- End Message ---

Reply to: