Bug#1088610: cups: XSS vulnerability in web interface not backported
Package: cups
Version: 2.4.2-3+deb12u8
Severity: important
Tags: fixed-upstream
X-Debbugs-Cc: r2zqjb9f@dumper.anonaddy.com
Hello Debian Printing Team,
Version 2.4.2 of cups contains an XSS vulnerability that was fixed in commit
988ddfd [0] and published in release v2.4.8 [1].
Exploitation is trivial:
"https://localhost:631/admin?DEBUG_LOGGING=onfocus=alert(1) autofocus="
However, no CVE was assigned, so no one backported this patch to
2.4.2-3+deb12u8.
The vulnerability was detected by Tenable, which performs various fuzzing
scans.
[0] https://github.com/OpenPrinting/cups/commit/988ddfd9e66affdb4ed8714c30de96fb304ef4cb
[1] https://github.com/OpenPrinting/cups/releases/tag/v2.4.8
-- System Information:
Debian Release: 12.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'bookworm-fasttrack')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-28-amd64 (SMP w/3 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE, TAINT_LIVEPATCH
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cups depends on:
pn cups-client <none>
pn cups-common <none>
pn cups-core-drivers <none>
pn cups-daemon <none>
pn cups-filters <none>
pn cups-ppdc <none>
pn cups-server-common <none>
ii debconf [debconf-2.0] 1.5.82
pn ghostscript <none>
ii libavahi-client3 0.8-10
ii libavahi-common3 0.8-10
ii libc6 2.36-9+deb12u9
ii libcups2 2.4.2-3+deb12u8
ii libgcc-s1 12.2.0-14
ii libstdc++6 12.2.0-14
ii libusb-1.0-0 2:1.0.26-1
pn poppler-utils <none>
ii procps 2:4.0.2-3
Versions of packages cups recommends:
pn avahi-daemon <none>
pn colord <none>
Versions of packages cups suggests:
pn cups-bsd <none>
pn cups-pdf <none>
pn foomatic-db-compressed-ppds | foomatic-db <none>
pn smbclient <none>
ii udev 252.31-1~deb12u1
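The payload in the PoC URL works because the request value is spliced straight into a tag's attribute list. The following is an added illustration, not CUPS code and not the upstream fix in 988ddfd; it assumes a template shape like `<INPUT TYPE="CHECKBOX" NAME="DEBUG_LOGGING" {DEBUG_LOGGING}>` (an assumption, not quoted from the page) and shows the vulnerable splice beside an allowlist-based renderer, plus a check that flags inline event handlers in rendered markup (`render_checkbox_unsafe`, `render_checkbox_safe`, `has_event_handler` and `poc_is_neutralized` are hypothetical names):

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed from the PoC URL in the report: the decoded DEBUG_LOGGING value. */
#define POC_VALUE "onfocus=alert(1) autofocus="

/* Vulnerable pattern (assumed template shape, not quoted from CUPS): the value
 * is spliced raw into the attribute list, so spaces and '=' in it become extra
 * attributes, including event handlers. */
int render_checkbox_unsafe(const char *name, const char *value, char *out, size_t outlen)
{
    return snprintf(out, outlen, "<INPUT TYPE=\"CHECKBOX\" NAME=\"%s\" %s>", name, value);
}

/* Hardened: the boolean variable is never echoed. It is mapped through an
 * allowlist to a fixed attribute, so request-controlled text never reaches the
 * markup. NAME is a server-side constant here, not request input. */
int render_checkbox_safe(const char *name, const char *value, char *out, size_t outlen)
{
    const char *attr = (value && strcasecmp(value, "CHECKED") == 0) ? " checked" : "";
    return snprintf(out, outlen, "<INPUT TYPE=\"CHECKBOX\" NAME=\"%s\"%s>", name, attr);
}

/* Detection helper for a unit test or response-body check: does the markup
 * carry an inline event-handler attribute of the form " on<letters>="? */
int has_event_handler(const char *html)
{
    for (const char *p = html; (p = strstr(p, " on")) != NULL; p += 3) {
        const char *q = p + 3;
        while (isalpha((unsigned char)*q)) q++;
        if (q > p + 3 && *q == '=') return 1;
    }
    return 0;
}

/* End-to-end check on the report's payload: 1 when the vulnerable renderer
 * emits a handler and the hardened one does not. */
int poc_is_neutralized(void)
{
    char unsafe_html[256], safe_html[256];
    render_checkbox_unsafe("DEBUG_LOGGING", POC_VALUE, unsafe_html, sizeof unsafe_html);
    render_checkbox_safe("DEBUG_LOGGING", POC_VALUE, safe_html, sizeof safe_html);
    return has_event_handler(unsafe_html) && !has_event_handler(safe_html);
}
```

The same allowlist idea applies to any template variable that is meant to take one of a few fixed values: map it, never echo it.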