[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1082822: marked as done (cups-filters: CVE-2024-47177)

Your message dated Tue, 13 May 2025 10:25:59 +0200
with message-id <aCMCF-bKMrdDoKiv@eldamar.lan>
and subject line Re: Bug#1082822: cups-filters: CVE-2024-47177
has caused the Debian Bug report #1082822,
regarding cups-filters: CVE-2024-47177
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1082822: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082822
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Source: cups-filters
Version: 1.28.17-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for cups-filters.

CVE-2024-47177[0]:
| CUPS is a standards-based, open-source printing system, and cups-
| filters provides backends, filters, and other software for CUPS 2.x
| to use on non-Mac OS systems. Any value passed to
| `FoomaticRIPCommandLine` via a PPD file will be executed as a user
| controlled command. When combined with other logic bugs as described
| in CVE_2024-47176, this can lead to remote command execution.

No fix from upstream yet on this one.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47177
    https://www.cve.org/CVERecord?id=CVE-2024-47177
[1] https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message --- 
Hi,

On Fri, Sep 27, 2024 at 09:44:22PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Fri, Sep 27, 2024 at 07:37:03AM +0200, Salvatore Bonaccorso wrote:
> > Source: cups-filters
> > Version: 1.28.17-3
> > Severity: grave
> > Tags: security upstream
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> > 
> > Hi,
> > 
> > The following vulnerability was published for cups-filters.
> > 
> > CVE-2024-47177[0]:
> > | CUPS is a standards-based, open-source printing system, and cups-
> > | filters provides backends, filters, and other software for CUPS 2.x
> > | to use on non-Mac OS systems. Any value passed to
> > | `FoomaticRIPCommandLine` via a PPD file will be executed as a user
> > | controlled command. When combined with other logic bugs as described
> > | in CVE_2024-47176, this can lead to remote command execution.
> > 
> > No fix from upstream yet on this one.
> 
> This one will actually likely not be addressed is my understanding,
> and I am lowering the severity.
> 
> Basically one can argue, that once CVE-2024-47076, CVE-2024-47175 and
> CVE-2024-47176 are fixed, the impact of this CVE is mitigated as well.
> 
> I will add this clarifying note as well to the tracker.

The argument got discussed, recently the assigning CNA rejected the
CVE with:

This candidate is a duplicate of CVE-2024-47076, CVE-2024-47175, and
CVE-2024-47176.

Along we can close the Debian bug as well.

Regards,
Salvatore

--- End Message ---
Reply to: