Bug 31939

Summary: cups-filters new security issue CVE-2023-24805
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: cups-filters-1.28.7-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2023-05-18 18:30:09 CEST 
A security issue fixed upstream in cups-filters has been announced:
https://www.openwall.com/lists/oss-security/2023/05/17/5

Commits to fix the issue have been linked in the message above.

The fixes will be included in versions 2.0.0 and 1.28.18.

Mageia 8 is also affected.
David Walser 2023-05-18 18:30:21 CEST

Status comment: (none) => Fixed upstream in 1.28.18
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2023-05-19 20:18:20 CEST 
Ubuntu has issued an advisory for this on May 17:
https://ubuntu.com/security/notices/USN-6083-1
Comment 2 David Walser 2023-05-19 20:28:50 CEST 
SUSE has issued an advisory for this on May 17:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014921.html
Comment 3 David Walser 2023-05-19 20:46:17 CEST 
Fedora has issued an advisory for this today (May 19):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YNCGL2ZTAS2GFF23QFT55UFWIDMI4ZJK/
Comment 4 Lewis Smith 2023-05-19 21:16:53 CEST 
This pkg has different committers, so assigning this update globally.

Assignee: bugsquad => pkg-bugs

Comment 5 Nicolas Salguero 2023-05-22 10:55:50 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

If you use the Backend Error Handler (beh) to create an accessible network printer, this security vulnerability can cause remote code execution. `beh.c` contains the line `retval = system(cmdline) >> 8;` which calls the `system` command with the operand `cmdline`. `cmdline` contains multiple user controlled, unsanitized values. As a result an attacker with network access to the hosted print server can exploit this vulnerability to inject system commands which are executed in the context of the running server. (CVE-2023-24805)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24805
https://www.openwall.com/lists/oss-security/2023/05/17/5
https://ubuntu.com/security/notices/USN-6083-1
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014921.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YNCGL2ZTAS2GFF23QFT55UFWIDMI4ZJK/
========================

Updated packages in core/updates_testing:
========================
cups-filters-1.28.7-1.1.mga8
lib(64)cups-filters1-1.28.7-1.1.mga8
lib(64)cups-filters-devel-1.28.7-1.1.mga8

from SRPM:
cups-filters-1.28.7-1.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Source RPM: cups-filters-1.28.16-5.mga9.src.rpm => cups-filters-1.28.7-1.mga8.src.rpm
Status comment: Fixed upstream in 1.28.18 => (none)
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero

Comment 6 Thomas Andrews 2023-05-25 01:59:27 CEST 
MGA8-64 Plasma system, with an HP color Laserjet CP1215 and cups-pdf printers installed.

No installation issues. Using the procedure from several previous updates, I checked the function of the printers, and both real and virtual functioned normally.

Giving this an OK, and validating. Advisory in comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-05-30 18:48:27 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2023-05-31 08:42:47 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0189.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED