Bug 33596 - cups and cups-filters new security issues CVE-2024-47076 and CVE-2024-4717[5-7]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-27 11:15 CEST by Nicolas Salguero
Modified: 2024-10-07 19:40 CEST

See Also:
Source RPM: cups-2.4.6-1.2.mga9.src.rpm, cups-filters-1.28.16-6.mga9.src.rpm
CVE: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177
Status comment:



Nicolas Salguero 2024-09-27 11:20:30 CEST

Severity: normal => critical
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => cups-2.4.10-4.mga10.src.rpm, cups-browsed-2.0.1-1.mga10.src.rpm, libcupsfilters-2.0.0-2.mga10.src.rpm, libppd-2.0.0-1.mga10.src.rpm, cups-filters-2.0.1-1.mga10.src.rpm, cups-2.4.6-1.2.mga9.src.rpm, cups-filters-1.28.16-6.mga9.src.rpm
CVE: (none) => CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177
Status comment: (none) => Patches available from Fedora and upstream
Summary: cups-filters new security issues CVE-2024-47076 and CVE-2024-4717[5-7] => cups and cups-filters new security issues CVE-2024-47076 and CVE-2024-4717[5-7]

Nicolas Salguero 2024-09-27 15:35:47 CEST

Status comment: Patches available from Fedora and upstream => Patches available from Fedora, Ubuntu and upstream

Comment 2 Lewis Smith 2024-09-27 20:44:15 CEST
Various people have maintained cups etc, so assigning this globally.
Note the links to fixes in comment 0 (thanks NicolasS for those).

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2024-10-03 09:32:20 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker-controlled data being provided to the rest of the CUPS system. (CVE-2024-47076)

The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, this can result in user-controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176. (CVE-2024-47175)

`cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause a `Get-Printer-Attributes` IPP request to be sent to an attacker-controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to. (CVE-2024-47176)

Any value passed to `FoomaticRIPCommandLine` via a PPD file will be executed as a user-controlled command. When combined with other logic bugs as described in CVE-2024-47176, this can lead to remote command execution. (CVE-2024-47177)

References:
https://www.openwall.com/lists/oss-security/2024/09/26/5
https://ubuntu.com/security/notices/USN-7041-1
https://ubuntu.com/security/notices/USN-7043-1
========================

Updated packages in core/updates_testing:
========================
cups-2.4.6-1.3.mga9
cups-common-2.4.6-1.3.mga9
cups-filesystem-2.4.6-1.3.mga9
cups-printerapp-2.4.6-1.3.mga9
lib(64)cups2-2.4.6-1.3.mga9
lib(64)cups2-devel-2.4.6-1.3.mga9

cups-filters-1.28.16-6.1.mga9
lib(64)cups-filters1-1.28.16-6.1.mga9
lib(64)cups-filters-devel-1.28.16-6.1.mga9

from SRPMS:
cups-2.4.6-1.3.mga9.src.rpm
cups-filters-1.28.16-6.1.mga9.src.rpm

Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from Fedora, Ubuntu and upstream => (none)
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Source RPM: cups-2.4.10-4.mga10.src.rpm, cups-browsed-2.0.1-1.mga10.src.rpm, libcupsfilters-2.0.0-2.mga10.src.rpm, libppd-2.0.0-1.mga10.src.rpm, cups-filters-2.0.1-1.mga10.src.rpm, cups-2.4.6-1.2.mga9.src.rpm, cups-filters-1.28.16-6.mga9.src.rpm => cups-2.4.6-1.2.mga9.src.rpm, cups-filters-1.28.16-6.mga9.src.rpm
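
As an added illustration of the CVE-2024-47177 description in the advisory of comment 3 (this is not part of the bug report, nor Mageia or CUPS code): a small Python audit that extracts each `FoomaticRIPCommandLine` value from a PPD and lists the pipeline programs that fall outside an expected set. The `EXPECTED_PROGRAMS` set, the function names and the two sample PPDs are assumptions constructed for this example.

```python
import re
import shlex
from pathlib import Path

# Assumption: programs this site expects in Foomatic pipelines; adjust locally.
EXPECTED_PROGRAMS = {"gs", "foomatic-gswrapper", "cat"}

# A PPD quoted value may span several lines until the closing quote.
_DIRECTIVE = re.compile(r'^\*FoomaticRIPCommandLine:\s*"([^"]*)"', re.MULTILINE)

# Constructed samples, not taken from any real printer or from the bug report.
SAMPLE_DRIVER_PPD = '''*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPA&&
USE -sDEVICE=pxlmono -sOutputFile=- - | cat"
*End
'''
SAMPLE_SUSPECT_PPD = '''*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "echo constructed-sample"
*End
'''

def foomatic_commands(ppd_text):
    """Return each FoomaticRIPCommandLine value as a single-line string."""
    text = ppd_text.replace("\r\n", "\n")
    # Foomatic wraps long values with "&&" at end of line; rejoin them.
    return [v.replace("&&\n", "").replace("\n", " ").strip()
            for v in _DIRECTIVE.findall(text)]

def unexpected_programs(command):
    """List pipeline programs (or substitutions) outside EXPECTED_PROGRAMS."""
    found = []
    if "$(" in command or "`" in command:
        found.append("<command substitution>")
    for stage in re.split(r"\|\||&&|[|;&]", command):
        try:
            tokens = shlex.split(stage)
        except ValueError:  # unbalanced quote: fall back to whitespace split
            tokens = stage.split()
        # Full paths are deliberately not normalised, so they show up for review.
        if tokens and tokens[0] not in EXPECTED_PROGRAMS:
            found.append(tokens[0])
    return found

def audit_ppd(name, ppd_text):
    """Return (name, command, unexpected programs) for each directive found."""
    return [(name, c, unexpected_programs(c)) for c in foomatic_commands(ppd_text)]

if __name__ == "__main__":
    for path in sorted(Path("/etc/cups/ppd").glob("*.ppd")):
        for row in audit_ppd(path.name, path.read_text(errors="replace")):
            print(row)
```

Run as a script, it reports on the PPDs that CUPS keeps under `/etc/cups/ppd`; an empty third field means every program in that pipeline is on the expected list.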

katnatek 2024-10-04 01:48:05 CEST

Keywords: (none) => advisory

Comment 4 Morgan Leijström 2024-10-04 14:56:08 CEST
mga9-64 OK

Clean update to
- cups-2.4.6-1.3.mga9.x86_64
- cups-common-2.4.6-1.3.mga9.x86_64
- cups-filesystem-2.4.6-1.3.mga9.noarch
- cups-filters-1.28.16-6.1.mga9.x86_64
- lib64cups-filters1-1.28.16-6.1.mga9.x86_64
- lib64cups2-2.4.6-1.3.mga9.x86_64

Tested with Bug 33597 - ghostscript

Just testing printing to boomaga and network printer, and using web interface http://localhost:631/

CC: (none) => fri

Comment 5 PC LX 2024-10-05 15:47:16 CEST
Installed and tested without issues.

Tested:
- printing from multiple applications (e.g. Firefox, Okular, Kate, LibreOffice Writer);
- HP Device Manager (seeing status, ink supplies, print test page);
- scanning using XSane;

Working as usual.



Printer: HP Officejet 4658
System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.52-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Sep 19 20:27:15 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep -P 'cups.*-2.4.6-' | sort
cups-2.4.6-1.3.mga9
cups-common-2.4.6-1.3.mga9
cups-filesystem-2.4.6-1.3.mga9
lib64cups2-2.4.6-1.3.mga9

CC: (none) => mageia

Comment 6 Thomas Andrews 2024-10-06 03:02:05 CEST
MGA9-64 Plasma, i5-7500, nvidia Quadro K620 graphics. No installation issues.

I have three printers:

1. A venerable HP Deskjet 5650, connected via USB.
2. An almost as venerable HP Color Laserjet CP1215, connected via USB.
3. An HP Envy Photo 7858, connected as a network printer via wifi.

The two USB printers printed test pages without issues. 

The wifi-connected printer threw "Device Communication Errors" and would not print until it was removed and re-installed, after which printing proceeded normally. Seems to me that serves as a test of the `cfGetPrinterAttributes5` function mentioned in the advisory.

CC: (none) => andrewsfarm

Comment 7 Len Lawrence 2024-10-06 14:27:49 CEST
mga9, x64
HP Smart Tank 5106 wifi printer

Installed some missing core packages then performed a clean update.
Restarted cups.
$ libreoffice --writer Your-TV-Licence.pdf
switched to draw and printed the document.
Firefox printed a seven page document from Mageia Wiki.
Printed plain text file from gedit.
Printed postscript file from the command-line using CUPS directly:
$ lpr -Pmothra abc-0.ps

CC: (none) => tarazed25

Comment 8 Thomas Andrews 2024-10-07 02:32:37 CEST
Same network printer as Comment 6, different MGA9-64 Plasma computer.

I needed to remove and re-install the printer before it would print and before getting the update, so that must have had something to do with another, previous update, not related to this one.

There were no installation issues. When asked about using rpmnew as the main file, that is what I chose to do. I rebooted, just in case, and printed a test page from the HP Device manager. Then I used the option within the Device Manager to view the CUPS information for the printer, which looked good.

Looks OK for 64-bit. I will try it with 32-bit hardware a little later.

Whiteboard: (none) => MGA9-64-OK

Comment 9 Thomas Andrews 2024-10-07 04:47:47 CEST
On Foolishness, my Dell Inspiron 5100, the update also works without issues. 

I have determined why I had to re-install the printer. Somehow, and I don't know when it happened, the printer's IP address on my network was changed, incremented by 1. Consequently, the computers could no longer communicate with it.

Giving this both OKs, and validating.

Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 Mageia Robot 2024-10-07 19:40:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0327.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

