From upstream: "If you use beh to create an accessible network printer, this security vulnerability can cause remote code execution." Advisory: https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-gpxc-v2m8-fr3x No updated release yet, but a commit in the repo: https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65
You can pull backported patch from debian, if you want to.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c29811eb73520dcfab06a38a184c8f4bf358793 commit 2c29811eb73520dcfab06a38a184c8f4bf358793 Author: Matthias Maier <tamiko@gentoo.org> AuthorDate: 2023-05-24 08:01:57 +0000 Commit: Matthias Maier <tamiko@gentoo.org> CommitDate: 2023-05-24 08:04:46 +0000 net-print/cups-filters: drop 1.28.15-r1, 1.28.16-r3, 1.28.17-r1 Bug: https://bugs.gentoo.org/906944 Signed-off-by: Matthias Maier <tamiko@gentoo.org> net-print/cups-filters/Manifest | 2 - .../cups-filters/cups-filters-1.28.15-r1.ebuild | 130 ------------------ .../cups-filters/cups-filters-1.28.16-r3.ebuild | 144 -------------------- .../cups-filters/cups-filters-1.28.17-r1.ebuild | 149 --------------------- 4 files changed, 425 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8827cf3d0bb159273e683698824d4572882af9e commit d8827cf3d0bb159273e683698824d4572882af9e Author: Matthias Maier <tamiko@gentoo.org> AuthorDate: 2023-05-24 08:00:01 +0000 Commit: Matthias Maier <tamiko@gentoo.org> CommitDate: 2023-05-24 08:04:46 +0000 net-print/cups-filters: apply patch for CVE-2023-24805 Bug: https://bugs.gentoo.org/906944 Signed-off-by: Matthias Maier <tamiko@gentoo.org> .../cups-filters/cups-filters-1.28.17-r2.ebuild | 150 ++++++++++++++ .../cups-filters-1.28.17-CVE-2023-24805.patch | 225 +++++++++++++++++++++ 2 files changed, 375 insertions(+)
Ping. Can vulnerable version 1.28.17 be removed?
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=776d18384108722f0d7f23ff86807acd7150ec79 commit 776d18384108722f0d7f23ff86807acd7150ec79 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2023-12-22 01:22:51 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2023-12-22 01:27:22 +0000 net-print/cups-filters: drop 1.28.17 Bug: https://bugs.gentoo.org/906944 Signed-off-by: John Helmert III <ajak@gentoo.org> net-print/cups-filters/cups-filters-1.28.17.ebuild | 147 --------------------- 1 file changed, 147 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=13307cb5778acc25f47ab91c29f839443f3a4cf8 commit 13307cb5778acc25f47ab91c29f839443f3a4cf8 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-05 14:26:44 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-01-05 14:27:10 +0000 [ GLSA 202401-06 ] CUPS filters: Remote Code Execution Bug: https://bugs.gentoo.org/906944 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202401-06.xml | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+)
