Bug 940313 (CVE-2024-47076, GHSA-w63j-6g73-wmg5) - <net-print/libcupsfilters-2.1_beta1: Insufficient input validation
Summary: <net-print/libcupsfilters-2.1_beta1: Insufficient input validation
Status: IN_PROGRESS
Alias: CVE-2024-47076, GHSA-w63j-6g73-wmg5
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/OpenPrinting/libcu...
Whiteboard: B4 [stable]
Keywords:
Depends on: 940015
Blocks: 940312
Reported: 2024-09-26 20:04 UTC by Sam James
Modified: 2024-10-18 15:17 UTC

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-09-26 20:04:20 UTC
From https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

> CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.
Comment 1 Larry the Git Cow gentoo-dev 2024-09-26 21:12:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7fa423265b666d24d4a9acf27030cf701fb4976

commit f7fa423265b666d24d4a9acf27030cf701fb4976
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 21:10:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 21:11:20 +0000

    net-print/cups: backport PPD validation fixes
    
    These fixes are in net-print/cups itself, which was not actually
    referenced in the 4 CVEs in the CUPS writeup mentioned in bug 940312.
    
    But they're also the only patches available right now, and they're clearly
    related, so let's pull them in as others are doing too.
    
    Specifically, it pulls in the following from the 2.4.x branch:
    * 313c388dbc023bbcb75d1efed800d0cfc992a6cc
    * 9939a70b750edd9d05270060cc5cf62ca98cfbe5
    * 04bb2af4521b56c1699a2c2431c56c05a7102e69
    * e0630cd18f76340d302000f2bf6516e99602b844
    * 1e6ca5913eceee906038bc04cc7ccfbe2923bdfd
    * 2abe1ba8a66864aa82cd9836b37e57103b8e1a3b
    
    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/cups/Manifest              |   1 +
 net-print/cups/cups-2.4.10-r1.ebuild | 322 +++++++++++++++++++++++++++++++++++
 2 files changed, 323 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-09-26 21:21:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=514b7f9c5f97a92ad3e9c4321db99e8fc4cd14a2

commit 514b7f9c5f97a92ad3e9c4321db99e8fc4cd14a2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 21:19:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 21:20:22 +0000

    net-print/cups-browsed: add 2.0.1
    
    Also, include a mitigation for CVE-2024-47176 (bug #940311) by
    copying the effects of upstream commit 1debe6b140c37e0aa928559add4abcc95ce54aa2,
    i.e. drop 'cups' from --with-browseremoteprotocols=...
    
    (Also, while here, change the casing to match the upstream configure script.)
    
    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/cups-browsed/Manifest                  |  1 +
 net-print/cups-browsed/cups-browsed-2.0.1.ebuild | 79 ++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2024-09-26 21:35:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7eba3af91f1fd96ebb7491890479e7aef6c649ac

commit 7eba3af91f1fd96ebb7491890479e7aef6c649ac
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 21:32:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 21:34:07 +0000

    net-print/libppd: add 2.1_beta1
    
    Note that while this is technically a beta, it was a better
    option than backporting patches to 2.0.0 because the relevant
    upstream commit didn't apply cleanly (d681747ebf12602cb426725eb8ce2753211e2477)
    and there's various mostly bug fixes between 2.0.0 and 2.1_beta1.
    
    The only new feature is adding libcups-3 support which should be harmless.
    
    i.e. The delta between 2.0.0 and 2.1_beta1 is almost entirely, modulo
    libcups-3 support, stuff we would want to backport anyway (obvious and
    trivial bug fixes).
    
    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/libppd/Manifest                |  1 +
 net-print/libppd/libppd-2.1_beta1.ebuild | 54 ++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2024-09-26 22:06:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec56d5dd8051dcfb81e1496248a78b260fe20f64

commit ec56d5dd8051dcfb81e1496248a78b260fe20f64
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 22:05:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 22:06:06 +0000

    net-print/libppd: add CVE-2024-47175 patch
    
    I left this out when rebasing on the beta.
    
    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Fixes: 7eba3af91f1fd96ebb7491890479e7aef6c649ac
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/libppd-2.1_beta1-CVE-2024-47175.patch    | 560 +++++++++++++++++++++
 net-print/libppd/libppd-2.1_beta1-r1.ebuild        |  58 +++
 2 files changed, 618 insertions(+)
Comment 6 Larry the Git Cow gentoo-dev 2024-09-26 22:13:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=429f7f1f7ec1dd9e83c4b556e829f95f9e8c50f4

commit 429f7f1f7ec1dd9e83c4b556e829f95f9e8c50f4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 22:12:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 22:12:07 +0000

    net-print/libcupsfilters: add 2.1_beta1
    
    Similar rationale to 7eba3af91f1fd96ebb7491890479e7aef6c649ac in terms
    of why a beta.
    
    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/libcupsfilters/Manifest                  |  1 +
 .../libcupsfilters-2.1_beta1-CVE-2024-47076.patch  | 31 +++++++++
 .../libcupsfilters/libcupsfilters-2.1_beta1.ebuild | 75 ++++++++++++++++++++++
 3 files changed, 107 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2024-10-18 15:17:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c85934fb07145906e3aa22cb7d67d71a8a721892

commit c85934fb07145906e3aa22cb7d67d71a8a721892
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-10-18 15:16:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-10-18 15:17:18 +0000

    net-print/libcupsfilters: add 2.1.0
    
    Note that we'd already backported the CVE fixes.
    
    Bug: https://bugs.gentoo.org/940313
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/libcupsfilters/Manifest                  |  1 +
 .../libcupsfilters/libcupsfilters-2.1.0.ebuild     | 71 ++++++++++++++++++++++
 2 files changed, 72 insertions(+)