Source: cups
Version: 2.4.16-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for cups.

CVE-2026-27447[0]:
| OpenPrinting CUPS is an open source printing system for Linux and
| other Unix-like operating systems. In versions 2.4.16 and prior,
| CUPS daemon (cupsd) contains an authorization bypass vulnerability
| due to case-insensitive username comparison during authorization
| checks. The vulnerability allows an unprivileged user to gain
| unauthorized access to restricted operations by using a user with a
| username that differs only in case from an authorized user. At time
| of publication, there are no publicly available patches.


CVE-2026-34978[1]:
| OpenPrinting CUPS is an open source printing system for Linux and
| other Unix-like operating systems. In versions 2.4.16 and prior, the
| RSS notifier allows .. path traversal in notify-recipient-uri (e.g.,
| rss:///../job.cache), letting a remote IPP client write RSS XML
| bytes outside CacheDir/rss (anywhere that is lp-writable). In
| particular, because CacheDir is group-writable by default (typically
| root:lp and mode 0770), the notifier (running as lp) can replace
| root-managed state files via temp-file + rename(). This PoC clobbers
| CacheDir/job.cache with RSS XML, and after restarting cupsd the
| scheduler fails to parse the job cache and previously queued jobs
| disappear. At time of publication, there are no publicly available
| patches.


CVE-2026-34979[2]:
| OpenPrinting CUPS is an open source printing system for Linux and
| other Unix-like operating systems. In versions 2.4.16 and prior,
| there is a heap-based buffer overflow in the CUPS scheduler when
| building filter option strings from job attributes. At time of
| publication, there are no publicly available patches.


CVE-2026-34980[3]:
| OpenPrinting CUPS is an open source printing system for Linux and
| other Unix-like operating systems. In versions 2.4.16 and prior, in
| a network-exposed cupsd with a shared target queue, an unauthorized
| client can send a Print-Job to that shared PostScript queue without
| authentication. The server accepts a page-border value supplied as
| textWithoutLanguage, preserves an embedded newline through option
| escaping and reparse, and then reparses the resulting second-line
| PPD: text as a trusted scheduler control record. A follow-up raw
| print job can therefore make the server execute an attacker-chosen
| existing binary such as /usr/bin/vim as lp. At time of publication,
| there are no publicly available patches.


CVE-2026-34990[4]:
| OpenPrinting CUPS is an open source printing system for Linux and
| other Unix-like operating systems. In versions 2.4.16 and prior, a
| local unprivileged user can coerce cupsd into authenticating to an
| attacker-controlled localhost IPP service with a reusable
| Authorization: Local ... token. That token is enough to drive
| /admin/ requests on localhost, and the attacker can combine CUPS-
| Create-Local-Printer with printer-is-shared=true to persist a
| file:///... queue even though the normal FileDevice policy rejects
| such URIs. Printing to that queue gives an arbitrary root file
| overwrite; the PoC below uses that primitive to drop a sudoers
| fragment and demonstrate root command execution. At time of
| publication, there are no publicly available patches.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27447
    https://www.cve.org/CVERecord?id=CVE-2026-27447
[1] https://security-tracker.debian.org/tracker/CVE-2026-34978
    https://www.cve.org/CVERecord?id=CVE-2026-34978
[2] https://security-tracker.debian.org/tracker/CVE-2026-34979
    https://www.cve.org/CVERecord?id=CVE-2026-34979
[3] https://security-tracker.debian.org/tracker/CVE-2026-34980
    https://www.cve.org/CVERecord?id=CVE-2026-34980
[4] https://security-tracker.debian.org/tracker/CVE-2026-34990
    https://www.cve.org/CVERecord?id=CVE-2026-34990

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
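The two input-validation problems quoted above for CVE-2026-27447 (authorization checks that compare usernames case-insensitively) and CVE-2026-34978 (".." traversal in an rss:/// notify-recipient-uri) are easiest to reason about next to a small hardened check. The following C program is an added illustration written for this page; it is not code from this bug report, from Debian, or from CUPS. The rss:///NAME[?query] URI shape, the CacheDir value /var/cache/cups, and all function names are assumptions chosen for the example.

```c
/* Added example (not CUPS code): two input-validation checks written
 * from a defender's stance for the issues described in CVE-2026-27447
 * (case-insensitive username comparison) and CVE-2026-34978 (".."
 * traversal in an rss:/// notify-recipient-uri).  The URI shape,
 * directory names and function names are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Weak check: the pattern the CVE text describes.  "Root" and "root"
 * compare equal, so an ACL entry for root also admits an account whose
 * name differs only in case. */
bool acl_user_matches_weak(const char *acl_user, const char *req_user)
{
    return strcasecmp(acl_user, req_user) == 0;
}

/* Hardened check: Unix account names are case-sensitive, so the ACL
 * comparison must be byte-exact. */
bool acl_user_matches(const char *acl_user, const char *req_user)
{
    return strcmp(acl_user, req_user) == 0;
}

/* Map an rss:///NAME[?query] recipient URI onto a file path strictly
 * inside CACHEDIR/rss.  Returns false when the URI is malformed or
 * would escape that directory; OUT is only meaningful on success.
 *
 * Assumed URI shape: "rss:///" followed by a bare file name and an
 * optional "?..." query.  Anything else is rejected rather than
 * normalised.  Percent-encoded input must be decoded before this
 * check; otherwise the '%' is rejected by the allowlist below. */
bool rss_uri_to_safe_path(const char *uri, const char *cachedir,
                          char *out, size_t outlen)
{
    static const char prefix[] = "rss:///";
    const char *name, *q;
    size_t namelen;

    if (uri == NULL || cachedir == NULL || out == NULL || outlen == 0)
        return false;
    if (strncmp(uri, prefix, sizeof(prefix) - 1) != 0)
        return false;

    name = uri + sizeof(prefix) - 1;
    q = strchr(name, '?');
    namelen = q ? (size_t)(q - name) : strlen(name);

    if (namelen == 0 || namelen > 255)
        return false;

    /* Exactly one path component: "." and ".." are refused outright,
     * and because '/' is not in the allowlist, "../x" or "a/../b" can
     * never reach the snprintf below. */
    if ((namelen == 1 && name[0] == '.') ||
        (namelen == 2 && name[0] == '.' && name[1] == '.'))
        return false;
    for (size_t i = 0; i < namelen; i++) {
        char c = name[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return false;
    }

    int n = snprintf(out, outlen, "%s/rss/%.*s", cachedir, (int)namelen, name);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed sample URIs: one benign, three that must be refused. */
    const char *samples[] = {
        "rss:///jobs.rss?max_events=25",
        "rss:///../job.cache",
        "rss:///..",
        "rss:///",
    };
    char path[512];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = rss_uri_to_safe_path(samples[i], "/var/cache/cups",
                                       path, sizeof path);
        printf("%-32s -> %s\n", samples[i], ok ? path : "REJECTED");
    }
    printf("ACL \"root\" vs request \"Root\": weak=%d strict=%d\n",
           acl_user_matches_weak("root", "Root"),
           acl_user_matches("root", "Root"));
    return 0;
}
```

The recipient check deliberately uses an allowlist of a single file-name component instead of trying to strip ".." after the fact; once the name cannot contain a separator, no combination of dots can leave CACHEDIR/rss. The group-writable CacheDir noted in the CVE text is a separate hardening point: even with a correct path check, a notifier running as lp should not need write access to files owned and parsed by root.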
