Re: [oss-security] CUPS printing system vulnerabilities

2024-09-27 Thread Will Dormann
On 9/26/24 6:11 PM, Solar Designer wrote: * CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL. This seems like a plausible and precise description for a vulne

Re: [oss-security] CUPS printing system vulnerabilities

2024-09-26 Thread Michael Sweet
All,
For the _ppdCreateFromIPP code in cups/ppd-cache.c, the commits for CUPS 2.5 are:
8361420cb Escape localized strings in PPDs.
dfb947e13 Fix localization of finishing templates and general presets.
5a4803788 PPDize preset and template names.
bcd720b06 Refactor make-and-model

Re: [oss-security] CUPS printing system vulnerabilities

2024-09-26 Thread Mark Esler
On Fri, Sep 27, 2024 at 01:49:52AM +0200, Solar Designer wrote:
> Thanks Alan! On Twitter, Alan further clarified that "once it was clear
> the info was out there, the distro makers wanted to end the embargo so
> they could publish advisories telling users to disable cups-browsed
> instead of wait

Re: [oss-security] CUPS printing system vulnerabilities

2024-09-26 Thread Zdenek Dohnal
Hi Alex, Mike has more info about those commits, I've added him in the loop here. I'm sorry that I cannot provide much more info - there is a Fedora commit from Justin https://src.fedoraproject.org/rpms/cups/c/d0eba90f305d which should cover Mike's fixes, but I don't know which was for which iss

Re: [oss-security] CUPS printing system vulnerabilities

2024-09-26 Thread Solar Designer
On Thu, Sep 26, 2024 at 03:43:23PM -0700, Alan Coopersmith wrote:
> On 9/26/24 15:11, Solar Designer wrote:
> >A lot of drama around the disclosure of those issues was going on for
> >maybe a month now, with public tweets about the disclosure process and
> >the issues affecting many distros but exc

Re: [oss-security] CUPS printing system vulnerabilities

2024-09-26 Thread Alan Coopersmith
On 9/26/24 15:11, Solar Designer wrote: A lot of drama around the disclosure of those issues was going on for maybe a month now, with public tweets about the disclosure process and the issues affecting many distros but excluding detail on the issues (not even CUPS was specifically mentioned until

[oss-security] CUPS printing system vulnerabilities

2024-09-26 Thread Solar Designer
Hi, Simone Margaritelli (evilsocket) has discovered multiple vulnerabilities in the CUPS printing system and the way it's configured in some distros. A lot of drama around the disclosure of those issues was going on for maybe a month now, with public tweets about the disclosure process and the is