On 9/26/24 6:11 PM, Solar Designer wrote:
* CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631
trusting any packet from any source to trigger a
Get-Printer-Attributes IPP request to an attacker controlled URL.
This seems like a plausible and precise description for a vulne
All,
For the _ppdCreateFromIPP code in cups/ppd-cache.c, the commits for CUPS 2.5
are:
8361420cb Escape localized strings in PPDs.
dfb947e13 Fix localization of finishing templates and general presets.
5a4803788 PPDize preset and template names.
bcd720b06 Refactor make-and-model
On Fri, Sep 27, 2024 at 01:49:52AM +0200, Solar Designer wrote:
> Thanks Alan! On Twitter, Alan further clarified that "once it was clear
> the info was out there, the distro makers wanted to end the embargo so
> they could publish advisories telling users to disable cups-browsed
> instead of wait
Hi Alex,
Mike has more info about those commits, I've added him in the loop here.
I'm sorry that I cannot provide much more info - there is Fedora commit
from Justin https://src.fedoraproject.org/rpms/cups/c/d0eba90f305d which
should cover Mike's fixes, but I don't know which was for which iss
On Thu, Sep 26, 2024 at 03:43:23PM -0700, Alan Coopersmith wrote:
> On 9/26/24 15:11, Solar Designer wrote:
> >A lot of drama around the disclosure of those issues was going on for
> >maybe a month now, with public tweets about the disclosure process and
> >the issues affecting many distros but exc
On 9/26/24 15:11, Solar Designer wrote:
A lot of drama around the disclosure of those issues was going on for
maybe a month now, with public tweets about the disclosure process and
the issues affecting many distros but excluding detail on the issues
(not even CUPS was specifically mentioned until
