Cups is affected by a security vulnerability [26 September 2024]

3 Likes

Pepperidge Farms remembers

I am confused as to why you would share this here…

I think it’s the point on the need for hardened security postures for user-facing services such as printing and accessing Wi-Fi networks, and Torvalds’ opinion (at that time, this is 12+ years old) that it was ridiculous to assert a need for root-level authentication to do such things.

2 Likes

Start actually reading.

Thanks, glad that the vulnerability has been addressed upstream so quickly!

I mean it said 9.9 kernel vulnerability, i wouldn’t really call this that bad, it’s an extremely serious issue but it exclusively affects servers that are set up and regularly using printers without a proper firewall setup (or without a router that has a proper firewall setup between them and the net)

If I understood correctly, this vulnerability can also only really be used if you’re actively using printers since for the code to execute you need to print something.

Basically, only servers set up by imbeciles that are not connected to the internet by router and are using printers frequently could be affected by this.

It’s a serious vulnerability, but 9.9? come on, what a bunch of drama queens.

Virtually no home users would be affected by this and very few servers would be, how many servers fulfill all the required conditions? Cuz it’s a lot of conditions…

From what I understand too, the RCE is pretty hard to execute, however, the fact that by default your computer is completely open to the public isn’t that good either. It is an over-exaggeration, but security researchers seem to usually over-exaggerate such issues.

by default for some distros yeah, it’s pretty bad. not 99/100 bad, if we put windows 10/11 in their natural state sending everything to microsoft as 100/100 benchmark i’d rank it more like a 4/10.

Pretty damn serious but not even in the same ballpark as using windows. It would be in the same ballpark if by default the RCE was easy and all linux machines were vulnerable to it instead of just a tiny handful.

Then again we’re not experts, maybe there’s a way to use this that we don’t see that makes it much worse than it appears…

An expert on CachyOS informed everyone that Arch had already addressed the issue.
It would be good to hear a confirmation from Endeavour OS team.

There isn’t really anything for them to confirm - if fixes have been applied to the packages in Arch’s repos, then they will have filtered through to EOS already because they’re literally the same repos.

Besides which, the issue is only relevant if you use the exploitable service. If you don’t use cups-browsed and therefore don’t have it enabled on your system (since it’s not included or enabled by default, you’d have had to go out of your way to add it so ought to know if you’re actually using it or not) then there’s nothing to worry about.

6 Likes

It seems to be resolved on Debian (updates were published).

They also have enabled this service by default! Unsure if the vulnerability completely fixed for them already with these updates.

I read that and honestly, he isn’t exactly wrong. Almost none of those actions require root to do now on any operating system.

hello @joekamprad joe,

since the problem has been solved by a simple update to cups-browsed-2.0.1-2, it would be good if this announcement could be updated to say that the problem has been solved by updating to cups-browsed-2.0.1-2.
By the way, the security alert still appears in Welcome and ‘software news’.

[https://gitlab.com/endeavouros-filemirror/Important-news/blob/main/README.md]

I myself spent quite a bit of time looking to see if I had a version of the package concerned or if it was up to date

Thanks

1 Like

Some users don’t update their systems as often as they should. As such, they may not actually see that update until next month or even next year.

Critical news shouldn’t necessarily be removed, but rather disappear over time due to newer critical news.

1 Like

If I recall from one of the advisories, maybe this one, not only was cups-browserd affected, but libcupsfilters and libppd, and cups-filters. I thought there was another package too. All arrive with an -Syu or whatever incantation one uses.

1 Like

No, the exlpoit do it possible to add a fake printer remotely. to see how this works look at this link: https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

2 Likes