OpenPrinting / cups-snap

Complete CUPS printing stack in a snap

Security update for RCE exploits in cups #23

Closed wiebeytec closed 4 weeks ago

wiebeytec commented 1 month ago

I noticed the CUPSes I had running that were installed with snap were started in June, according to ps. The latest snap version, edge, is from 2.4.10-2 2024-08-15. This does not seem to include the fixes for:

These are high-scoring remote code execution vulnerabilities.

I suppose updating is required?

wiebeytec commented 1 month ago

The stable channel is from 2.4.10-1 2024-06-27 and still does not have the security fixes, it seems.

# snap info cups
name:      cups
summary:   The CUPS Snap - The Printing Stack for Linux
publisher: OpenPrinting✓
store-url: https://snapcraft.io/cups
contact:   webmaster@openprinting.org
license:   unset
description: |
  The official Snap of CUPS, the standard printing environment for Linux operating systems
commands:

...snip...

services:
  cups.cups-browsed: simple, enabled, active
  cups.cupsd:        simple, enabled, active
snap-id:      m1eQacDdXCthEwWQrESei3Zao3d5gfJF
tracking:     latest/stable
refresh-date: 4 days ago, at 17:17 CEST
channels:
  latest/stable:    2.4.10-1 2024-06-27 (1058) 71MB -
  latest/candidate: ↑                               
  latest/beta:      ↑                               
  latest/edge:      2.4.11-1 2024-10-01 (1064) 69MB -
installed:          2.4.10-1            (1058) 71MB -

wiebeytec commented 1 month ago

Stable channel is still not updated and therefore exploitable:

# snap info cups
name:      cups
summary:   The CUPS Snap - The Printing Stack for Linux
publisher: OpenPrinting✓
store-url: https://snapcraft.io/cups
contact:   webmaster@openprinting.org
license:   unset
description: |
  The official Snap of CUPS, the standard printing environment for Linux operating systems
commands:
..snip...
services:
  cups.cups-browsed: simple, enabled, active
  cups.cupsd:        simple, enabled, active
snap-id:      m1eQacDdXCthEwWQrESei3Zao3d5gfJF
tracking:     latest/stable
refresh-date: 21 days ago, at 17:17 CEST
channels:
  latest/stable:    2.4.10-1 2024-06-27 (1058) 71MB -
  latest/candidate: ↑                               
  latest/beta:      ↑                               
  latest/edge:      2.4.11-2 2024-10-18 (1067) 71MB -
installed:          2.4.10-1            (1058) 71MB -

tillkamppeter commented 4 weeks ago

Stable channel is updated for all the OpenPrinting Snaps now. Sorry for the delay.
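
A check in the spirit of the comparison made in this thread, as an added example that is not part of the original issue or the cups-snap project: it parses `snap info` output and lists the channels whose version is newer than the installed one. The function names and the trimmed sample text are constructed here; a newer version on another channel shows only that the tracked channel lags, not which release carries a given fix.

```python
import re

# Constructed sample: the relevant lines of the `snap info cups` output quoted in this thread.
SAMPLE = """\
tracking:     latest/stable
channels:
  latest/stable:    2.4.10-1 2024-06-27 (1058) 71MB -
  latest/candidate: ↑
  latest/beta:      ↑
  latest/edge:      2.4.11-2 2024-10-18 (1067) 71MB -
installed:          2.4.10-1            (1058) 71MB -
"""

VERSION_RE = re.compile(r"\d+(?:[.-]\d+)*")

def version_key(v):
    """Turn '2.4.10-1' into (2, 4, 10, 1) so versions compare numerically."""
    return tuple(int(p) for p in re.split(r"[.-]", v))

def parse_snap_info(text):
    """Return (tracking, installed, {channel: version}) from `snap info` text."""
    tracking = installed = prev = None
    channels, in_channels = {}, False
    for line in text.splitlines():
        if line.startswith("tracking:"):
            tracking = line.split()[1]
        elif line.startswith("installed:"):
            installed, in_channels = line.split()[1], False
        elif line.startswith("channels:"):
            in_channels = True
        elif in_channels and line.startswith(" "):
            name, _, rest = line.strip().partition(":")
            fields = rest.split()
            first = fields[0] if fields else None
            # "↑" (or "^") marks a closed channel that follows the one listed above it.
            version = prev if first in ("↑", "^") else first
            channels[name] = prev = version
        else:
            in_channels = False
    return tracking, installed, channels

def channels_ahead(text):
    """List (channel, version) pairs that are newer than the installed version."""
    _, installed, channels = parse_snap_info(text)
    if not installed or not VERSION_RE.fullmatch(installed):
        return []
    base = version_key(installed)
    return [(c, v) for c, v in channels.items()
            if v and VERSION_RE.fullmatch(v) and version_key(v) > base]
```

On a live host, pass the captured output of `snap info cups` to `channels_ahead` in place of `SAMPLE`.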