OESA-2024-2246

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2246
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2024-2246.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2024-2246
Upstream
Published
2024-10-12T11:09:21Z
Modified
2025-09-03T06:20:31.451407Z
Summary
cups-filters security update
Details

This project provides backends, filters, and other software that was once part of the core CUPS distribution but is no longer maintained by Apple Inc. In addition it contains additional filters and software developed independently of Apple, especially filters for the PDF-centric printing workflow introduced by OpenPrinting and a daemon to browse Bonjour broadcasts of remote CUPS printers to make these printers available locally and to provide backward compatibility to the old CUPS broadcasting and browsing of CUPS 1.5.x and older.

Security Fix(es):

CUPS is a standards-based, open-source printing system, and libcupsfilters contains the code of the filters of the former cups-filters package as library functions to be used for the data format conversion tasks needed in Printer Applications. The cfGetPrinterAttributes5 function in libcupsfilters does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system.(CVE-2024-47076)

CUPS is a standards-based, open-source printing system, and libppd can be used for legacy PPD file support. The libppd function ppdCreatePPDFromIPP2 does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as cfGetPrinterAttributes5, can result in user controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.(CVE-2024-47175)

CUPS is a standards-based, open-source printing system, and cups-browsed contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. cups-browsed binds to INADDR_ANY:631, causing it to trust any packet from any source, and can cause the Get-Printer-Attributes IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.(CVE-2024-47176)

CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added, a different vulnerability than CVE-2024-47176. (The request is meant to probe the new printer but can be used to create DDoS amplification attacks.)(CVE-2024-47850)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP1 / cups-filters

Package

Name
cups-filters
Purl
pkg:rpm/openEuler/cups-filters&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.28.9-5.oe2203sp1

Ecosystem specific 

{
    "noarch": [
        "cups-filters-help-1.28.9-5.oe2203sp1.noarch.rpm"
    ],
    "src": [
        "cups-filters-1.28.9-5.oe2203sp1.src.rpm"
    ],
    "x86_64": [
        "cups-filters-1.28.9-5.oe2203sp1.x86_64.rpm",
        "cups-filters-debuginfo-1.28.9-5.oe2203sp1.x86_64.rpm",
        "cups-filters-debugsource-1.28.9-5.oe2203sp1.x86_64.rpm",
        "cups-filters-devel-1.28.9-5.oe2203sp1.x86_64.rpm"
    ],
    "aarch64": [
        "cups-filters-1.28.9-5.oe2203sp1.aarch64.rpm",
        "cups-filters-debuginfo-1.28.9-5.oe2203sp1.aarch64.rpm",
        "cups-filters-debugsource-1.28.9-5.oe2203sp1.aarch64.rpm",
        "cups-filters-devel-1.28.9-5.oe2203sp1.aarch64.rpm"
    ]
}

openEuler:24.03-LTS / cups-filters

Package

Name
cups-filters
Purl
pkg:rpm/openEuler/cups-filters&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.28.15-4.oe2403

Ecosystem specific 

{
    "noarch": [
        "cups-filters-help-1.28.15-4.oe2403.noarch.rpm"
    ],
    "src": [
        "cups-filters-1.28.15-4.oe2403.src.rpm"
    ],
    "x86_64": [
        "cups-filters-1.28.15-4.oe2403.x86_64.rpm",
        "cups-filters-debuginfo-1.28.15-4.oe2403.x86_64.rpm",
        "cups-filters-debugsource-1.28.15-4.oe2403.x86_64.rpm",
        "cups-filters-devel-1.28.15-4.oe2403.x86_64.rpm"
    ],
    "aarch64": [
        "cups-filters-1.28.15-4.oe2403.aarch64.rpm",
        "cups-filters-debuginfo-1.28.15-4.oe2403.aarch64.rpm",
        "cups-filters-debugsource-1.28.15-4.oe2403.aarch64.rpm",
        "cups-filters-devel-1.28.15-4.oe2403.aarch64.rpm"
    ]
}

openEuler:22.03-LTS-SP4 / cups-filters

Package

Name
cups-filters
Purl
pkg:rpm/openEuler/cups-filters&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.28.9-5.oe2203sp4

Ecosystem specific 

{
    "noarch": [
        "cups-filters-help-1.28.9-5.oe2203sp4.noarch.rpm"
    ],
    "src": [
        "cups-filters-1.28.9-5.oe2203sp4.src.rpm"
    ],
    "x86_64": [
        "cups-filters-1.28.9-5.oe2203sp4.x86_64.rpm",
        "cups-filters-debuginfo-1.28.9-5.oe2203sp4.x86_64.rpm",
        "cups-filters-debugsource-1.28.9-5.oe2203sp4.x86_64.rpm",
        "cups-filters-devel-1.28.9-5.oe2203sp4.x86_64.rpm"
    ],
    "aarch64": [
        "cups-filters-1.28.9-5.oe2203sp4.aarch64.rpm",
        "cups-filters-debuginfo-1.28.9-5.oe2203sp4.aarch64.rpm",
        "cups-filters-debugsource-1.28.9-5.oe2203sp4.aarch64.rpm",
        "cups-filters-devel-1.28.9-5.oe2203sp4.aarch64.rpm"
    ]
}

openEuler:22.03-LTS-SP3 / cups-filters

Package

Name
cups-filters
Purl
pkg:rpm/openEuler/cups-filters&distro=openEuler-22.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.28.9-5.oe2203sp3

Ecosystem specific 

{
    "noarch": [
        "cups-filters-help-1.28.9-5.oe2203sp3.noarch.rpm"
    ],
    "src": [
        "cups-filters-1.28.9-5.oe2203sp3.src.rpm"
    ],
    "x86_64": [
        "cups-filters-1.28.9-5.oe2203sp3.x86_64.rpm",
        "cups-filters-debuginfo-1.28.9-5.oe2203sp3.x86_64.rpm",
        "cups-filters-debugsource-1.28.9-5.oe2203sp3.x86_64.rpm",
        "cups-filters-devel-1.28.9-5.oe2203sp3.x86_64.rpm"
    ],
    "aarch64": [
        "cups-filters-1.28.9-5.oe2203sp3.aarch64.rpm",
        "cups-filters-debuginfo-1.28.9-5.oe2203sp3.aarch64.rpm",
        "cups-filters-debugsource-1.28.9-5.oe2203sp3.aarch64.rpm",
        "cups-filters-devel-1.28.9-5.oe2203sp3.aarch64.rpm"
    ]
}

openEuler:20.03-LTS-SP4 / cups-filters

Package

Name
cups-filters
Purl
pkg:rpm/openEuler/cups-filters&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.26.1-6.oe2003sp4

Ecosystem specific 

{
    "noarch": [
        "cups-filters-help-1.26.1-6.oe2003sp4.noarch.rpm"
    ],
    "src": [
        "cups-filters-1.26.1-6.oe2003sp4.src.rpm"
    ],
    "x86_64": [
        "cups-filters-1.26.1-6.oe2003sp4.x86_64.rpm",
        "cups-filters-debuginfo-1.26.1-6.oe2003sp4.x86_64.rpm",
        "cups-filters-debugsource-1.26.1-6.oe2003sp4.x86_64.rpm",
        "cups-filters-devel-1.26.1-6.oe2003sp4.x86_64.rpm"
    ],
    "aarch64": [
        "cups-filters-1.26.1-6.oe2003sp4.aarch64.rpm",
        "cups-filters-debuginfo-1.26.1-6.oe2003sp4.aarch64.rpm",
        "cups-filters-debugsource-1.26.1-6.oe2003sp4.aarch64.rpm",
        "cups-filters-devel-1.26.1-6.oe2003sp4.aarch64.rpm"
    ]
}