Re: CUPS printing system vulnerabilities

[Alan Coopersmith <alan.coopersmith () oracle com>]

On 9/26/24 15:11, Solar Designer wrote:
> A lot of drama around the disclosure of those issues was going on for
> maybe a month now, with public tweets about the disclosure process and
> the issues affecting many distros but excluding detail on the issues
> (not even CUPS was specifically mentioned until very recently).  Per
> those tweets, the issues were communicated to some distro vendors via
> CERT/CC VINCE and a vendor planned to bring them to the distros list on
> September 30 with public disclosure on October 6.  Unfortunately, the
> information leaked prematurely and thus Simone decided on full public
> disclosure today at 20:00 UTC pre-announcing it only 2 hours in advance.

Once it was learned that the information was leaked, the vendors suggested
ending the embargo today, and both evilsocket & OpenPrinting agreed to it,
with the coordinated end at 20:00 UTC.

OpenPrinting has started publishing fixes as well now:

CVE-2024-47175: https://github.com/OpenPrinting/libppd/commit/d681747ebf
CVE-2024-47076: https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3

and a temporary workaround for CVE-2024-47176 in:
https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris