Re: CUPS printing system vulnerabilities

[Michael Sweet <msweet () msweet org>]

All,

For the _ppdCreateFromIPP code in cups/ppd-cache.c, the commits for CUPS 2.5 are:

    8361420cb Escape localized strings in PPDs.
    dfb947e13 Fix localization of finishing templates and general presets.
    5a4803788 PPDize preset and template names.
    bcd720b06 Refactor make-and-model code.
    96b3bdf01 Validate URIs and attribute names before putting them in the generated PPD.

The corresponding commits in the 2.4.x branch are:

    2abe1ba8a Fix warnings for unused vars.
    1e6ca5913 Quote PPD localized strings.
    e0630cd18 PPDize preset and template names.
    04bb2af45 Refactor make-and-model code.
    9939a70b7 Mirror IPP Everywhere printer changes from master.

I've attached a diff from v2.4.10 with these changes:

Attachment: ppd-cache.patch
Description:

> On Sep 26, 2024, at 8:09 PM, Zdenek Dohnal <zdohnal () redhat com> wrote:
> > ...
> > https://github.com/OpenPrinting/cups/commit/8361420cbbfa2e729545c4c537c49fc6322c9631
> >
> > "Escape localized strings in PPDs", which is similar to the last hunk in
> > "Prevent PPD generation based on invalid IPP response" CVE-2024-47175
> > libppd commit referenced by Alan above.
> >
> > Possibly unrelated to today's disclosure but also security-relevant is:
> >
> > https://github.com/OpenPrinting/cups/commit/e3467edf3be2d20a022495d9726a741e36768caf
> >
> > "Update httpConnectURI to do X.509 pinning, and use it when doing the IPP"
> >
> > Zdenek, I hope you will soon clarify which commits fix what issues, to
> > assist with distro backports.  I understand you're still busy getting
> > these in now and it's probably night time for you, so follow up when you
> > have a moment later, please.
> >
> > Thanks,
> >
> > Alexander
> -- 
> Zdenek Dohnal
> Senior Software Engineer
> Red Hat, BRQ-TPBC

________________________
Michael Sweet