oss-sec mailing list archives

CVE-2025-58364 cups: Remote DoS via null dereference


From: Zdenek Dohnal <zdohnal () redhat com>
Date: Thu, 11 Sep 2025 15:05:53 +0200

Hi all!

There is a moderate (CVSS base metrics 6.5) security vulnerability found in the CUPS project in the `ipp_read_io()` function.


   Description


     Summary

Unsafe deserialization and validation of printer attributes causes a null dereference in the libcups library.


     Details

The combination of:

    request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
    response = cupsDoRequest(http_xyz, request, resource);
    ippValidateAttributes(response);

Is shown in two places in OpenPrinting:

    cups/scheduler/ipp.c
    libcupsfilters/cupsfilters/ipp.c

Due to a logic error in |ipp_read_io()|, which is called internally by |cupsDoRequest()|, |ippValidateAttributes()| has a null dereference. The null dereference happens in these lines:

    for (ptr = attr->values[i].string.text; *ptr; ptr ++)

This can happen if an attacker responds with a crafted printer attributes response.


     PoC

If you want to reproduce it locally, and to debug it more easily, you can use local_poc.zip. Compile this binary, which uses the flow of |ipp_read_io()| and |ippValidateAttributes()| to reproduce the bug; it will crash once run.


     Impact

This is a remote DoS vulnerability available in the local subnet in default configurations. It can cause cups and cups-browsed to crash on all the machines in the local network that are listening for printers (so by default for all regular Linux machines).

On systems where the vulnerability CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was not fixed, and the firewall on the machine does not reject incoming communication to the IPP port, and the machine is set to be available to the public internet, the attack vector "Network" is possible. The current versions of the CUPS and cups-browsed projects have the attack vector "Adjacent" in their default configurations.

Metrics:


       CVSS v3 base metrics

Attack vector:        Adjacent
Attack complexity:    Low
Privileges required:  None
User interaction:     None
Scope:                Unchanged
Confidentiality:      None
Integrity:            None
Availability:         High

Credit - https://github.com/SilverPlate3

Patch

https://github.com/OpenPrinting/cups/commit/e58cba9d6f


Have a nice day!


Zdenek

--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC

Attachment: local_poc.zip
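
The loop quoted in the Details section walks a string value without checking that the pointer is non-NULL. As an added illustration (not code from the advisory, from CUPS, or from the linked patch), the sketch below shows the same kind of text validation with that guard in place; the `demo_attr_t` type, the `demo_*` names, the sample values and the simplified character check are all assumptions made for this example.

```c
#include <stddef.h>

/* Hypothetical, simplified stand-in for a string-valued IPP attribute.
   These are not the libcups types. */
typedef struct {
    const char  *name;
    size_t       num_values;
    const char **texts;     /* texts[i] may be NULL after a bad decode */
} demo_attr_t;

/* Returns 1 if every value is a non-NULL string free of control
   characters (tab, LF and CR are allowed), 0 otherwise. */
int demo_validate_text(const demo_attr_t *attr)
{
    if (attr == NULL || (attr->num_values > 0 && attr->texts == NULL))
        return 0;

    for (size_t i = 0; i < attr->num_values; i++) {
        const unsigned char *ptr = (const unsigned char *)attr->texts[i];

        /* The guard: without it, the loop below dereferences NULL. */
        if (ptr == NULL)
            return 0;

        for (; *ptr; ptr++) {
            if ((*ptr < ' ' && *ptr != '\t' && *ptr != '\n' && *ptr != '\r')
                || *ptr == 0x7f)
                return 0;
        }
    }
    return 1;
}

/* Constructed sample inputs. */
static const char *good_vals[] = { "Office printer", "2nd floor" };
static const char *null_vals[] = { "Office printer", NULL };
static const char *ctrl_vals[] = { "bad\001name" };

const demo_attr_t demo_good = { "printer-info", 2, good_vals };
const demo_attr_t demo_null = { "printer-info", 2, null_vals };
const demo_attr_t demo_ctrl = { "printer-info", 1, ctrl_vals };

int main(void)
{
    /* Exit status 0 when all three cases behave as expected. */
    return (demo_validate_text(&demo_good) == 1 &&
            demo_validate_text(&demo_null) == 0 &&
            demo_validate_text(&demo_ctrl) == 0) ? 0 : 1;
}
```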