
The following CUPS (Common UNIX Printing System) updates have been released for Debian GNU/Linux to address an issue with IPP attributes not being properly sanitized when creating PPD files:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1187-1 cups-filters security update

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1186-1 cups-filters security update

Debian GNU/Linux 11 (Bullseye):
[SECURITY] [DLA 3905-1] cups-filters security update
[SECURITY] [DLA 3904-1] cups security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5779-1] cups security update
[SECURITY] [DSA 5778-1] cups-filters security update



[SECURITY] [DSA 5779-1] cups security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5779-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 29, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : cups
CVE ID : CVE-2024-47175

Simone Margaritelli reported that cups, the Common UNIX Printing System,
does not properly sanitize IPP attributes when creating PPD files, which
may result in the execution of arbitrary code.

For the stable distribution (bookworm), this problem has been fixed in
version 2.4.2-3+deb12u8.

We recommend that you upgrade your cups packages.

For the detailed security status of cups please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/cups

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5778-1] cups-filters security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5778-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 29, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : cups-filters
CVE ID : CVE-2024-47076 CVE-2024-47176
Debian Bug : 1082820 1082827

Simone Margaritelli reported several vulnerabilities in cups-filters.
Missing validation of IPP attributes returned from an IPP server and
multiple bugs in the cups-browsed component can result in the execution
of arbitrary commands without authentication when a print job is
started.

For the stable distribution (bookworm), these problems have been fixed in
version 1.28.17-3+deb12u1.

We recommend that you upgrade your cups-filters packages.

For the detailed security status of cups-filters please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/cups-filters

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 3905-1] cups-filters security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3905-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
September 29, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : cups-filters
Version : 1.28.7-1+deb11u3
CVE ID : CVE-2024-47076 CVE-2024-47176
Debian Bug : 1082820 1082827

Simone Margaritelli reported several vulnerabilities in cups-filters.
Missing validation of IPP attributes returned from an IPP server and
multiple bugs in the cups-browsed component can result in the execution
of arbitrary commands without authentication when a print job is
started.

For Debian 11 bullseye, these problems have been fixed in version
1.28.7-1+deb11u3.

We recommend that you upgrade your cups-filters packages.

For the detailed security status of cups-filters please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cups-filters

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3904-1] cups security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3904-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
September 29, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : cups
Version : 2.3.3op2-3+deb11u9
CVE ID : CVE-2024-47175

Simone Margaritelli reported that cups, the Common UNIX Printing System,
does not properly sanitize IPP attributes when creating PPD files, which
may result in the execution of arbitrary code.

For Debian 11 bullseye, this problem has been fixed in version
2.3.3op2-3+deb11u9.

We recommend that you upgrade your cups packages.

For the detailed security status of cups please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cups

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1187-1 cups-filters security update

Package : cups-filters
Version : 1.0.61-5+deb8u5 (jessie)

Related CVEs :
CVE-2024-47176

Simone Margaritelli reported an issue in cups-filters.
Multiple bugs in the cups-browsed component can result in the execution
of arbitrary commands without authentication when a print job is
started.
(Jessie is only affected by CVE-2024-47176; the code for CVE-2024-47076 is not available)



ELA-1186-1 cups-filters security update

Package : cups-filters
Version : 1.11.6-3+deb9u3 (stretch), 1.21.6-5+deb10u2 (buster)

Related CVEs :
CVE-2024-47076
CVE-2024-47176

Simone Margaritelli reported several vulnerabilities in cups-filters.
Missing validation of IPP attributes returned from an IPP server and
multiple bugs in the cups-browsed component can result in the execution
of arbitrary commands without authentication when a print job is
started.
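
Checking hosts against the fixed versions listed in these advisories requires Debian's version ordering, not string comparison: 1.28.7 sorts before 1.28.17, and deb11u10 after deb11u9. The following is an added example, not part of the advisories or of Debian's tooling; it reimplements that ordering in Python and audits a constructed inventory whose host names and installed versions are made up.

```python
import re
from itertools import zip_longest

# Fixed versions as stated in the advisories above.
FIXED = {
    "cups": {"bookworm": "2.4.2-3+deb12u8", "bullseye": "2.3.3op2-3+deb11u9"},
    "cups-filters": {"bookworm": "1.28.17-3+deb12u1", "bullseye": "1.28.7-1+deb11u3",
                     "buster": "1.21.6-5+deb10u2", "stretch": "1.11.6-3+deb9u3",
                     "jessie": "1.0.61-5+deb8u5"},
}

def _order(c):
    # '~' sorts before end-of-string (0); letters sort before other punctuation.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate between non-digit runs (character order) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(map(_order, na), map(_order, nb), fillvalue=0):
            if ca != cb:
                return -1 if ca < cb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):  # [epoch:]upstream[-revision]
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return (int(epoch), upstream, rev) if sep else (int(epoch), rest, "")

def deb_cmp(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(inventory):
    # Entries whose installed version sorts below the advisory's fixed version.
    return [(host, pkg, ver) for host, rel, pkg, ver in inventory
            if rel in FIXED.get(pkg, {}) and deb_cmp(ver, FIXED[pkg][rel]) < 0]

# Constructed inventory rows: (host, release, package, installed version).
INVENTORY = [
    ("print01", "bookworm", "cups", "2.4.2-3+deb12u7"),
    ("lab07", "bullseye", "cups", "2.3.3op2-3+deb11u10"),
    ("old02", "buster", "cups-filters", "1.21.6-5"),
]
```

On a Debian host itself, `dpkg --compare-versions` performs the same comparison.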
