CVE-2024-47076 cups-filters: cfGetPrinterAttributes API does not perform sanitization on returned IPP attributes

Resolves: RHEL-60325

0001-cfGetPrinterAttributes5-Validate-response-attributes.patch

@@ -0,0 +1,67 @@
+diff --git a/backend/implicitclass.c b/backend/implicitclass.c
+index 1593191..3dad471 100644
+--- a/backend/implicitclass.c
++++ b/backend/implicitclass.c
+@@ -126,6 +126,14 @@ main(int  argc,				/* I - Number of command-line args */
+       if ((response = cupsDoRequest(CUPS_HTTP_DEFAULT, request, "/")) ==
+ 	  NULL)
+ 	goto failed;
++
++      if (response && !ippValidateAttributes(response))
++      {
++        fprintf(stderr, "ERROR: The printer %s contains invalid attributes.", queue_name);
++        ippDelete(response);
++        return (CUPS_BACKEND_STOP);
++      }
++
+       for (attr = ippFirstAttribute(response); attr != NULL;
+ 	   attr = ippNextAttribute(response)) {
+ 	while (attr != NULL && ippGetGroupTag(attr) != IPP_TAG_PRINTER)
+diff --git a/utils/cups-browsed.c b/utils/cups-browsed.c
+index 2b30c63..d65fecf 100644
+--- a/utils/cups-browsed.c
++++ b/utils/cups-browsed.c
+@@ -2639,6 +2639,13 @@ record_printer_options(const char *printer) {
+ 		 uri);
+     response = cupsDoRequest(conn, request, resource);
+ 
++    if (response && !ippValidateAttributes(response))
++    {
++      fprintf(stderr, "The printer %s contains invalid attributes.", printer);
++      ippDelete(response);
++      return -1;
++    }
++
+     /* Write all supported printer attributes */
+     if (response) {
+       attr = ippFirstAttribute(response);
+@@ -3576,6 +3583,12 @@ create_remote_printer_entry (const char *queue_name,
+ 		  NULL, pattrs);
+     response = cupsDoRequest(http_printer, request, resource);
+ 
++    if (response && !ippValidateAttributes(response))
++    {
++      fprintf(stderr, "The printer %s contains invalid attributes.", p->queue_name);
++      goto fail;
++    }
++
+     /* Log all printer attributes for debugging */
+     if (debug_stderr || debug_logfile) {
+       debug_printf("Full list of IPP attributes (get-printer-attributes) for printer %s:\n",
+diff --git a/utils/driverless.c b/utils/driverless.c
+index fe61e58..0360bff 100644
+--- a/utils/driverless.c
++++ b/utils/driverless.c
+@@ -513,6 +513,12 @@ generate_ppd (const char *uri)
+ 		NULL, pattrs);
+   response = cupsDoRequest(http, request, resource);
+ 
++  if (response && !ippValidateAttributes(response))
++  {
++    fprintf(stderr, "ERROR: The printer provides invalid attributes, skipping.");
++    goto fail;
++  }
++
+   /* Log all printer attributes for debugging */
+   if (debug) {
+     attr = ippFirstAttribute(response);

cups-filters.spec

@@ -75,6 +75,8 @@ Patch19: 0001-gstoraster-Improved-detection-whether-input-is-PostS.patch
 Patch20: 0001-pdftopdf-Fixed-printing-multiple-copies-on-driverles.patch
 # CVE-2024-47175 cups-filters: remote command injection via attacker controlled data in PPD file
 Patch21: cups-filters-CVE-2024-47175.patch
+# CVE-2024-47076 cups-filters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes
+Patch22: 0001-cfGetPrinterAttributes5-Validate-response-attributes.patch
 
 
 %if %{with braille}
@@ -254,6 +256,8 @@ The package provides filters and cups-brf backend needed for braille printing.
 %patch20 -p1 -b .pdftopdf-ncopies
 # CVE-2024-47175 cups-filters: remote command injection via attacker controlled data in PPD file
 %patch21 -p1 -b .CVE-2024-47175
+# CVE-2024-47076 cups-filters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes
+%patch22 -p1 -b .CVE-2024-47076
 
 
 %build
@@ -466,6 +470,7 @@ make check
 %changelog
 * Fri Sep 27 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1.20.0-35
 - CVE-2024-47175 cups-filters: remote command injection via attacker controlled data in PPD file
+- CVE-2024-47076 cups-filters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes
 
 * Mon Feb 26 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1.20.0-34
 - RHEL-13211 redhat-lsb unnecessary pulls in cups and avahi dependencies