diff --git a/0001-cfGetPrinterAttributes5-Validate-response-attributes.patch b/0001-cfGetPrinterAttributes5-Validate-response-attributes.patch new file mode 100644 index 0000000..98b294c --- /dev/null +++ b/0001-cfGetPrinterAttributes5-Validate-response-attributes.patch @@ -0,0 +1,67 @@ +diff --git a/backend/implicitclass.c b/backend/implicitclass.c +index 1593191..3dad471 100644 +--- a/backend/implicitclass.c ++++ b/backend/implicitclass.c +@@ -126,6 +126,14 @@ main(int argc, /* I - Number of command-line args */ + if ((response = cupsDoRequest(CUPS_HTTP_DEFAULT, request, "/")) == + NULL) + goto failed; ++ ++ if (response && !ippValidateAttributes(response)) ++ { ++ fprintf(stderr, "ERROR: The printer %s contains invalid attributes.", queue_name); ++ ippDelete(response); ++ return (CUPS_BACKEND_STOP); ++ } ++ + for (attr = ippFirstAttribute(response); attr != NULL; + attr = ippNextAttribute(response)) { + while (attr != NULL && ippGetGroupTag(attr) != IPP_TAG_PRINTER) +diff --git a/utils/cups-browsed.c b/utils/cups-browsed.c +index 2b30c63..d65fecf 100644 +--- a/utils/cups-browsed.c ++++ b/utils/cups-browsed.c +@@ -2639,6 +2639,13 @@ record_printer_options(const char *printer) { + uri); + response = cupsDoRequest(conn, request, resource); + ++ if (response && !ippValidateAttributes(response)) ++ { ++ fprintf(stderr, "The printer %s contains invalid attributes.", printer); ++ ippDelete(response); ++ return -1; ++ } ++ + /* Write all supported printer attributes */ + if (response) { + attr = ippFirstAttribute(response); +@@ -3576,6 +3583,12 @@ create_remote_printer_entry (const char *queue_name, + NULL, pattrs); + response = cupsDoRequest(http_printer, request, resource); + ++ if (response && !ippValidateAttributes(response)) ++ { ++ fprintf(stderr, "The printer %s contains invalid attributes.", p->queue_name); ++ goto fail; ++ } ++ + /* Log all printer attributes for debugging */ + if (debug_stderr || debug_logfile) { + debug_printf("Full list of IPP attributes (get-printer-attributes) for printer %s:\n", +diff --git a/utils/driverless.c b/utils/driverless.c +index fe61e58..0360bff 100644 +--- a/utils/driverless.c ++++ b/utils/driverless.c +@@ -513,6 +513,12 @@ generate_ppd (const char *uri) + NULL, pattrs); + response = cupsDoRequest(http, request, resource); + ++ if (response && !ippValidateAttributes(response)) ++ { ++ fprintf(stderr, "ERROR: The printer provides invalid attributes, skipping."); ++ goto fail; ++ } ++ + /* Log all printer attributes for debugging */ + if (debug) { + attr = ippFirstAttribute(response); diff --git a/cups-filters.spec b/cups-filters.spec index 553397e..f4e32e9 100644 --- a/cups-filters.spec +++ b/cups-filters.spec @@ -75,6 +75,8 @@ Patch19: 0001-gstoraster-Improved-detection-whether-input-is-PostS.patch Patch20: 0001-pdftopdf-Fixed-printing-multiple-copies-on-driverles.patch # CVE-2024-47175 cups-filters: remote command injection via attacker controlled data in PPD file Patch21: cups-filters-CVE-2024-47175.patch +# CVE-2024-47076 cups-filters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes +Patch22: 0001-cfGetPrinterAttributes5-Validate-response-attributes.patch %if %{with braille} @@ -254,6 +256,8 @@ The package provides filters and cups-brf backend needed for braille printing. %patch20 -p1 -b .pdftopdf-ncopies # CVE-2024-47175 cups-filters: remote command injection via attacker controlled data in PPD file %patch21 -p1 -b .CVE-2024-47175 +# CVE-2024-47076 cups-filters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes +%patch22 -p1 -b .CVE-2024-47076 %build @@ -466,6 +470,7 @@ make check %changelog * Fri Sep 27 2024 Zdenek Dohnal - 1.20.0-35 - CVE-2024-47175 cups-filters: remote command injection via attacker controlled data in PPD file +- CVE-2024-47076 cups-filters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes * Mon Feb 26 2024 Zdenek Dohnal - 1.20.0-34 - RHEL-13211 redhat-lsb unnecessary pulls in cups and avahi dependencies