Re: [Buildroot] [PATCH 1/1] package/cups-filters: fix CVE-2023-24805

From: Peter Korsgaard <peter@korsgaard.com>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Angelo Compagnucci <angelo.compagnucci@gmail.com>,
	Olivier Schonken <olivier.schonken@gmail.com>,
	buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/cups-filters: fix CVE-2023-24805
Date: Thu, 09 Nov 2023 12:17:49 +0100	[thread overview]
Message-ID: <87zfznnpk2.fsf@48ers.dk> (raw)
In-Reply-To: <20231001191522.1799946-1-fontaine.fabrice@gmail.com> (Fabrice Fontaine's message of "Sun, 1 Oct 2023 21:15:22 +0200")

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2023-24805: cups-filters contains backends, filters, and other
 > software required to get the cups printing service working on operating
 > systems other than macos. If you use the Backend Error Handler (beh) to
 > create an accessible network printer, this security vulnerability can
 > cause remote code execution. `beh.c` contains the line `retval =
 > system(cmdline) >> 8;` which calls the `system` command with the operand
 > `cmdline`. `cmdline` contains multiple user controlled, unsanitized
 > values. As a result an attacker with network access to the hosted print
 > server can exploit this vulnerability to inject system commands which
 > are executed in the context of the running server. This issue has been
 > addressed in commit `8f2740357` and is expected to be bundled in the
 > next release. Users are advised to upgrade when possible and to restrict
 > access to network printers in the meantime.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2023.02.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot