CVE-2023-4504 – OpenPrinting CUPS/libppd Postscript Parsing Heap Overflow
https://notcve.org/view.php?id=CVE-2023-4504
Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023. Debido a un error al validar la longitud proporcionada por un documento PPD PostScript creado por un atacante, CUPS y libppd son susceptibles a un desbordamiento del búfer y posiblemente a la ejecución de código. Este problema se solucionó en la versión 2.4.7 de CUPS, lanzada en septiembre de 2023. • https://github.com/OpenPrinting/cups/releases/tag/v2.4.7 https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h https://github.com/OpenPrinting/libppd/security/advisories/GHSA-4f65-6ph5-qwh6 https://lists.debian.org/debian-lts-announce/2023/09/msg00041.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WHEJIYMMAIXU2EC35MGTB5LGGO2FFJE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WVS4I7JG3LISFPKTM6ADKJXXEPEEWBQ • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2023-34241 – CUPS vulnerable to use-after-free in cupsdAcceptClient()
https://notcve.org/view.php?id=CVE-2023-34241
OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process. The exact cause of this issue is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`. Version 2.4.6 has a patch for this issue. • http://www.openwall.com/lists/oss-security/2023/06/23/10 http://www.openwall.com/lists/oss-security/2023/06/26/1 https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2 https://github.com/OpenPrinting/cups/releases/tag/v2.4.6 https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25 https://lists.debian.org/debian-lts-announce/2023/06/msg00038.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7I7DWGYGE • CWE-416: Use After Free •
CVE-2023-34095 – cpdb-libs vulnerable to buffer overflows via scanf
https://notcve.org/view.php?id=CVE-2023-34095
cpdb-libs provides frontend and backend libraries for the Common Printing Dialog Backends (CPDB) project. In versions 1.0 through 2.0b4, cpdb-libs is vulnerable to buffer overflows via improper use of `scanf(3)`. cpdb-libs uses the `fscanf()` and `scanf()` functions to parse command lines and configuration files, dropping the read string components into fixed-length buffers, but does not limit the length of the strings to be read by `fscanf()` and `scanf()` causing buffer overflows when a string is longer than 1023 characters. A patch for this issue is available at commit f181bd1f14757c2ae0f17cc76dc20421a40f30b7. As all buffers have a length of 1024 characters, the patch limits the maximum string length to be read to 1023 by replacing all occurrences of `%s` with `%1023s` in all calls of the `fscanf()` and `scanf()` functions. • http://www.openwall.com/lists/oss-security/2023/06/14/7 https://github.com/OpenPrinting/cpdb-libs/blob/85555fba64d34f53a2fce099b0488904cc48ed35/cpdb/cpdb-frontend.c#L372 https://github.com/OpenPrinting/cpdb-libs/blob/85555fba64d34f53a2fce099b0488904cc48ed35/tools/cpdb-text-frontend.c#L362 https://github.com/OpenPrinting/cpdb-libs/blob/85555fba64d34f53a2fce099b0488904cc48ed35/tools/cpdb-text-frontend.c#L453 https://github.com/OpenPrinting/cpdb-libs/commit/f181bd1f14757c2ae0f17cc76dc20421a40f30b7 https://github.com/OpenPrinting/cpdb-libs/sec • CWE-121: Stack-based Buffer Overflow •
CVE-2023-32324 – OpenPrinting CUPS vulnerable to heap buffer overflow
https://notcve.org/view.php?id=CVE-2023-32324
OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication. • https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7 https://lists.debian.org/debian-lts-announce/2023/06/msg00001.html https://access.redhat.com/security/cve/CVE-2023-32324 https://bugzilla.redhat.com/show_bug.cgi?id=2209603 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2022-26691 – cups: authorization bypass when using "local" authorization
https://notcve.org/view.php?id=CVE-2022-26691
A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. An application may be able to gain elevated privileges. Se abordó un problema de lógica con una administración de estados mejorada. Este problema es corregido en Security Update 2022-003 Catalina, macOS Monterey versión 12.3, macOS Big Sur versión 11.6.5. • https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0026/MNDT-2022-0026.md https://lists.debian.org/debian-lts-announce/2022/05/msg00039.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQ6TD7F3VRITPEHFDHZHK7MU6FEBMZ5U https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQRIT4H75XV6M42K7ZTARWZ7YLLYQHPO https://support.apple.com/en-us/H • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-697: Incorrect Comparison •