It was reported [1] that cups-browsed fails to properly sanitise data from the network when creating IPP printer scripts. As a result, an attacker can remotely create a script containing arbitrary commands, which will be executed as the "lp" user when the associated printer is used. This is the same vulnerability reported as CVE-2014-2707 but the existing fixes rely on a string sanitisation function remove_bad_chars() which is not effective. Details: The remove_bad_chars() function in utils/cups-browsed.c uses the "j" variable as the index of the character to replace in the string to be sanitised. Consecutive bad characters cause "j" to be decremented, so can result in the bad character remaining unaffected. The variables sanitised by remove_bad_chars() include the "pdl" field from an avahi broadcast packet. This is used to create a shell script: """ snprintf(buffer, sizeof(buffer), "#!/bin/sh\n" "# System V interface script for printer %s generated by cups-browsed\n" "\n" "if [ $# -lt 5 -o $# -gt 6 ]; then\n" " echo \"ERROR: $0 job-id user title copies options [file]\" >&2\n" " exit 1\n" "fi\n" "\n" "# Read from given file\n" "if [ -n \"$6\" ]; then\n" " exec \"$0\" \"$1\" \"$2\" \"$3\" \"$4\" \"$5\" < \"$6\"\n" "fi\n" "\n" "extra_options=\"output-format=%s make-and-model=%s\"\n" "\n" "%s/filter/pdftoippprinter \"$1\" \"$2\" \"$3\" \"$4\" \"$5 $extra_options\"\n", p->name, pdl, make_model, cups_serverbin); """ The above shell script is then passed to the CUPS server. To be vulnerable, a remote host must have the "CreateIPPPrinterQueues Yes" directive in /etc/cups/cups-browsed.conf. That setting is not enabled in RHEL7 by default. Upstream commit: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7333 [1]: https://bugs.linuxfoundation.org/show_bug.cgi?id=1265
Created cups-filters tracking bugs for this issue: Affects: fedora-all [bug 1199132]
According to https://bugzilla.redhat.com/show_bug.cgi?id=1083326#c4, RHEL-7 is not vulnerable to this issue. Statement: Not vulnerable. This issue did not affect the versions of cups-filters as shipped with Red Hat Enterprise Linux 7.
cups-filters-1.0.66-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
cups-filters-1.0.66-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
cups-filters-1.0.53-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.