I hope this goes without saying but please do not run this on machines you don’t own.

The good news:

  • the exploit seems to require user action

The bad news:

  • Device firewalls are ineffective against this

  • if someone created a malicious printer on a local network like a library they could create serious issues

  • it is hard to patch without breaking printing

  • it is very easy to create printers that look legit

  • even if you don’t hit print, the CUPS user agent can reveal lots of information. This may be blocked at the firewall

TLDR: you should be careful hitting print

  • pHr34kY@lemmy.world
    2 months ago

    CUPS facing the public internet sounds a bit crazy. Why would you print when not physically near the printer?

  • tetris11@lemmy.ml
    2 months ago

    The questionable commit:

        {
          // Add the first line of localized text...
          cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
          while (*text && *text != '\n')
          {
            // Escape ":" and "<"...
            if (*text == ':' || *text == '<')
              cupsFilePrintf(fp, "<%02X>", *text);
            else
              cupsFilePutChar(fp, *text);
            text ++;
          }
          cupsFilePuts(fp, ": \"\"\n");
        }
    

    Can someone explain to me how this allows arbitrary code execution? As far as I can see, all it does is iterate through a string and mark up some special characters.

    • somtwo@lemmy.world
      2 months ago

      From what I understand, this allows arbitrary command execution. So, an attacker can specify a string of text that something on the affected system will just plop into a command line and execute.

    • Tyoda@lemm.ee
      2 months ago

      Any self-respecting distro pushed an update to fix this days ago, so just updating (and restarting cups) will do. But if you don’t print anyway, you might as well disable it.
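An added example, not part of the thread: a check for whether anything on the IPP port (631) is reachable from outside the machine, the exposure raised above and the thing to confirm after updating or disabling CUPS. It assumes the iproute2 `ss -H -tuln` column layout; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sockets on the IPP port (631) bound to a non-loopback
# address. Reads `ss -H -tuln` output on stdin; assumes the iproute2 column
# order Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.

exposed_ipp_listeners() {
    awk '
    {
        local_addr = $5
        # Split at the last colon so bracketed IPv6 addresses stay intact.
        if (!match(local_addr, /:[0-9]+$/)) next
        port = substr(local_addr, RSTART + 1)
        addr = substr(local_addr, 1, RSTART - 1)
        if (port != "631") next
        sub(/%.*$/, "", addr)              # drop an interface suffix such as %lo
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        print $1, addr ":" port
    }'
}

# Constructed sample input (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 [::1]:631 [::]:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
EOF
}

# On a live host: ss -H -tuln | exposed_ipp_listeners
sample_ss_output | exposed_ipp_listeners
```

Empty output means port 631 is either closed or bound to loopback only; any line printed is a listener other hosts on the network can reach.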

  • penquin@lemm.ee
    2 months ago

    Man, this is such a silly and unfortunate exploit. Damn! I hope it gets patched quick.