Cups Remote Code Execution Vulnerability Fix Available

45 points by heisenbit 8 months ago

6 comments

candiddevmike 8 months ago
CUPS and all of the other "root but with chroot" daemons like Postfix use a legacy security model that will hopefully be modernized to use things like namespaces and cgroups. Hopefully this is a wake up call to start pursuing these migrations faster. Right now it's really painful to get Postfix and friends to not run as root, and the maintainers are very hostile towards enabling this behavior.
mjw1007 8 months ago
I remember Ubuntu's decision to abandon its original "no open ports in the default install" policy for the sake of zeroconf/mdns was controversial at the time.

https://wiki.ubuntu.com/ZeroConfPolicySpec https://lists.ubuntu.com/archives/ubuntu-devel/2006-July/019137.html
axoltl 8 months ago
Canonical's little jab under the "importance of coordinated disclosure" section rubs me the wrong way. They seem to be under the impression the recipient of a vulnerability report gets to set the rules, much like when a project receives a bug report. They don't. That power rests solely with the researcher, and they can do as they see fit.
cypherpunks01 8 months ago
Attacking UNIX Systems via CUPS, Part I, 2024-09-26 (linked at end of page)

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
jmclnx 8 months ago
This morning I just installed the fixed Slackware Packages for cups. It became available on Oct 1 18:00 UTC:

>(* Security fix *)

>patches/packages/cups-filters-1.28.17-x86_64-2_slack15.0.txz: Rebuilt. Mitigate security issue that could lead to a denial of service or the execution of arbitrary code. Rebuilt with --with-browseremoteprotocols=none to disable incoming connections, since this daemon has been shown to be insecure. If you actually use cups-browsed, be sure to install the new /etc/cups/cups-browsed.conf.new containing this line:

>BrowseRemoteProtocols none

>For more information, see:

>https://www.cve.org/CVERecord?id=CVE-2024-47176
4oo4 8 months ago
This is missing important info. Nowhere does it say what the fixed package versions are; this is crucial for auditing whether you are fully patched.