CVE-2024-47175

libppd's ppdCreatePPDFromIPP2 function does not sanitize IPP attributes when creating the PPD buffer

CVSS 8.6 HIGH · EPSS 73.1% · CWE-20
In short

A function in libppd does not sanitize printer attributes when converting IPP data to PPD format, allowing attackers to inject malicious content that could lead to code execution through the Foomatic printing system.

Technical detail

The ppdCreatePPDFromIPP2 function in libppd does not properly validate or sanitize IPP (Internet Printing Protocol) attributes before incorporating them into the PPD buffer it outputs. When it is combined with functions like cfGetPrinterAttributes5, user-controlled input can reach Foomatic rendering, enabling arbitrary code execution. This is a critical component in the CVE-2024-47176 exploit chain.
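
The missing step, sanitizing an attribute string before it is written into a quoted PPD value, can be sketched as follows. This is an added example, not libppd's code or its actual fix: ppd_sanitize_value, the emit_* functions and the sample string are hypothetical, and *NickName is used only as a representative PPD keyword.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libppd function): copy an untrusted IPP string so
 * it is safe inside a PPD quoted value. Double quotes and control characters
 * (CR/LF included) are dropped. Returns the number of bytes dropped. */
static size_t ppd_sanitize_value(char *dst, size_t dstsize, const char *src) {
    size_t n = 0, dropped = 0;
    if (dstsize == 0) return 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        /* Drop unsafe bytes, and anything that no longer fits in dst. */
        if (c == '"' || c < 0x20 || c == 0x7f || n + 1 >= dstsize) { dropped++; continue; }
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return dropped;
}

/* Unsafe pattern: attribute text formatted straight into the PPD buffer. */
static int emit_unsanitized(char *out, size_t outsize, const char *value) {
    return snprintf(out, outsize, "*NickName: \"%s\"\n", value);
}

/* Hardened pattern: sanitize first, then format. */
static int emit_sanitized(char *out, size_t outsize, const char *value) {
    char clean[256];
    ppd_sanitize_value(clean, sizeof(clean), value);
    return snprintf(out, outsize, "*NickName: \"%s\"\n", clean);
}

/* Number of PPD lines in buf; one attribute should yield exactly one. */
static int count_lines(const char *buf) {
    int lines = 0;
    for (; *buf; buf++) lines += (*buf == '\n');
    return lines;
}

int main(void) {
    /* Constructed input: a value carrying a quote and a newline. */
    const char *attr = "Acme 100\"\n*Extra: \"x";
    char buf[512];
    emit_unsanitized(buf, sizeof(buf), attr);
    printf("unsanitized: %d lines\n%s", count_lines(buf), buf);
    emit_sanitized(buf, sizeof(buf), attr);
    printf("sanitized: %d line\n%s", count_lines(buf), buf);
    return 0;
}
```

With the unsanitized path, one attribute value produces two PPD lines; with the sanitized path it stays a single quoted value.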

Summary generated and translated by AI from the official description.
CUPS is a standards-based, open-source printing system, and `libppd` can be used for legacy PPD file support. The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, it can result in user-controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Affected products
OpenPrinting · libppd
