New 9.9 vulnerability in your cups

September 27, 2024, 7:37am 1

thephatlee (Marko Jokinen) September 27, 2024, 7:46am 2

If I am not totally wrong, printer and cups services on Fedora are disabled by default, so no worry unless you enable those, and if so, block port 631 and all good for now.

frankjunior (martin luther) September 27, 2024, 7:48am 3

grumpey (Joe Walker) September 27, 2024, 8:50am 4

Espionage724 (Espionage724) September 27, 2024, 9:22am 5

Is it an issue on F41 beta? The service check on the RHEL page shows the service inactive and disabled.

espionage724@Spinesnap:~$ sudo systemctl status cups-browsed
○ cups-browsed.service - Make remote CUPS printers available locally
     Loaded: loaded (/usr/lib/systemd/system/cups-browsed.service; disabled; pr>
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: inactive (dead)

It sounds like that service would only be needed if the printer you’re trying to use advertises its own CUPS server and you want to connect to that CUPS server, instead of another protocol like IPP? I added an IPP printer through CUPS earlier and didn’t notice the service activate.

vekruse (Villy Kruse) September 27, 2024, 11:56am 6

Only if you enable cups-browsed. That is the same for every other Fedora release.

You only need cups-browsed if you want the printer to be configured automatically. When using a printer configuration tool, the tool can discover printers even without the cups-browsed.

skyeforeverblue (Luci Chappelle) September 27, 2024, 12:01pm 7

Should I be worried about this? My printer is so old it doesn’t print wirelessly at all; I have to copy files to USB and take them to the printer like a loser.

py0xc3 (Chris) September 27, 2024, 12:10pm 8

In case we still have an F39 user here who uses cups, it would be nice to test if the build for F39 is working, and then add +1 karma in bodhi: FEDORA-2024-cf6ab63871 — security update for cups, cups-browsed, & 2 more — Fedora Updates System

The F40 and F41 builds already have sufficient karma, but the one for F39 needs one more karma to formally fulfill the +3 karma criteria.

You do not need to test all the BZ# stuff, just test if it generally works and does what cups is supposed to do, and then add karma +1.

vekruse (Villy Kruse) September 27, 2024, 2:42pm 9

It is not about your printer, but about the cups-browsed daemon on your system. In your case, you could turn off all cups-related services and all is good.

gnwiii (George N. White III) September 27, 2024, 2:52pm 10

Multiple Fedora users have posted topics requesting help configuring CUPS printing via legacy PPDs even though many of the printers involved do support IPP. It would be useful to have some way to recommend using IPP for models that support it (including cases where an IPP printer is connected via USB). There is the OpenPrinting Printer List, from a decade ago, but it could be updated to include new printers, with fields for IPP and ipp-usb.

vekruse (Villy Kruse) September 27, 2024, 3:04pm 11

You can check for Mopria certified printers. How reliable that is, I don’t know, but Mopria compliance means that it supports IPP Everywhere. Similar for AirPrint certified printers.

The respective websites from the printer companies hardly ever say anything about whether IPP Everywhere is supported.

Espionage724 (Espionage724) September 27, 2024, 5:27pm 12

I vaguely recall some Fedora releases automatically picking up my printer without going through CUPS; I found that kind of annoying (it auto-added with odd settings and I’d delete it and re-add it) but I haven’t noticed that on F39-F41 beta.

frankjunior (martin luther) September 28, 2024, 3:41am 14

Update your cup if you are in f41
F40

py0xc3 (Chris) September 28, 2024, 10:13am 15

Now also F39 🙂 Every supported release can now update to a fixed version.

vekruse (Villy Kruse) September 30, 2024, 8:41am 16

Message from the cups developers
https://openprinting.github.io/OpenPrinting-News-Flash-cups-browsed-Remote-Code-Execution-vulnerability/

With the update from Fedora, cups-browsed will effectively be disabled. If you try to start it, it will stop as there is nothing it can do. For most people that won’t be an issue as cups-browsed is disabled by default out of the box.
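
The two checks discussed in this thread (is cups-browsed running, and is port 631 reachable from outside the machine) can be combined into one script. This is an added example, not part of any post above; the function names and the sample `ss` output are constructed, and it assumes the listener of interest is the UDP socket that cups-browsed binds on port 631.

```shell
#!/bin/sh
# Added example: classify cups-browsed exposure from captured command output.
# Function names are hypothetical; they are not part of CUPS or Fedora.

# Constructed sample of `ss -H -lun` output (not taken from a real host).
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 [::1]:323 [::]:*'

# Print every non-loopback local address bound to port 631.
# $1 = output of `ss -H -lun` (UDP listeners, numeric, no header).
# The column layout of ss varies with the options used, so the first
# field ending in ":631" is taken as the local address.
exposed_631() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:631$/) {
                if ($i !~ /^(127\.|\[::1\])/) print $i
                break
            }
    }'
}

# $1 = output of `systemctl is-active cups-browsed`
# $2 = output of `ss -H -lun`
assess() {
    listeners=$(exposed_631 "$2")
    case "$1" in
        active)
            if [ -n "$listeners" ]; then
                echo "EXPOSED"                     # stop the unit or firewall 631
            else
                echo "ACTIVE_NO_EXTERNAL_LISTENER" # running, nothing bound off-loopback
            fi ;;
        *)
            echo "NOT_RUNNING" ;;                  # inactive, failed, unknown, ...
    esac
}

# On a real host:
#   assess "$(systemctl is-active cups-browsed)" "$(ss -H -lun)"
```
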