Commit
Default BrowseRemoteProtocols should not include "cups" protocol
Works around CVE-2024-47176, the fix will be complete removal of CUPS Browsing functionality
1debe6b
@zdohnal
only a question out of curiosity:
I did not yet try out how things behave with the patch
but from plainly looking at what the patch changes
I think it does not actually improve that cups-browsed
blindly trusts any incoming packet from any host at UDP port 631
but instead it disables by default listening on UDP port 631.
Do I understand it right?
If yes, then I think it avoids the CVE only when cups-browsed
is run with the new default setting which may not happen
after an RPM package update with a new /etc/cups/cups-browsed.conf
when the user had changed his existing /etc/cups/cups-browsed.conf
perhaps because of things like certain RPM config file handling?
@jsmeix You are correct, the current "fix" just disables CUPS browsing by default. Till still needs to rip out the LDAP and CUPS browsing code and do a new release of that...
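
The point raised in this thread, that a user-modified /etc/cups/cups-browsed.conf can keep the old setting after a package update, can be checked per host. The following is an added example, not code from this commit or from the cups-browsed project; the parsing rules (case-insensitive directive names, whitespace or comma separators, `#` comments, last directive wins, `BrowseProtocols` also setting the remote protocols) are assumptions, and the sample configs are constructed.

```python
"""Audit cups-browsed.conf text for the legacy "cups" remote browse protocol."""
import re

# Directives assumed to set the remote browse protocols. BrowseProtocols is
# assumed to set local and remote protocols together.
REMOTE_DIRECTIVES = {"browseremoteprotocols", "browseprotocols"}


def effective_remote_protocols(conf_text):
    """Return the protocol set from the last matching directive, or None when
    no directive is present (the binary's compiled-in default then applies)."""
    protocols = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        parts = re.split(r"[\s,]+", line)
        if parts[0].lower() in REMOTE_DIRECTIVES:
            # Assumption: a later directive overrides an earlier one.
            protocols = {p.lower() for p in parts[1:] if p.lower() != "none"}
    return protocols


def audit(conf_text):
    """Classify a config as 'exposed', 'ok' or 'unset'."""
    protocols = effective_remote_protocols(conf_text)
    if protocols is None:
        return "unset"  # outcome depends on the installed binary's default
    return "exposed" if "cups" in protocols else "ok"


# Constructed sample inputs, not taken from any real system or package.
OLD_USER_EDITED = "# local tweak kept across the update\nBrowseRemoteProtocols dnssd cups\n"
NEW_PACKAGED = "BrowseRemoteProtocols dnssd\n"
COMMENTED_OUT = "# BrowseRemoteProtocols dnssd cups\n"
OVERRIDDEN = "BrowseRemoteProtocols dnssd\nbrowseremoteprotocols dnssd,cups\n"

if __name__ == "__main__":
    samples = [("old user-edited", OLD_USER_EDITED),
               ("new packaged", NEW_PACKAGED),
               ("directive commented out", COMMENTED_OUT),
               ("overridden later in file", OVERRIDDEN)]
    for name, text in samples:
        print(f"{name}: {audit(text)}")
```

An "unset" result means the file does not pin the value, so whether the host is covered depends on whether the installed cups-browsed build carries the changed default.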