A series of vulnerabilities have been found in cups-browsed and cups-filters allowing for unauthenticated remote code execution.
The upstream advisories are:
- CVE-2024-47176 in cups-browsed,
- CVE-2024-47175 in libppd,
- CVE-2024-47076 in libcupsfilters and
- CVE-2024-47177 in cups-filters.
The write-up from the security researcher that reported the issues: Attacking UNIX systems via CUPS, Part I.
This post serves as a way to inform the community about our progress on mitigating and fixing the issues.
Am I affected?
You are affected if you have enabled both CUPS and Avahi in your NixOS configuration through:
services.printing.enable
services.avahi.enable
You can quickly check if cups-browsed is enabled with systemctl is-enabled cups-browsed.service.
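An added example, not part of the original post: a POSIX shell check that goes one step beyond systemctl is-enabled by also reading systemctl is-active, because a unit that is disabled can still be running. The verdict words and the --check argument are assumptions of this example.

```sh
#!/bin/sh
# Added example: classify cups-browsed exposure from systemd unit state.
UNIT=cups-browsed.service

# browsed_verdict ENABLED_STATE ACTIVE_STATE
# Maps the words printed by `systemctl is-enabled` and `systemctl is-active`
# to one verdict: running, startable, disabled, masked, absent or unknown.
browsed_verdict() {
    enabled=$1
    active=$2
    # A running daemon is exposed no matter what the enablement state says.
    case "$active" in
        active|activating|reloading) echo running; return ;;
    esac
    case "$enabled" in
        masked|masked-runtime) echo masked ;;
        not-found) echo absent ;;
        disabled) echo disabled ;;
        enabled|enabled-runtime|static|indirect|alias|linked|linked-runtime|generated)
            echo startable ;;
        *) echo unknown ;;
    esac
}

# check_host: query the local systemd and print the verdict.
# Returns 0 for masked/absent, 1 for any state that is or can become active
# (including unknown), 2 when systemctl is not available.
check_host() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "systemctl not found; cannot check $UNIT" >&2
        return 2
    fi
    # Both commands exit non-zero for "disabled"/"inactive", hence `|| true`.
    enabled=$(systemctl is-enabled "$UNIT" 2>/dev/null || true)
    active=$(systemctl is-active "$UNIT" 2>/dev/null || true)
    verdict=$(browsed_verdict "${enabled:-unknown}" "${active:-unknown}")
    echo "$UNIT: is-enabled=${enabled:-none} is-active=${active:-none} -> $verdict"
    case "$verdict" in
        masked|absent) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_host
    exit $?
fi
```

Run it with --check on the host; a verdict of running or startable means the workarounds below have not taken effect yet.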
Workaround
Disable browsed entirely through its avahi dependency
If it is acceptable in your environment, you can disable services.avahi.enable, which will disable the cups-browsed service entirely.
Disable the browsed systemd service
If you need to keep Avahi, you can disable the cups-browsed systemd service specifically with:
# Keep Avahi, but stop cups-browsed from being started.
systemd.services.cups-browsed = {
  enable = false;
  unitConfig.Mask = true;
};
A new option has also been added to control browsed independently from Avahi: services.printing.browsed.enable. The option might not yet be available in your situation, see:
- NixOS unstable: nixos/printing: add option to disable browsed daemon by LeSuisse · Pull Request #344702 · NixOS/nixpkgs · GitHub (PR progress tracker)
- NixOS 24.05: [Backport release-24.05] nixos/printing: add option to disable browsed daemon by github-actions[bot] · Pull Request #344711 · NixOS/nixpkgs · GitHub (PR progress tracker)
Patches
For CVE-2024-47076 in libcupsfilters:
- NixOS unstable: cups-filters: apply patch for CVE-2024-47076 by LeSuisse · Pull Request #344748 · NixOS/nixpkgs · GitHub (PR progress tracker)
- NixOS 24.05: [Backport release-24.05] cups-filters: apply patch for CVE-2024-47076 by github-actions[bot] · Pull Request #344833 · NixOS/nixpkgs · GitHub (PR progress tracker)
For CVE-2024-47175 in libppd: