Date: Thu, 1 Jun 2023 12:35:16 +0200
From: Zdenek Dohnal <>
Subject: [vs] CVE-2023-32324 heap buffer overflow in cupsd

Hi all,

there is a currently embargoed CVE-2023-32324 in the CUPS project:


A heap buffer overflow vulnerability would allow a remote attacker to 
launch a DoS attack.


A buffer overflow vulnerability in the function |format_log_line| could 
allow remote attackers to cause a denial-of-service (DoS) on the affected 
system (not verified for possible arbitrary code execution).

The vulnerability affects the commit #c0c4037 and the latest commit 
#4310a07 on the GitHub master branch as well as the latest release 
version v2.4.2. I have only tested these versions so far.

Exploitation of the vulnerability can be triggered when the 
configuration file |cupsd.conf| sets the value of |loglevel| to |DEBUG| 
if the log location is set to a file.


$ git clone
$ cd cups
$ CFLAGS="-g -fsanitize=address -fPIE" CXXFLAGS="-g -fsanitize=address -fPIE" LDFLAGS="-fsanitize=address" ./configure --with-tls=no --disable-shared

# Now compile cups
$ make -j

# Adjust conf/cupsd.conf to reproduce the crash - enable debug logging to a file and set cupsd to listen on port 8631
$ sed -i 's,LogLevel warn,LogLevel debug,' conf/cupsd.conf
$ sed -i 's,Listen localhost:631,Listen localhost:8631,' conf/cupsd.conf

Run cups and replay the crash.raw

$ sudo ./scheduler/cupsd -c conf/cupsd.conf -f
$ nc 8631 < ./crash.raw

cupsd crashes after the last command and generates the attached ASAN report.




crash.raw attached


Heap buffer overflow.


Committed as

For OpenPrinting CUPS community,

Zdenek Dohnal (CUPS 2.4.x release manager)

Zdenek Dohnal
Senior Software Engineer


View attachment "0001-Consensus-fix.patch" of type "text/x-patch" (804 bytes)

View attachment "asan_report.txt" of type "text/plain" (3254 bytes)

Download attachment "crash.raw" of type "application/octet-stream" (37881 bytes)
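
Added example (not part of the original message and not CUPS project code): a shell check that reports whether a host's CUPS configuration matches the trigger condition described in the message, i.e. LogLevel debug with the log written to a file. The function names, the lookup of ErrorLog in cups-files.conf, the treatment of debug2 and the sample configs are assumptions made for this example.

```shell
#!/bin/sh
# Print the last value given for a directive (names are matched
# case-insensitively; comment lines are skipped).
conf_value() {  # $1 = directive, $2 = config file
    [ -r "$2" ] || return 0
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { val = $2 }
        END { if (val != "") print val }' "$2"
}

# Return 0 and print a finding when debug logging goes to a file,
# return 1 otherwise.  $1 = cupsd.conf, $2 = cups-files.conf
debug_log_to_file() {
    level=$(conf_value LogLevel "$1" | tr 'A-Z' 'a-z')
    # Assumption: ErrorLog is read from cups-files.conf first, then
    # cupsd.conf; when it is unset, cupsd logs to a file by default.
    dest=$(conf_value ErrorLog "$2")
    [ -n "$dest" ] || dest=$(conf_value ErrorLog "$1")
    [ -n "$dest" ] || dest="(default error_log file)"
    case "$level" in
        debug|debug2) ;;     # debug2 is included as an assumption
        *) return 1 ;;
    esac
    case "$dest" in
        syslog|stderr) return 1 ;;   # not a file destination
    esac
    echo "exposed: LogLevel $level, ErrorLog $dest"
    return 0
}

# Constructed sample configs (not taken from the message) to run the check.
tmp=$(mktemp -d)
printf 'LogLevel debug\nListen localhost:8631\n' > "$tmp/cupsd.conf"
printf 'ErrorLog /var/log/cups/error_log\n' > "$tmp/cups-files.conf"
debug_log_to_file "$tmp/cupsd.conf" "$tmp/cups-files.conf" \
    || echo "not exposed"
```

On a real host, pass the paths of the installed cupsd.conf and cups-files.conf instead of the sample files.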
