Message-ID: <74f1ad93-9e09-4a99-9e36-a04f7d78a183@redhat.com>
Date: Thu, 11 Sep 2025 15:05:53 +0200
From: Zdenek Dohnal <zdohnal@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-58364 cups: Remote DoS via null dereference
Hi all!
There is a moderate (CVSS base metrics 6.5) security vulnerability found
in the CUPS project, in the `ipp_read_io()` function.
Description
Summary
Unsafe deserialization and validation of printer attributes causes a
null dereference in the libcups library.
Details
The combination of:
    request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
    response = cupsDoRequest(http_xyz, request, resource);
    ippValidateAttributes(response);
Is shown in two places in OpenPrinting:
    cups/scheduler/ipp.c
    libcupsfilters/cupsfilters/ipp.c
Due to a logic error in |ipp_read_io()|, which is called internally by
|cupsDoRequest()|, |ippValidateAttributes()| has a null dereference.
The null dereference happens in these lines:
    for (ptr = attr->values[i].string.text; *ptr; ptr ++)
This can happen if an attacker responds with a crafted printer
attributes response.
PoC
If you want to reproduce it locally, and to debug it more easily, you can
use: local_poc.zip
Compile this binary that uses the flow of |ipp_read_io()| &
|ippValidateAttributes()| to reproduce the bug - it will crash once run.
Impact
This is a remote DoS vulnerability available in the local subnet in default
configurations. It can cause cups & cups-browsed to crash on all
the machines in the local network that are listening for printers (so by
default for all regular Linux machines).
On systems where the vulnerability CVE-2024-47176 (cups-filters
1.x/cups-browsed 2.x vulnerability) was not fixed, and the firewall on
the machine does not reject incoming communication to the IPP port, and the
machine is set to be available to the public internet, attack vector
"Network" is possible. The current versions of the CUPS and cups-browsed
projects have the attack vector "Adjacent" in their default configurations.
Metrics:
CVSS v3 base metrics
    Attack vector:       Adjacent
    Attack complexity:   Low
    Privileges required: None
    User interaction:    None
    Scope:               Unchanged
    Confidentiality:     None
    Integrity:           None
    Availability:        High
Credit - https://github.com/SilverPlate3
Patch
https://github.com/OpenPrinting/cups/commit/e58cba9d6f
Have a nice day!
Zdenek
--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC
Download attachment "local_poc.zip" of type "application/zip" (3968 bytes)
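
The failure mode described under "Details" above, as an added example that is not part of the original message and is neither CUPS code nor the upstream patch: a simplified model of a string-valued attribute whose text pointer was left NULL by the reader, with an unchecked walk beside a checked one. The type and function names (`model_attr_t`, `validate_unchecked`, `validate_checked`) and the control-character rule in the loop body are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model (assumption): mirrors only the attr->values[i].string.text
 * access pattern quoted in the advisory, not the real libcups attribute type. */
typedef struct { struct { const char *text; } string; } model_value_t;
typedef struct {
  const char   *name;
  size_t        num_values;
  model_value_t values[4];
} model_attr_t;

/* Unchecked walk: same loop header as the advisory quotes. If the reader left
 * values[i].string.text NULL, the first "*ptr" dereferences NULL. */
int validate_unchecked(const model_attr_t *attr) {
  for (size_t i = 0; i < attr->num_values; i++)
    for (const char *ptr = attr->values[i].string.text; *ptr; ptr++)
      if ((unsigned char)*ptr < ' ' || *ptr == 0x7f)
        return 0;
  return 1;
}

/* Checked walk: a NULL text pointer is a validation failure, not a crash. */
int validate_checked(const model_attr_t *attr) {
  if (!attr || attr->num_values > 4)
    return 0;
  for (size_t i = 0; i < attr->num_values; i++) {
    const char *ptr = attr->values[i].string.text;
    if (!ptr)
      return 0;                       /* reject instead of dereferencing */
    for (; *ptr; ptr++)
      if ((unsigned char)*ptr < ' ' || *ptr == 0x7f)
        return 0;                     /* control characters rejected (assumed rule) */
  }
  return 1;
}

int main(void) {
  /* Constructed sample attributes, not captured from a real printer. */
  model_attr_t good = { "printer-name", 1, { { { "lab-printer" } } } };
  model_attr_t null_text = { "printer-name", 2, { { { "ok" } }, { { NULL } } } };
  printf("good: %d\n", validate_checked(&good));
  printf("null text: %d\n", validate_checked(&null_text));
  /* validate_unchecked(&null_text) would dereference NULL and crash. */
  return 0;
}
```
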