CVE-2014-4336
published 2014-06-22
CVE-2014-4336: The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP printers to execute arbitrary…
Priority: P430 · medium · 5.8 · CVSS 2.0
Vector: AV:A/AC:L/Au:N/C:P/I:P/A:P
EPSS: 1.06% (60.4th percentile)
The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the host name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cups-filters | < cups-filters 1.0.53-1 (bookworm) | cups-filters 1.0.53-1 (bookworm) |
| linuxfoundation | cups-filters | <= 1.0.52 | — |
| linuxfoundation | cups-filters | >= 0 < 1.0.53-1 | 1.0.53-1 |
| linuxfoundation | cups-filters | >= 0 < 1.0.53-1 | 1.0.53-1 |
| linuxfoundation | cups-filters | >= 0 < 1.0.53-1 | 1.0.53-1 |
| linuxfoundation | cups-filters | >= 0 < 1.0.53-1 | 1.0.53-1 |
CVSS provenance
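| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.8 | MEDIUM | AV:A/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 8.3 | HIGH | — |
| vendor_debian | — | 8.3 | HIGH | — |
| vendor_redhat | — | 8.3 | HIGH | — |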
Red Hat
cups-filters: incomplete fix for CVE-2014-2707
vendor_redhat·2014-04-23·CVSS 8.3
CVE-2014-4336 [HIGH] cups-filters: incomplete fix for CVE-2014-2707
Statement: Not vulnerable. This issue did not affect the versions of cups-filters as shipped with Red Hat Enterprise Linux 7.
Package: cups-filters (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2014-4336: cups-filters - The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cup...
vendor_debian·2014·CVSS 8.3
CVE-2014-4336 [HIGH] CVE-2014-4336: cups-filters - The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cup...
Scope: local
bookworm: resolved (fixed in 1.0.53-1)
bullseye: resolved (fixed in 1.0.53-1)
forky: resolved (fixed in 1.0.53-1)
sid: resolved (fixed in 1.0.53-1)
trixie: resolved (fixed in 1.0.53-1)
GHSA
GHSA-w4jh-3cpq-48pp: The generate_local_queue function in utils/cups-browsed
ghsa_unreviewed·2022-05-14·CVSS 8.3
CVE-2014-4336 [HIGH] CWE-77 GHSA-w4jh-3cpq-48pp: The generate_local_queue function in utils/cups-browsed
OSV
CVE-2014-4336: The generate_local_queue function in utils/cups-browsed
osv·2014-06-22·CVSS 8.3
CVE-2014-4336 [HIGH] CVE-2014-4336: The generate_local_queue function in utils/cups-browsed
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-4337 cups-filters: cups-browsed DoS via process_browse_data() OOB read
bugzilla·2014-06-20·CVSS 5.8
CVE-2014-4337 [MEDIUM] CVE-2014-4337 cups-filters: cups-browsed DoS via process_browse_data() OOB read
Sebastian Krahmer of SUSE reported an out of bounds read flaw in the way cups-browsed handled browse packets. A specially crafted packet could cause cups-browsed to read behind the end of the buffer that stores the incoming packet and possibly crash. The issue was fixed upstream in version 1.0.53 as part of the following commit, which also fixes CVE-2014-4336 (bug 1091565):
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194
The flaw is in process_browse_data(), which fails to properly check packet length while parsing a browse packet.
The original report in SUSE/Novell bugzilla:
https://bugzilla.novell.com/show_bug.cgi?id=871327
Discussion:
All supported Fedora versions are already
Bugzilla
CVE-2014-4336 cups-filters: incomplete fix for CVE-2014-2707
bugzilla·2014-04-25·CVSS 8.3
CVE-2014-4336 [HIGH] CVE-2014-4336 cups-filters: incomplete fix for CVE-2014-2707
According to Sebastian Krahmer, the initial fix for CVE-2014-2707 (bug #1083326) is incomplete:
"
This issue was reported as fixed in 1.0.51:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7188
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7189
but it was found that the fix was incomplete with the full fix in 1.0.53:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194
"
The CVE-2014-2707 flaw is regarding the cups-browsed daemon being manipulated to execute arbitrary commands via malicious broadcast packets.
Discussion:
Created cups-filters tracking bugs for this issue:
Affects: fedora-all [bug 1091569]
---
cups-filters-1.0.53-1.fc
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194
http://openwall.com/lists/oss-security/2014/04/25/7
http://openwall.com/lists/oss-security/2014/06/19/12
Published: 2014-06-22