| 26 Sep 2024 |
 tgerbet | Hum BrowseRemoteProtocols is supposed to default on dnssd cups by default | 20:42:11 |
| tgerbet | But yeah | 20:43:15 |
 Lily Foster | In reply to @tgerbet:matrix.org
Hum BrowseRemoteProtocols is supposed to default on dnssd cups by default Nope, not if you don't supply their default .conf file (which would do that on most distros): https://github.com/OpenPrinting/cups-browsed/blob/c12b9cf5a906ab16971f5d060f291f9a58edadac/daemon/cups-browsed.c#L472 | 20:44:01 |
| tgerbet | Amazing | 20:44:41 |
| tgerbet | Ok so at least we do not have the entry point of the current exploit enabled by default | 20:45:55 |
| Lily Foster | (https://github.com/OpenPrinting/cups-browsed/blob/c12b9cf5a906ab16971f5d060f291f9a58edadac/configure.ac#L188 and https://github.com/OpenPrinting/cups-browsed/blob/c12b9cf5a906ab16971f5d060f291f9a58edadac/daemon/cups-browsed.conf.in#L41 for reference to the .conf default. technically we're still packaging it from cups-filters rather than that new repo, but same deal) | 20:45:56 |
| tgerbet | So we only have the LAN issue for which the exploit has not yet been released | 20:48:51 |
 f0x | it's most likely a very similar exploit, where instead of cups-browsed receiving an UDP package causing it to HTTP lookup a new printer, there's just a fake printer being advertised over mdns | 20:58:25 |
| f0x | also a detail that seems to be missing from the CVE stuff, and only in the blog post at the end, is that the foomatic-rip RCE can only be triggered by actually sending a print job to the faked printer. Which would make user interaction: none incorrect? | 21:02:56 |
| tgerbet | The exploit does not require user interaction from what I see | 21:06:18 |
| f0x | adding the printer does not, but actually causing RCE does | 21:07:05 |
| f0x | as the filter command in the generated PPD is only executed when actually printing with that printer? | 21:07:42 |
|  p14 joined the room. | 21:07:57 |
| f0x | hmm, although there is a mention that this printer injection path can overwrite existing printers | 21:08:25 |
| f0x | but there doesn't seem to be any evidence of that? | 21:10:25 |
| f0x | might be nice to make the cups-filter binaries that are presented to cups configurable https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/printing/cupsd.nix#L39 | 21:25:35 |
| tgerbet | https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8 | 21:34:59 |
| 27 Sep 2024 |
|  夜坂雅 joined the room. | 01:59:55 |
|  l0b0 joined the room. | 02:27:51 |
 hexa | so now that https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-rq86-c7g6-r2h8 hit | 13:12:37 |
| hexa | what do people think about defaulting to BrowseRemoteProtocols dnssd? | 13:12:48 |
| hexa | also, what is a bit sad is that our configuration is types.lines, and not in any way structured | 13:13:42 |
| tgerbet | We already default to BrowseRemoteProtocols dnssd because we do not use their default configuration file and they default to dnssd if no entry is set for BrowseRemoteProtocols | 13:17:57 |
| hexa | oh, so those defaults are out of sync, that is cute | 13:18:24 |
| tgerbet | Yes, it was part of my surprises last night 😅
That said it would be nice to only open 631/udp in the firewall when needed and not all the time | 13:20:23 |
 Sandro 🐧 | In reply to @hexa:lossy.network
also, what is a bit sad is that our configuration is types.lines, and not in any way structured probably would need to be a custom format because they allow some keywords multiple times and it looks to be order depended 🫠 | 14:47:56 |
| Sandro 🐧 | feels like Apache allow style... | 14:48:11 |
| Sandro 🐧 | * feels like Apache allow style... https://manpages.debian.org/testing/cups-browsed/cups-browsed.conf.5.en.html#:~:text=servers%20are%20accepted.-,BrowseAllow,-All%0A%0A%0A%20%20%20%20%20%20%20%20BrowseAllow%20192.168.7.20 | 14:48:19 |
| Sandro 🐧 | Does upgrading to 2.0 help? | 14:49:28 |
| Sandro 🐧 | * Does upgrading to 2.0.1 help? | 14:49:55 |
