From: Ian Darwin <ian@darwinsys.com>
Subject: Re: Remote execution in CUPS
To: ports@openbsd.org
Date: Fri, 27 Sep 2024 11:19:47 -0400

On 9/27/24 11:05 AM, Kirill A. Korinsky wrote:
> On Fri, 27 Sep 2024 14:43:21 +0200,
> Chris Narkiewicz <hello@ezaquarii.com> wrote:
>> https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
>>
>> Is the cups in ports vulnerable as well?
> OpenBSD misses quite important pieces of this attack: cups-browsed
>
> Without it, it isn't so dramatic.
>
Cups is in ports/packages so it is not part of the base system, at all.

And we have cups-browsed in ports/packages and it is a run-depend of 
cups, so it does get installed whenever cups is installed. However, it 
is not enabled by default (you have to enable it with rcctl enable 
cups-browsed or by editing /etc/rc.conf.local), and I hope nobody is 
doing so.