Wtf???? "All GNU/Linux"???? This guy made me think Linus personally had to descend to Kernel-land and fix perhaps the most horrendous memory bug in existence. But no, surely CUPS IS ON EVERY MACHINE, RIGHT??????????
Fuck you to whoever blew this out of proportion.
I had a moment of actual laughter.
I was expecting a kernel issue handling networking connections or SSH or who the fuck knows but... cups?
Printers, they ruin everything.
Loads of complex code exposed to an assumed trusted network is the model of printers. They’re going to be full of security issues.
This stuff should be sandboxed and then never, ever exposed to the Internet.
I'm always befuddled how these things end up public on the internet. (I'm not really.)
Like, it's not like the printer is the one poking holes in your firewall while you sleep.*
*If it is, then you should feel great shame, throw away anything more complicated than a pair of dull scissors, and get a job digging holes then filling them back in.
the reporter is a real asshat, judging by their twitter.
first:
then, later:
Blue check on Twitter... Someone who's paying $10/mo to the world's richest person has an overinflated sense of importance... well... What're you gonna do?
Yep. Also claimed "it affects all GNU/Linux" while it only really does CUPS and so on.
Just alone full disclosure is a shit thing to do. Do not even mention the part where it was intended as a responsible disclosure.
Ya I was worried this was going to affect something like OpenWRT and a lot of shit was about to get fucked over. CUPS? 99.9% of people are gonna have that port closed on their router. Sure this is important to fix but a 9.9? Nah
So if Cups is properly sandboxes this is less of an issue? Still not good but not show stopping
I don't think this is 9.9 worthly
Good news, it's not a 9.9. https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities
Remember when printers were connected by a USB cable?
Also, sudo ss -tunlp to see what ports are listening on your system and which applications/services use them. (Linux)
ss -K closes dead ports
If you didn't explicitly open a port, ask why it needs to be open (listening). (25, 22, 67, 53,5353)
Make sure what you did open is opened at the right addresses. Ie localhost, 0.0.0.0, 127.0.0.1, etc for the purpose.
Use a firewall and block ALL incoming traffic.
Wasn't it supposedly affecting ALL Gnu/Linux PLUS others?
That's so weird that my GNU/Linux isn't affected by this vulnerability...
Next time that margarine is going to scream "wolf", I will take it with a grain of salt...
Source: https://nitter.poast.org/evilsocket/status/1838169889330135132
While I'm glad that there are people who do this work and certainly appreciate it. I also read his tweets and this person did seem to come off as a bit annoying. Like I get it. Security is important. However, things not moving as fast as you like is no reason to act like that.
Looks like a number of patches are landing in Ubuntu to address this: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/2082335
Update: CUPS Remote Code Execution Vulnerability Fix Available
Cups-browsed-eez nutz!
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0