SB2026040206 - Multiple vulnerabilities in OpenPrinting cups
Published: April 2, 2026
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2026-34978)
The vulnerability allows a remote attacker to overwrite arbitrary files within the CUPS CacheDir, including critical state files such as job.cache.
The vulnerability exists due to improper path validation in the RSS notifier component when processing attacker-controlled notify-recipient-uri values in IPP subscription requests. A remote attacker can send a specially crafted IPP request with a notify-recipient-uri containing directory traversal sequences (e.g., "rss:///../job.cache") to overwrite files outside the intended CacheDir/rss directory, leading to integrity and availability impacts.
The vulnerability specifically affects systems where the RSS notifier is enabled and untrusted clients can submit IPP Print-Job or Create-Printer-Subscription requests with subscription attributes. The default configuration with group-writable CacheDir (root:lp, 0770) enables overwriting of root-managed files via atomic rename operations performed by the lp-running notifier.
2) Incorrect authorization (CVE-ID: CVE-2026-27447)
The vulnerability allows a remote user to gain unauthorized access to restricted operations.
The vulnerability exists due to improper access control in the CUPS daemon (cupsd) when performing authorization checks. A remote privileged user can exploit case-insensitive username comparison during group-member lookup to gain unauthorized access to restricted operations.
User interaction is required to exploit this vulnerability.
3) Improper input validation (CVE-ID: CVE-2026-34980)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in CUPS PostScript queue processing when handling Print-Job requests with crafted page-border attributes. A remote attacker can send a specially crafted Print-Job request containing a newline-injected page-border value to cause a PPD configuration injection, leading to arbitrary filter execution as the lp user.
The affected system must have a shared PostScript queue enabled and be exposed to the network. The attacker does not require authentication or prior privileges.
4) Heap-based buffer overflow (CVE-ID: CVE-2026-34979)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the CUPS scheduler when processing IPP job attributes. A remote attacker can send a specially crafted IPP request with large URI attributes to trigger a heap-based buffer overflow in the `get_options()` function, leading to memory corruption and a crash of the `cupsd` service.
The vulnerability specifically arises because the size calculation for the options string uses `ipp_length()`, which excludes URI attributes, but the serialization process still writes URI attributes such as `job-uuid` and `job-authorization-uri` without bounds checking.
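The size mismatch described above, reduced to a small model and paired with a bounds-checked serializer. This is an added example, not CUPS source code: the `attr_t` type, the `estimate()` and `serialize_options()` functions, and the sample values are constructed for illustration and do not reproduce `get_options()` or `ipp_length()`.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a job attribute (hypothetical type, not CUPS's ipp_attribute_t). */
typedef struct { const char *name, *value; int is_uri; } attr_t;

/* Constructed sample: one plain attribute plus the two URI attributes named in the bulletin. */
static const attr_t SAMPLE[] = {
  { "copies", "2", 0 },
  { "job-uuid", "urn:uuid:constructed-0001", 1 },
  { "job-authorization-uri", "https://example.test/auth", 1 },
};
enum { SAMPLE_N = sizeof(SAMPLE) / sizeof(SAMPLE[0]) };
static char demo_buf[256];

/* Bytes needed for "name=value " per attribute plus the NUL.
   skip_uris = 1 models an estimate that leaves URI attributes out. */
static size_t estimate(const attr_t *a, size_t n, int skip_uris) {
  size_t len = 1;
  for (size_t i = 0; i < n; i++)
    if (!(skip_uris && a[i].is_uri))
      len += strlen(a[i].name) + strlen(a[i].value) + 2;
  return len;
}

/* Bounded serializer: returns the string length, or -1 if the output would not fit.
   It never writes past buf[bufsize - 1], whatever estimate the caller used. */
static int serialize_options(const attr_t *a, size_t n, char *buf, size_t bufsize) {
  size_t used = 0;
  if (bufsize == 0) return -1;
  buf[0] = '\0';
  for (size_t i = 0; i < n; i++) {
    int w = snprintf(buf + used, bufsize - used, "%s=%s ", a[i].name, a[i].value);
    if (w < 0 || (size_t)w >= bufsize - used) {
      buf[used] = '\0';   /* drop the partially written attribute */
      return -1;
    }
    used += (size_t)w;
  }
  return (int)used;
}

int main(void) {
  size_t flawed = estimate(SAMPLE, SAMPLE_N, 1), full = estimate(SAMPLE, SAMPLE_N, 0);
  printf("estimate without URIs: %zu, actual need: %zu\n", flawed, full);
  printf("serialize into flawed size: %d\n", serialize_options(SAMPLE, SAMPLE_N, demo_buf, flawed));
  printf("serialize into full size: %d\n", serialize_options(SAMPLE, SAMPLE_N, demo_buf, full));
  return 0;
}
```

With the bounded writer, an undersized estimate produces an error return instead of a write past the end of the buffer.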
5) Improper input validation (CVE-ID: CVE-2026-34990)
The vulnerability allows a local user to execute arbitrary code with root privileges.
The vulnerability exists due to improper access control in CUPS when processing IPP requests for creating local printers. A local user can send a specially crafted IPP request to create a temporary printer with a file:// URI and then promote it to a shared printer, bypassing device restrictions and causing the system to write arbitrary files as root. This can lead to arbitrary code execution with root privileges.
The attacker must have the ability to send requests to localhost:631 and bind to a local port. The attack involves a race condition during printer validation, which may require multiple attempts to succeed.
Remediation
Install the update from the vendor's website.
References
- https://github.com/OpenPrinting/cups/security/advisories/GHSA-f53q-7mxp-9gcr
- https://github.com/OpenPrinting/cups/security/advisories/GHSA-v987-m8hp-phj9
- https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf
- https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh
- https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp