Simple solution to the recent CUPS RCE issue

Just run every printer service through a dedicated lightweight VM that redirects printer IO into a safer network service. No matter how much damage they do the VM with the scripts they provide it’s still just a VM. They can have their cake and eat it without risking user safety.

I’m gonna look around and see if I can present this directly to the CUPS devs but I believe manjaro devs would get there faster than I would.

That's entirely unnecessary.

You could

  • uninstall cups-browsed
  • block udp:631
  • remove foomatic-rip

Among some other things.
It may be worth noting that at least two of the associated CVEs can be remediated by recent packages.

2 Likes

I don’t have it installed in the 1st place, but the other libs came pre-installed with the XFCE variant of manjaro as far as I’m aware because I saw them while I was checking against the listed libs that are supposedly vulnerable to the attack. I’ve also blocked UDP port 631 anyways and even added /etc/cups/cups-browsed.conf to deal with it. I’m leaving foomatic-rip in case I decide to manually install a printer that happens to use it (for hobby dev purposes). In any case a lightweight VM for each printer would introduce barely any latency and in normal circumstances only a small amount of extra memory would be in use.

Edit: btw I’ve found where to post it so don’t worry about it anymore:

For ent/smb environments that would certainly be a solution.

For private users, using a firewall to block 631 for incoming traffic is a solution - that is - if the printer is not shared.

Also keeping in mind that 99% of home users are behind a NAT so nothing is open to the internet.

I don’t know how important the foomatic printer data is - so one could simply remove that package - test if the printer works - if it does great - you have just removed the most vulnerable part of the equation.

The vast majority of private users will not be exposed to this unless they expose their laptop on the local cafè network - in that case - a firewall can be used:

sudo pacman -Syu firewalld
sudo systemctl enable --now firewalld
sudo firewall-cmd --set-default-zone drop

2 Likes
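As an added example (not from this thread, and not Manjaro or CUPS tooling): a small POSIX shell audit that checks the mitigations listed in the two replies above, namely whether cups-browsed is running, whether anything is bound to UDP 631, whether foomatic-rip is installed, and whether the firewalld default zone is restrictive. The function names and the sample `ss -lun` text are constructed; pass `--live` to read the real system instead.

```shell
#!/bin/sh
# Added example: audit the CUPS exposure surface discussed in the thread.
# Functions take command output as arguments so they can be tried on constructed
# text; run with --live to query the real system.

# Constructed `ss -lun` sample: cups-browsed bound to UDP 631 on all interfaces.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*'
# Constructed sample with no UDP 631 listener (cupsd itself uses TCP 631, not UDP).
SAMPLE_SS_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*'

# $1 is the output of `systemctl is-active cups-browsed`; succeed only on "active".
cups_browsed_active() {
    [ "$1" = "active" ]
}

# $1 is `ss -lun` text; succeed when any UDP socket's local address ends in :631
# (matches 0.0.0.0:631, *:631 and [::]:631 alike).
udp631_listening() {
    printf '%s\n' "$1" | awk '$1 == "UNCONN" && $4 ~ /:631$/ { found = 1 } END { exit !found }'
}

# Print one token per finding; an empty line means the mitigations are in place.
# $1 cups-browsed state, $2 `ss -lun` text, $3 firewalld default zone,
# $4 "yes" when foomatic-rip is installed.
audit_cups() {
    findings=""
    cups_browsed_active "$1" && findings="$findings cups-browsed-running"
    udp631_listening "$2" && findings="$findings udp631-open"
    [ "$3" != "drop" ] && [ "$3" != "block" ] && findings="$findings firewall-permissive"
    [ "$4" = "yes" ] && findings="$findings foomatic-rip-present"
    printf '%s\n' "${findings# }"
}

if [ "${1:-}" = "--live" ]; then
    # Collect real values; each tool may be absent, so fall back to safe defaults.
    state=$(systemctl is-active cups-browsed 2>/dev/null); [ -n "$state" ] || state=unknown
    sockets=$(ss -lun 2>/dev/null || true)
    zone=$(firewall-cmd --get-default-zone 2>/dev/null); [ -n "$zone" ] || zone=none
    rip=no; [ -x /usr/lib/cups/filter/foomatic-rip ] && rip=yes
    audit_cups "$state" "$sockets" "$zone" "$rip"
else
    audit_cups active "$SAMPLE_SS_EXPOSED" public yes
fi
```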

If it can exist in a network then it doesn’t matter if it’s in a cafe or at home, all it takes is for a crook to figure out how to hack their router without being caught then pass through their fake printer via the router. That’s the other reason why this CVE deserves its rating of 9.9, I would hazard a guess the reason it didn’t get a 10 is because it’s not malicious design, just ill thought out design.

If someone takes control of your router you would have much bigger issues than this CUPS vulnerability.

EDIT: In my personal opinion, the threat from this has been blown out of all proportion. How many devices have cups-browsed installed and are also directly connected to the internet with port 631 open to incoming unsolicited traffic from the WAN?

Not many, I would say.

1 Like

True but that doesn’t mean one should ignore the worst case scenario just because of a slightly better scenario. If a hacker gets control of the router then assuming they can’t utilise this or a similar method of gaining control of the user’s computer then the worst case scenario there is that they have to wait to snoop on what you send & receive. During which you could notice the router’s been hacked (even if that’s unlikely it’s still possible) and disconnect it from the computer, the internet and the power supply. After its RAM and other temporary memory have cleared you can reboot it to do a factory reset or wipe the drive and reinstall the system it had. In such a scenario the attacker would not have been able to search your computer for the data they wanted and thus the absolute worst case scenario would’ve been barely avoided.

So instead of running a firewall, instead of simply removing the scary package, instead of just disabling bad auto-add-printer features … your suggestion is that the distro adopts some sort of ‘virtual machine for every printer’ solution?

It just … makes no sense to me.

3 Likes

Well it’s a moot point now because the devs have said cups is already moving to containers, not sure if that means the same thing as a vm but it should achieve close to the same effect if it’s not. The point is that you can’t get rid of the support of scripting if you’re to support old printers so the workaround is to just make sure an attacker has no way to break into root &/or kernel to steal info they shouldn’t be able to steal (or lock the computer for a ransom).