CVE-2017-18248

Published: 26 March 2018

The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs with an invalid username, related to a D-Bus notification.

Priority

CVSS 3 base score: 5.3

Status

Package	Release	Status
cups Launchpad, Ubuntu, Debian	artful	Released (2.2.4-7ubuntu3.1)
	bionic	Not vulnerable (2.2.6-5)
	precise	Does not exist
	trusty	Does not exist (trusty was released [1.7.2-0ubuntu1.10])
	upstream	Released (2.2.6-1)
	xenial	Released (2.1.3-4ubuntu0.5)
	Patches: upstream: https://github.com/apple/cups/commit/49fa4983f25b64ec29d548ffa3b9782426007df3

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18248
https://github.com/apple/cups/releases/tag/v2.2.6
https://security.cucumberlinux.com/security/details.php?id=346
https://ubuntu.com/security/notices/USN-3713-1
NVD
Launchpad
Debian

Bugs

https://github.com/apple/cups/issues/5143

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›