Vulnerability CVE-2023-4504: Information

Description

Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.

Severity: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-4504

Published: Sept. 22, 2023

Modified: Nov. 9, 2023

Error type identifier: CWE-787

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
cups	sisyphus	2.4.7-alt1	2.4.8-alt1	ALT-PU-2023-5990-2	330606	Fixed
cups	sisyphus_e2k	2.4.7-alt1	2.4.8-alt1	ALT-PU-2023-6047-1	-	Fixed
cups	sisyphus_riscv64	2.4.7-alt1	2.4.8-alt1	ALT-PU-2023-6064-1	-	Fixed
cups	p10	2.4.7-alt2	2.4.7-alt2	ALT-PU-2023-6721-2	333093	Fixed
cups	p10_e2k	2.4.7-alt2	2.4.7-alt2	ALT-PU-2023-7157-1	-	Fixed
cups	c10f1	2.4.7-alt2	2.4.7-alt2	ALT-PU-2024-4621-3	343721	Fixed
cups	c9f2	2.4.7-alt1	2.4.7-alt1	ALT-PU-2023-6178-3	331117	Fixed
libppd	sisyphus	2.0.0-alt1	2.0.0-alt1	ALT-PU-2023-5988-2	330587	Fixed
libppd	sisyphus_e2k	2.0.0-alt1	2.0.0-alt1	ALT-PU-2023-6037-1	-	Fixed
libppd	sisyphus_riscv64	2.0.0-alt1	2.0.0-alt1	ALT-PU-2023-6062-1	-	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://github.com/OpenPrinting/libppd/security/advisories/GHSA-4f65-6ph5-qwh6	Exploit Vendor Advisory
https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h	Exploit Vendor Advisory
https://takeonme.org/cves/CVE-2023-4504.html	Exploit
https://github.com/OpenPrinting/cups/releases/tag/v2.4.7	Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WVS4I7JG3LISFPKTM6ADKJXXEPEEWBQ/	Mailing List Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WHEJIYMMAIXU2EC35MGTB5LGGO2FFJE/	Mailing List Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AMYDKIE4PSJDEMC5OWNFCDMHFGLJ57XG/	Mailing List Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2GSPQAFK2Z6L57TRXEKZDF42K2EVBH7/	Mailing List Release Notes
https://lists.debian.org/debian-lts-announce/2023/09/msg00041.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXPVADB56NMLJWG4IZ3OZBNJ2ZOLPQJ6/	Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*
  End excliding
  2.4.7
  cpe:2.3:a:openprinting:libppd:2.0:rc2:*:*:*:linux:*:*
  
  Configuration 2
  cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Version: v24.5.1

Vulnerability CVE-2023-4504: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3