Re: cups RCE...
-
1. There's like a hundred packages linked to cups in Fedora Linux. This is why we unbundle libraries even though that's often a pain in the ass.
2. Also, good example of why not to put random IoT devices on the same network as your actual stuff.
-
@mattdm yeah. But also, join Starbucks WiFi, get implant that runs next time you try to print. 🤮 At least (I assume) that SELinux keeps this pretty contained.
-
I hope most public wifi by now isolates each device from the others.
-
Demi Marie Obenour replied to Matthew Miller
@mattdm This is squarely CUPS’s problem. cups-browsed should not be running by default, which is hopefully the case on Fedora. Securing printers is still something I have no clue how to do, sadly.
-
Matthew Miller replied to Demi Marie Obenour
cups-browsed is not on by default, but avahi is, which may provide another route to compromise.
-
Demi Marie Obenour replied to Matthew Miller
@mattdm Why is Avahi running by default? Other than CUPS, what needs it?
-
Matthew Miller replied to Demi Marie Obenour
Needs it? CUPS doesn't _need_ it, it's just a big boost for user experience. But lots of things _can_ use zeroconf -- speakers, media streaming, fileshares, even .local hostnames. You don't _need_ those either, but they're nice.