OpenPrinting CUPS Path Traversal Vulnerability in RSS Notifier Allows Arbitrary File Overwrite

Vulnerability

A path traversal vulnerability has been identified in OpenPrinting CUPS versions through 2.4.16, specifically in the RSS notifier's handling of the 'notify-recipient-uri' parameter. It allows a remote IPP client to write RSS XML data to locations outside the designated CacheDir/rss directory, taking advantage of the fact that CacheDir is group-writable by default. The notifier, which runs as the 'lp' user, can overwrite root-managed state files because it writes a temporary file and then renames it over the target. Exploiting this vulnerability clobbers the CacheDir/job.cache file, causing the CUPS scheduler to fail to parse the job cache and resulting in the loss of previously queued jobs.
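A lexical containment check for rss: recipient URIs, given here as an added example for auditing subscriptions (it is not CUPS code and not the project's fix). It assumes the notifier maps the URI path to a file under CacheDir/rss and that CacheDir is /var/cache/cups; the function names and sample URIs are constructed.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Assumption: default Linux CacheDir; use the value from cups-files.conf.
CACHE_DIR = "/var/cache/cups"

def resolve_rss_recipient(uri, cache_dir=CACHE_DIR):
    """Return (target_path, contained) for an rss: URI, or None for other schemes.

    Assumption: the URI path is appended to <CacheDir>/rss to name the feed file.
    The check is lexical only; it does not follow symlinks on disk.
    """
    parts = urlsplit(uri)
    if parts.scheme != "rss":
        return None
    rss_root = posixpath.join(cache_dir, "rss")
    # Decode percent-escapes first so "%2e%2e" is normalised like "..".
    rel = unquote(parts.path).lstrip("/")
    target = posixpath.normpath(posixpath.join(rss_root, rel))
    inside = posixpath.commonpath([rss_root, target]) == rss_root
    # The feed must be a file below rss/, not the rss directory itself.
    return target, inside and target != rss_root

def audit(uris, cache_dir=CACHE_DIR):
    """Return (uri, target_path) for every rss: recipient that leaves CacheDir/rss."""
    findings = []
    for uri in uris:
        result = resolve_rss_recipient(uri, cache_dir)
        if result is not None and not result[1]:
            findings.append((uri, result[0]))
    return findings

# Constructed sample recipients, e.g. as collected from subscription listings.
SAMPLE_URIS = [
    "rss:///printers.rss",
    "rss:///feeds/../status.rss",
    "rss:///../job.cache",
    "rss:///%2e%2e/job.cache",
    "mailto:ops@example.com",
]

if __name__ == "__main__":
    for uri, target in audit(SAMPLE_URIS):
        print(f"ESCAPES CacheDir/rss: {uri} -> {target}")
```

A recipient whose path contains ".." but still resolves below rss/ is reported as contained, so the check flags only URIs that actually leave the directory.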

Impact

Exploitation allows arbitrary file overwrite through path traversal, specifically of files managed by the root user. This can cause significant integrity issues by corrupting essential CUPS state files such as job.cache, which is crucial for managing print job queues. There is also a low availability impact: the loss of job.cache data causes queued jobs to disappear and produces parse errors in the CUPS scheduler. A more severe denial of service could be achieved by repeatedly creating files to exhaust disk space or inodes.

Reproduction

The vulnerability can be reproduced by sending an IPP 'Print-Job' request that includes a subscription with a 'notify-recipient-uri' pointing to a crafted RSS URI that traverses out of the intended directory. This can be done using the 'ipptool' command-line utility, which is part of the CUPS distribution. After the job is processed, the CUPS job.cache file will be overwritten with RSS XML data, and upon restarting the CUPS daemon, the scheduler will encounter errors and fail to recognize previously queued jobs.

Added: Apr 3, 2026, 10:26 PM
Updated: Apr 3, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.