OpenPrinting CUPS Integer Underflow Vulnerability Leading to Denial-of-Service

An integer underflow vulnerability has been identified in OpenPrinting CUPS versions through 2.4.16. The issue arises in the `_ppdCreateFromIPP()` function within `cups/ppd-cache.c`, where the bounds check for the `job-password-supported` IPP attribute only limits the upper value. This flaw allows an unprivileged local user to send a negative integer, which is then improperly validated, cast to a size type, and used to overwrite memory beyond the bounds of a 33-byte stack buffer. The resulting segmentation fault crashes the `cupsd` process, which runs as root. With systemd's `Restart=on-failure` option, this crash can be exploited repeatedly, causing a sustained denial-of-service condition.

Impact

Exploitation of this vulnerability causes an immediate segmentation fault in the `cupsd` process, disrupting printing services system-wide. The process crash is followed by a systemd restart, allowing the denial-of-service condition to be maintained.

Reproduction

To reproduce this vulnerability, a local user must first set up a fake IPP printer on `localhost` that responds to the `Get-Printer-Attributes` request with a negative value for the `job-password-supported` attribute. Once this printer is established, the user can create a local printer through the CUPS interface that points to the fake printer. The CUPS service will then crash due to the integer underflow, and systemd will restart the service, allowing the process to be repeated.

Remediation

It is recommended to add a lower-bound check for the `maxlen` variable in the `_ppdCreateFromIPP()` function to prevent negative values from being accepted. Alternatively, the variable can be managed as an unsigned type to naturally avoid negative values.