CVE-2023-24805: 
NixOS vulnerability analysis and mitigation

CVE-2023-24805 affects cups-filters, a package containing backends, filters, and other software required for CUPS printing service on non-macOS operating systems. The vulnerability was discovered in May 2023 and affects the Backend Error Handler (beh) component when used to create an accessible network printer (NVD, GitHub Advisory).

The vulnerability exists in the beh.c file where the system command is called with user-controlled, unsanitized values. The issue stems from the line retval = system(cmdline) >> 8 where cmdline contains multiple unsanitized user inputs. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

An attacker with network access to the hosted print server can exploit this vulnerability to inject system commands which are executed in the context of the running server. This allows for remote code execution with the privileges of the CUPS service (NVD, GitHub Advisory).

The issue has been addressed in commit 8f274035 by replacing the system() call with execv() and implementing additional input sanitization checks. Users are advised to upgrade to patched versions when available and restrict access to network printers in the meantime. Multiple distributions have released security updates including Debian, Red Hat, and Fedora (Debian Advisory, Red Hat Advisory).