Hello, considering the recent CUPS CVE (CUPS Remote Code Execution Vulnerability Fix Available | Ubuntu) I would like to know if using the snap version of CUPS would have helped mitigate this problem.
The vulnerability that is described is a remote code execution (RCE) as the lp user.
I haven’t personally checked the behavior of the CUPS snap, but in principle it should have all the same functionality of the CUPS native packages in terms of supporting network printer auto discovery; and the chain of vulnerabilities described would still be expected to apply to CUPS code running in a snap vs. unconfined.
I think it’s therefore quite likely that executing this attack against a CUPS snap built from the affected versions of the CUPS packages would also result in remote code execution.
However, in both cases, the code being executed would be run in an unprivileged context: in one case as the lp user on the host, in the other case as a dedicated user in the snap containerization/confinement environment. The attack as described does not grant the attacker the ability to execute code as root, or as the login user.
The attack COULD be chained to an additional vulnerability, not specified here, to escalate privileges. Then, the question of whether CUPS as a snap would protect against this privilege escalation would depend on the specifics of that additional vulnerability.
1 Like
Thank you very much for your explanation