Candidate: CVE-2017-15400
PublicDate: 2018-02-07 23:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15400
 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-chrome-os_27.html
Description:
 Insufficient restriction of IPP filters in CUPS in Google Chrome OS prior
 to 62.0.3202.74 allowed a remote attacker to execute a command with the
 same privileges as the cups daemon via a crafted PPD file, aka a printer
 zeroconfig CRLF issue.
Ubuntu-Description:
Notes:
 mdeslaur> chromium bug mentions crlf injection
 mdeslaur> code introduced in 2.2.0
Bugs:
 https://bugs.chromium.org/p/chromium/issues/detail?id=777215
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_cups:
 upstream: https://github.com/apple/cups/commit/07428f6a640ff93aa0b4cc69ca372e2cf8490e41
 upstream: https://github.com/apple/cups/commit/1add23375658e9163e5493ee19de7c9f7a9b483b
upstream_cups: released (2.2.2)
precise/esm_cups: DNE
trusty_cups: not-affected (code not present)
trusty/esm_cups: DNE (trusty was not-affected [code not present])
xenial_cups: not-affected (code not present)
esm-infra/xenial_cups: not-affected (code not present)
artful_cups: not-affected (2.2.4-7ubuntu3)
bionic_cups: not-affected (2.2.6-5)
devel_cups: not-affected (2.2.6-5)