F43 Change Proposal: Foomatic-Rip rejects unknown values (self-contained)

Project Discussion Change Proposals
,
1

Foomatic-Rip rejects unknown values

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Announced
Wiki

:link: Summary

The filter foomatic-rip will reject any values of PPD options FoomaticRIPCommandLine, FoomaticRIPCommandLinePDF, and FoomaticRIPOptionSetting. Users are able to scan drivers of their installed printers by the tool foomatic-hash, which outputs a file which is used for allowing the found values for the filter.

:link: Owner

:link: Detailed Description

The filter foomatic-rip supports several PPD options which are used to construct a shell command, which is to be run in a new process. Those options are FoomaticRIPCommandLine, FoomaticRIPCommandLinePDF, and FoomaticRIPOptionSettings. This behavior was implemented around 20 years ago to help printer vendors or enthusiasts with writing printer drivers for Linux. Driver creators did not have to write a new filter which would apply requested changes into a filtered file, but wrote set of shell commands, Postscript code or Perl code which were applied to the print job before sending it to the printer.

However this approach is often the final goal of attackers, who exploit another security vulnerabilities in the printing stack to get users to install and use a malicious PPD file for their printer, which will contain crafted mentioned PPD options. Such issues are mitigated by foomatic-rip being run under user lp in the default configuration.

To prevent unintentional use of malicious foomatic-related PPD options, the filter won’t accept any values by default. As a way how to review and create an allowed list of safe values, the tool foomatic-hash is implemented.

The tool foomatic-hash scans a PPD file or a path with drivers defined on its command line and outputs two files - one with found values for users to review, and the other with the found values hashed and ready to be copied into directories where foomatic-rip reads them.

In new Fedora 43 installations users are expected to run foomatic-hash tool, review the scan findings and allow the found values by moving the file with hashes into the directory /etc/foomatic/hashes.d.

:link: Feedback

  1. Will we allow every foomatic-related PPD options values which are already in Fedora?

Since foomatic-rip is mostly used with older printers or with printers which have another support alternative (like AirPrint), and there are many such older drivers for printers which are now not used often, there would be many values to review for printing stack maintainers in comparison to additional value it gains for Fedora. However the package cups-filters provides a directory which is read by foomatic-rip in case a printer driver wants to review and ship allowed hashes. The directory /usr/share/foomatic/hashes.d is present for this purpose and developers can install their files with allowed hashes into this directory.

  1. Will the previously installed print queue be working after upgrade?

Based on this feedback the proposal owner will implement a RPM scriptlet which will allow values from installed printers, which were installed in the previous Fedora version. A message will be generated during DNF upgrade if there are print queues with such drivers, and direct user to foomatic-rip man page.

  1. Is it possible to sanitize the values instead of introducing reject/allow mechanism?

Unfortunately this is not possible due functionality of those options. They were meant to construct a shell command, so we cannot forbid interpreter calls or remove/escape special characters since it would break the correct shell command.

:link: Benefit to Fedora

The change improves Fedora security while leaving a way for users who depend on the driver with the filter foomatic-rip to allow their drivers.

:link: Scope

  • Proposal owners:

Proposal owner will apply the upstream patch implementing the issue, and test upgrade path.

  • Other developers:

(optional) Printer driver maintainers might scan drivers provided by their package, review the findings and if there is no discrepancies, ship the file with hashed values at directory /usr/share/foomatic/hashes.d.

  • Release engineering: N/A

  • Policies and guidelines: N/A (not needed for this Change)

  • Trademark approval: N/A (not needed for this Change)

  • Alignment with the Fedora Strategy:

:link: Upgrade/compatibility impact

Upgrade from Fedora 42 to Fedora 43 will allow the values of already installed printers to maintain functionality, but users are expected to review the file with found values. The file with findings will be present in the directory /var/tmp in the file with prefix foomatic-scan.

:link: How To Test

How to find out if drivers with foomatic-rip are used with the currently installed printers:

$ sudo grep -Rn ‘FoomaticRIPCommandLine|FoomaticRIPCommandLinePDF|FoomaticRIPOptionSetting’ /etc/cups/ppd /etc/cups/ppd/ricoh.ppd:52:*FoomaticRIPCommandLine: "printf "%%!PS-Adobe-3.0 /etc/cups/ppd/ricoh.ppd:759:*RIPostScript IRIPS/PostScript Emulation: “%% FoomaticRIPOptionSetting: RIPostScript=IRIPS” /etc/cups/ppd/ricoh.ppd:760:*FoomaticRIPOptionSetting RIPostScript=IRIPS: "/isGenuine{\n&& 


In the example, the print queue called ricoh uses the affected PPD options.

If its values are not allowed, the following situation will happen:

$ lp -d ricoh /etc/fstab $ journalctl -u cups -r 
 Job stopped due to filter errors; please consult the syslog file for details. 


If CUPS debug logs are enabled, there is a specific message in the journal:

$ journalctl -u cups -r 
 Process is dying with "ERROR: The value of the key FoomaticRIPCommandLine is not among the allowed values - see foomatic-rip man page for more instructions. 


User is expected to run foomatic-hash, to review the scan result in file_to_review, and if the found values do not look malicious or the user accepts them, to copy them into the directory /etc/foomatic/hashes.d:

$ sudo foomatic-hash --ppd-paths /etc/cups/ppd file_to_review local_hashes $ sudo cp local_hashes /etc/foomatic/hashes.h $ lp -d ricoh /etc/fstab (Print job succeeds)

:link: User Experience

Users with new Fedora 43 installations will have to allow FoomaticRip values their drivers use after printer installation.

Steps:

$ sudo foomatic-hash --ppd-paths /etc/cups/ppd file_to_review local_hashes $ sudo cp local_hashes /etc/foomatic/hashes.h

Users who upgrade to Fedora 43 are expected to review the found values from their installed printers after upgrade - the file with findings will be present in the directory /var/tmp in the file with prefix foomatic-scan.

In case a malicious or a suspicious value is found, users can find the driver with the value in the directory /etc/cups/ppd. There the driver file is called <printer_name>.ppd, where <printer_name> is the name of a specific printer user has installed. Users are encouraged to reinstall the printer with a different compatible driver or delete such printer.

:link: Dependencies

(optional) Printer driver packages which use foomatic-rip - e.g. hplip, foomatic-db, ptouch-driver, foo2zjs - in case their maintainers are willing to scan their drivers, review findings and ship the hashes in Fedora.

:link: Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) The upstream patch won’t be applied in cups-filters
  • Contingency deadline: Beta Freeze
  • Blocks release? No

:link: Documentation

N/A (not a System Wide Change)

:link: Release Notes

Foomatic-Rip filter rejects values of PPD options FoomaticRipCommandLine, FoomaticRipCommandLinePDF, and FoomaticRipOptionSetting which are not allowed in configuration on new Fedora installations by default. Users are expected to run the tool foomatic-hash, review its findings and if they approve the findings are not malicious, allow the values by moving the file with hashes into /etc/foomatic/hashes.d. See man foomatic-rip and man foomatic-hash for more info.

Last edited by @amoloney 2025-07-24T17:01:20Z

Last edited by @amoloney 2025-07-24T17:01:20Z

2

How do you feel about the proposal as written?

  • Strongly in favor
  • In favor, with reservations
  • Neutral
  • Opposed, but could be convinced
  • Strongly opposed
0 voters

If you are in favor but have reservations, or are opposed but something could change your mind, please explain in a reply.

We want everyone to be heard, but many posts repeating the same thing actually makes that harder. If you have something new to say, please say it. If, instead, you find someone has already covered what you’d like to express, please simply give that post a :heart: instead of reiterating. You can even do this by email, by replying with the heart emoji or just “+1”. This will make long topics easier to follow.

Please note that this is an advisory “straw poll” meant to gauge sentiment. It isn’t a vote or a scientific survey. See About the Change Proposals category for more about the Change Process and moderation policy.

3

Can the foomatic-hash utility (alone, without the functionality to consume its results) be packaged and released for Fedora 42, so that users have the option to preemptively generate and install an allowlist for their printer drivers’ foomatic-rip values before upgrading, if they so choose?

That seems like a potentially more seamless approach to migration into the new filter security model. Some users may wish to take advantage of the ability to configure things ahead of time, rather than having to plan for printer downtime immediately after an upgrade. (Until such time as someone gets around to completing the “post-upgrade homework” of reviewing and installing the allowlist, which may get lost in the flurry of post-upgrade tasks some installations have to deal with.)

4

Hi Frank!

Certainly I can do such a thing, it is not an issue, but it looks like I did not explain the other part properly. There won’t be a printer downtime for already installed foomatic-rip printers in case of upgrade to Fedora 43.

In such case, %posttrans scriptlet will scan /etc/cups/ppd and automatically allow values from the installed printer PPDs. Users are expected to review the findings of the script which are reported during upgrade, but there won’t be a functional regression for printers installed before F43.

But you are correct, users probably miss such messages during upgrades and don’t check the logs afterwards, so allowing to run foomatic-hash beforehand is certainly a boon.

So WDYT?

IMO I can do the following - have the upgrade scriptlet working as it is to prevent functional regression and backport foomatic-hash to stable Fedora releases F41+ for users to prepare environment beforehand.

Sounds okay?

Thank you in advance and have a nice day!

Zdenek

5

This will not work on Bootable Containers / Atomic Desktops. Can you make this a systemd service unit instead that would be run on boot (for image mode systems) or triggered as part of the transaction (for package mode systems)?

6

Hi,

certainly I can do my best - do you an example of package which uses such systemd service for doing upgrade tasks? I always heard about them, never saw any in the wilderness.

Thank you in advance!

Zdenek