oss-sec mailing list archives

CVE-2014-8166 cups: code execution via unescape ANSI escape sequences


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 23 Mar 2015 22:42:08 -0600

So this one is pretty hard to cause exploitation without heavy social
engineering/etc.

https://bugzilla.redhat.com/show_bug.cgi?id=1084577

It was reported that ANSI escape sequences could be added to printer
names in CUPS.  Because CUPS has a browsing feature that, when enabled,
allows remote hosts to announce shared printers, a malicious host or
user could send a specially-crafted UDP packet to a CUPS server
announcing an arbitrary printer name that includes ANSI escape
sequences.  Since the CUPS daemon does not remove these characters, a
user on the targeted system could query the printer list (using 'lpstat
-a', for example).  If this were done in a terminal that supported the
ANSI escape sequences (like a terminal with support for color), then
code execution could be possible as the terminal would interpret the
ANSI escape sequences contained in the printer name.

A patch for this is available at
https://bugzilla.redhat.com/attachment.cgi?id=916761

My apologies, this issue has been sitting way too long and is certainly
not worth a long embargo.

I can't wait till I'm done cleaning house of all these embargoed issues
that shouldn't be embargoed. I strongly urge other vendors to do the same.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
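
An added example, not the Red Hat patch and not CUPS code: one way to neutralise terminal control characters in an untrusted printer name before it is printed, which is the filtering the message above says the daemon does not do. The helper name sanitize_name, the '?' replacement policy and the sample names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a CUPS function): copy an untrusted name into
 * out, replacing terminal control characters with '?'.
 * Returns the number of characters replaced, or -1 if out is too small. */
int sanitize_name(const char *in, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t o = 0;
    int replaced = 0;

    if (outsz == 0)
        return -1;
    while (*p) {
        if (o + 1 >= outsz)          /* keep room for the terminating NUL */
            return -1;
        if (*p < 0x20 || *p == 0x7f) {
            /* C0 controls (ESC is 0x1b) and DEL */
            out[o++] = '?';
            replaced++;
            p++;
        } else if (*p == 0xc2 && p[1] >= 0x80 && p[1] <= 0x9f) {
            /* UTF-8 encoding of the C1 controls, e.g. U+009B (8-bit CSI) */
            out[o++] = '?';
            replaced++;
            p += 2;
        } else {
            out[o++] = (char)*p++;
        }
    }
    out[o] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed sample: a printer name carrying an ANSI colour sequence. */
    const char *announced = "lp\x1b[31mred";
    char safe[64];
    int n = sanitize_name(announced, safe, sizeof safe);

    printf("replaced=%d name=%s\n", n, safe);
    return 0;
}
```

Filtering at the point where the name is accepted from the network protects every later consumer; filtering only at display time has to be repeated in each tool that prints the name.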
