oss-sec mailing list archives
CVE-2014-8166 cups: code execution via unescape ANSI escape sequences
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 23 Mar 2015 22:42:08 -0600
So this one is pretty hard to cause exploitation without heavy social engineering/etc.

https://bugzilla.redhat.com/show_bug.cgi?id=1084577

It was reported that ANSI escape sequences could be added to printer names in CUPS. Because CUPS has a browsing feature that, when enabled, allows remote hosts to announce shared printers, a malicious host or user could send a specially-crafted UDP packet to a CUPS server announcing an arbitrary printer name that includes ANSI escape sequences. Since the CUPS daemon does not remove these characters, a user on the targeted system could query the printer list (using 'lpstat -a', for example). If this were done in a terminal that supported the ANSI escape sequences (like a terminal with support for color), then code execution could be possible as the terminal would interpret the ANSI escape sequences contained in the printer name.

A patch for this is available at https://bugzilla.redhat.com/attachment.cgi?id=916761

My apologies, this issue has been sitting way too long and is certainly not worth a long embargo. I can't wait till I'm done cleaning house of all these embargoed issues that shouldn't be embargoed. I strongly urge other vendors to do the same.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
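
A display-side guard for the problem described above, as an added example that is not part of the original post and is not the patch linked from it. `show_name_safely` is a hypothetical helper, not a CUPS function, and the printer name in `main` is constructed; the function rewrites every terminal control byte in a name as visible text before it is printed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a CUPS function): copy `name` into `out` with
 * every terminal control byte rewritten as a visible "\xHH" sequence.
 * Returns how many bytes were rewritten, or -1 if `out` is too small. */
int show_name_safely(const char *name, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    const unsigned char *s = (const unsigned char *)name;
    size_t o = 0;
    int rewritten = 0, cont = 0;   /* cont: UTF-8 continuation bytes expected */

    if (outlen == 0)
        return -1;
    for (size_t i = 0; s[i] != '\0'; i++) {
        unsigned char c = s[i];
        int bad = c < 0x20 || c == 0x7f;       /* C0 (ESC is 0x1b) and DEL */
        if (c >= 0x80 && c <= 0xbf) {          /* continuation-range byte */
            if (cont > 0)
                cont--;                        /* part of a normal character */
            else if (c <= 0x9f)
                bad = 1;                       /* stray 8-bit C1, e.g. CSI 0x9b */
        } else {
            cont = c >= 0xf0 ? 3 : c >= 0xe0 ? 2 : c >= 0xc0 ? 1 : 0;
            /* U+0080..U+009F arrive as C2 80..9F: rewrite both bytes. */
            if (c == 0xc2 && s[i + 1] >= 0x80 && s[i + 1] <= 0x9f) {
                bad = 1;
                cont = 0;
            }
        }
        if (o + (bad ? 4 : 1) >= outlen)
            return -1;                         /* keep room for the terminator */
        if (bad) {
            out[o++] = '\\'; out[o++] = 'x';
            out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0f];
            rewritten++;
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return rewritten;
}

int main(void)
{
    char out[64];   /* constructed sample name carrying a colour sequence */
    if (show_name_safely("Office\x1b[31m", out, sizeof out) >= 0)
        puts(out);
    return 0;
}
```

A non-zero return value is also a useful signal on its own: a printer name that needed rewriting is worth logging.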