Re: CVE-2014-8166 cups: code execution via unescape ANSI escape sequences

[Florian Weimer <fw () deneb enyo de>]

* Kurt Seifried:

> So this one is pretty hard to cause exploitation without heavy social
> engineering/etc.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1084577
>
> It was reported that ANSI escape sequences could be added to printer
> names in CUPS.  Becaue CUPS has a browsing feature that, when enabled,
> allows remote hosts to announce shared printers, a malicious host or
> user could send a specially-crafted UDP packet to a CUPS server
> announcing an arbitrary printer name that includes ANSI escape
> sequences.  Since the CUPS daemon does not remove these characters, a
> user on the targeted system could query the printer list (using 'lpstat
> -a', for example).  If this were done in a terminal that supported the
> ANSI escape sequences (like a terminal with support for color), then
> code execution could be possible as the terminal would interpret the
> ANSI escape sequences contained in the printer name.

In the past, we treated those as security bugs in terminals, not bugs
in the application producing the data that triggers these bugs.