Date: Mon, 23 Mar 2015 22:42:08 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, security@...le.com
Subject: CVE-2014-8166 cups: code execution via unescape ANSI escape sequences

So this one is pretty hard to cause exploitation without heavy social engineering/etc.

https://bugzilla.redhat.com/show_bug.cgi?id=1084577

It was reported that ANSI escape sequences could be added to printer names in CUPS. Because CUPS has a browsing feature that, when enabled, allows remote hosts to announce shared printers, a malicious host or user could send a specially-crafted UDP packet to a CUPS server announcing an arbitrary printer name that includes ANSI escape sequences. Since the CUPS daemon does not remove these characters, a user on the targeted system could query the printer list (using 'lpstat -a', for example). If this were done in a terminal that supported the ANSI escape sequences (like a terminal with support for color), then code execution could be possible as the terminal would interpret the ANSI escape sequences contained in the printer name.

A patch for this is available at https://bugzilla.redhat.com/attachment.cgi?id=916761

My apologies, this issue has been sitting way too long and is certainly not worth a long embargo. I can't wait till I'm done cleaning house of all these embargoed issues that shouldn't be embargoed. I strongly urge other vendors to do the same.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
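
The message above describes printer names reaching the terminal with their control characters intact. The following is an added example, not the patch from the Bugzilla attachment and not CUPS code: a hypothetical `sanitize_printer_name()` helper showing one way to neutralise C0, DEL and C1 control characters (raw or UTF-8 encoded) in an untrusted name before it is displayed. The function name and the `?` replacement policy are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Length of the well-formed UTF-8 sequence at s, or 0 if malformed. */
static size_t utf8_len(const unsigned char *s)
{
    size_t n, i;

    if (s[0] < 0x80) return 1;
    if (s[0] >= 0xc2 && s[0] <= 0xdf) n = 2;       /* 0xc0/0xc1 are overlong */
    else if ((s[0] & 0xf0) == 0xe0) n = 3;
    else if (s[0] >= 0xf0 && s[0] <= 0xf4) n = 4;
    else return 0;                                 /* stray continuation byte */
    for (i = 1; i < n; i++)
        if ((s[i] & 0xc0) != 0x80) return 0;       /* also stops at the NUL */
    if ((s[0] == 0xe0 && s[1] < 0xa0) || (s[0] == 0xf0 && s[1] < 0x90))
        return 0;                                  /* overlong 3/4-byte forms */
    return n;
}

/* Hypothetical helper, not CUPS code: copy an untrusted printer name into
 * dst, replacing each terminal control character with '?'. Returns the
 * number of replacements so the caller can log or reject the name. */
size_t sanitize_printer_name(const char *src, char *dst, size_t dstsize)
{
    const unsigned char *s = (const unsigned char *)src;
    size_t o = 0, replaced = 0;

    if (dstsize == 0) return 0;
    while (*s && o + 1 < dstsize) {
        size_t n = utf8_len(s);
        int bad = n == 0                           /* malformed or raw 8-bit */
               || *s < 0x20 || *s == 0x7f          /* C0 (ESC is 0x1b), DEL */
               || (*s == 0xc2 && s[1] <= 0x9f);    /* C1, e.g. CSI U+009B */
        if (bad) {
            dst[o++] = '?';
            replaced++;
            s += n > 1 ? n : 1;
            continue;
        }
        if (o + n >= dstsize) break;               /* never split a character */
        while (n--) dst[o++] = (char)*s++;
    }
    dst[o] = '\0';
    return replaced;
}
```

A non-zero return value is a useful signal in its own right: a legitimate printer name has no reason to contain control characters, so the caller can log the announcing host or drop the entry instead of displaying it.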