Date: Mon, 23 Mar 2015 22:42:08 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
        security@...le.com
Subject: CVE-2014-8166 cups: code execution via unescape ANSI escape sequences

So this one is pretty hard to cause exploitation without heavy social
engineering/etc.

https://bugzilla.redhat.com/show_bug.cgi?id=1084577

It was reported that ANSI escape sequences could be added to printer
names in CUPS.  Because CUPS has a browsing feature that, when enabled,
allows remote hosts to announce shared printers, a malicious host or
user could send a specially-crafted UDP packet to a CUPS server
announcing an arbitrary printer name that includes ANSI escape
sequences.  Since the CUPS daemon does not remove these characters, a
user on the targeted system could query the printer list (using 'lpstat
-a', for example).  If this were done in a terminal that supported the
ANSI escape sequences (like a terminal with support for color), then
code execution could be possible as the terminal would interpret the
ANSI escape sequences contained in the printer name.

A patch for this is available at
https://bugzilla.redhat.com/attachment.cgi?id=916761

My apologies, this issue has been sitting way too long and is certainly
not worth a long embargo.

I can't wait till I'm done cleaning house of all these embargoed issues
that shouldn't be embargoed. I strongly urge other vendors to do the same.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
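
The defensive side of the issue described in the message above, as an added example (not part of the original post and not the patch attached to the Bugzilla entry): escape every byte outside printable ASCII before a printer name reaches a terminal. The function name `escape_printer_name` and the sample name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A byte is passed through only if it is printable ASCII and not a
 * backslash (backslash is escaped so the output stays unambiguous). */
static int is_plain(unsigned char c)
{
    return c >= 0x20 && c <= 0x7e && c != '\\';
}

/*
 * Copy name into out, rendering ESC (0x1b), other C0 controls, DEL,
 * 8-bit CSI (0x9b) and any other non-ASCII byte as \xNN.
 * Returns the number of bytes escaped, or -1 if out is too small.
 */
int escape_printer_name(const char *name, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    int escaped = 0;

    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        size_t need = is_plain(*p) ? 1 : 4;
        if (o + need + 1 > outlen)      /* keep room for the NUL */
            return -1;
        if (is_plain(*p)) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
            escaped++;
        }
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed sample: a printer name carrying a colour sequence. */
    const char *announced = "lobby\x1b[31mprinter";
    char shown[128];
    int n = escape_printer_name(announced, shown, sizeof shown);
    printf("%s (%d byte(s) escaped)\n", shown, n);
    return 0;
}
```

A non-zero return value is also a useful signal to log, since a legitimately announced printer name has no reason to contain control bytes.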

