Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 24 Mar 2015 13:43:41 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-8166 cups: code execution via unescape ANSI escape sequences

* Kurt Seifried:

> So this one is pretty hard to cause exploitation without heavy social
> engineering/etc.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1084577
>
> It was reported that ANSI escape sequences could be added to printer
> names in CUPS.  Becaue CUPS has a browsing feature that, when enabled,
> allows remote hosts to announce shared printers, a malicious host or
> user could send a specially-crafted UDP packet to a CUPS server
> announcing an arbitrary printer name that includes ANSI escape
> sequences.  Since the CUPS daemon does not remove these characters, a
> user on the targeted system could query the printer list (using 'lpstat
> -a', for example).  If this were done in a terminal that supported the
> ANSI escape sequences (like a terminal with support for color), then
> code execution could be possible as the terminal would interpret the
> ANSI escape sequences contained in the printer name.

In the past, we treated those as security bugs in terminals, not bugs
in the application producing the data that triggers these bugs.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.