Date: Mon, 23 Mar 2015 22:42:08 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, security@...le.com
Subject: CVE-2014-8166 cups: code execution via unescape ANSI escape sequences

So this one is pretty hard to cause exploitation without heavy social engineering/etc.

https://bugzilla.redhat.com/show_bug.cgi?id=1084577

It was reported that ANSI escape sequences could be added to printer names in CUPS. Because CUPS has a browsing feature that, when enabled, allows remote hosts to announce shared printers, a malicious host or user could send a specially-crafted UDP packet to a CUPS server announcing an arbitrary printer name that includes ANSI escape sequences. Since the CUPS daemon does not remove these characters, a user on the targeted system could query the printer list (using 'lpstat -a', for example). If this were done in a terminal that supported the ANSI escape sequences (like a terminal with support for color), then code execution could be possible as the terminal would interpret the ANSI escape sequences contained in the printer name.

A patch for this is available at https://bugzilla.redhat.com/attachment.cgi?id=916761

My apologies, this issue has been sitting way too long and is certainly not worth a long embargo. I can't wait till I'm done cleaning house of all these embargoed issues that shouldn't be embargoed. I strongly urge other vendors to do the same.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
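
The mitigation idea behind the report, neutralising control bytes in a remotely supplied printer name before it reaches a terminal, shown as an added example; it is not the CUPS patch linked above and not code from the original message. The function name `sanitize_name`, the `\xNN` output form and the sample printer name are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Copy an untrusted name into out so it is safe to print on a terminal.
 * Only printable ASCII (0x20-0x7e) passes through unchanged; ESC (0x1b),
 * the other C0 controls, DEL and every byte >= 0x80 (which covers the
 * single-byte CSI 0x9b) are written as a visible \xNN token.
 * Assumption: a conservative allowlist, so UTF-8 bytes are escaped too.
 * Returns the number of bytes escaped, or -1 if out is too small.
 */
int sanitize_name(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int escaped = 0;

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        int unsafe = (*p < 0x20 || *p > 0x7e);
        size_t need = unsafe ? 4 : 1;      /* "\xNN" is four characters */

        if (o + need + 1 > outlen)         /* keep room for the final NUL */
            return -1;
        if (unsafe) {
            snprintf(out + o, 5, "\\x%02x", *p);
            escaped++;
        } else {
            out[o] = (char)*p;
        }
        o += need;
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed sample: a printer name carrying a colour-change sequence. */
    const char *announced = "Office\x1b[31mLaser";
    char shown[128];

    int n = sanitize_name(announced, shown, sizeof shown);
    if (n < 0) {
        fprintf(stderr, "name too long, refusing to display\n");
        return 1;
    }
    printf("%s (%d byte(s) escaped)\n", shown, n);
    return 0;
}
```

A non-zero return value is also a useful signal on its own: a printer name that needed escaping can be logged or rejected at the point where the announcement is accepted rather than only cleaned at display time.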