Bug 1084577 (CVE-2014-8166)

Summary: CVE-2014-8166 cups: code execution via unescaped ANSI escape sequences
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: carnil, falonso, fweimer, jkurik, jpopelka, jrusnack, matthias.flege, pfrields, security-response-team, shlomif, twaugh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the CUPS daemon added shared printers announced through the network. A malicious host or user could send a specially crafted UDP packet to a CUPS server that, when processed, could potentially lead to arbitrary code execution with the privileges of the user running the CUPS daemon.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-14 10:53:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1084580
Attachments (Description / Flags):
untested patch / none

Description Vincent Danen 2014-04-04 18:29:32 UTC
It was reported that ANSI escape sequences could be added to printer names in CUPS. Because CUPS has a browsing feature that, when enabled, allows remote hosts to announce shared printers, a malicious host or user could send a specially-crafted UDP packet to a CUPS server announcing an arbitrary printer name that includes ANSI escape sequences. Since the CUPS daemon does not remove these characters, a user on the targeted system could query the printer list (using 'lpstat -a', for example). If this were done in a terminal that supported the ANSI escape sequences (like a terminal with support for color), then code execution could be possible as the terminal would interpret the ANSI escape sequences contained in the printer name.
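
The defensive half of the issue described above is a sanitizer on the receiving side: a name learned from an untrusted browse announcement must not carry bytes a terminal would interpret. The following is an added illustration, not CUPS code and not the attached patch; the function names `name_has_control_bytes` and `strip_escape_sequences` and the sample printer name are constructed for this example. It strips CSI sequences (ESC `[` ... final byte), OSC sequences (ESC `]` ... BEL or ESC `\`), other two-byte ESC sequences, and any bare C0 control byte or DEL, and offers a reject-only check for callers that prefer to drop the announcement rather than clean it.

```c
/* Added example (not CUPS code): strip terminal escape sequences and other
 * control bytes from an untrusted printer name before it is stored or shown. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Returns 1 if the name contains any C0 control byte (including ESC) or DEL,
 * i.e. anything a terminal would interpret rather than display; 0 otherwise.
 * Use this when the policy is to reject the announcement outright. */
int name_has_control_bytes(const char *name)
{
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 1;
    return 0;
}

/* Copies src into dst (at most dstsize bytes including the NUL), removing:
 *  - CSI sequences:  ESC '[' <bytes 0x20-0x3f>* <final byte 0x40-0x7e>
 *  - OSC sequences:  ESC ']' ... terminated by BEL (0x07) or ESC '\'
 *  - other two-byte ESC sequences: ESC <0x20-0x7e>
 *  - any remaining C0 control byte or DEL
 * Returns the number of bytes written (excluding the NUL); truncates if dst
 * is too small. Unterminated sequences are dropped up to the end of input. */
size_t strip_escape_sequences(char *dst, size_t dstsize, const char *src)
{
    const unsigned char *s = (const unsigned char *)src;
    size_t n = 0;

    if (dstsize == 0)
        return 0;

    while (*s) {
        unsigned char c = *s;

        if (c == 0x1b) {                        /* start of an escape sequence */
            s++;
            if (*s == '[') {                    /* CSI */
                s++;
                while (*s >= 0x20 && *s <= 0x3f) /* parameter / intermediate bytes */
                    s++;
                if (*s >= 0x40 && *s <= 0x7e)    /* final byte */
                    s++;
            } else if (*s == ']') {             /* OSC */
                s++;
                while (*s && *s != 0x07 && !(*s == 0x1b && s[1] == '\\'))
                    s++;
                if (*s == 0x07)
                    s++;
                else if (*s == 0x1b)
                    s += 2;                     /* ESC '\' string terminator */
            } else if (*s >= 0x20 && *s <= 0x7e) {
                s++;                            /* two-byte ESC x sequence */
            }
            continue;
        }

        if (c < 0x20 || c == 0x7f) {            /* bare control byte: drop it */
            s++;
            continue;
        }

        if (n + 1 >= dstsize)                   /* leave room for the NUL */
            break;
        dst[n++] = (char)c;
        s++;
    }
    dst[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample: a printer name wrapping color and title-setting
     * sequences around the visible text "EvilPrinter". */
    const char *announced = "\x1b[31mEvil\x1b]0;title\x07Printer\x1b[0m\x07";
    char clean[64];

    printf("reject? %d\n", name_has_control_bytes(announced));
    strip_escape_sequences(clean, sizeof clean, announced);
    printf("sanitized name: %s\n", clean);
    return 0;
}
```

Whether to strip or to reject is a policy choice: stripping keeps a usable printer name, while rejecting makes the malformed announcement visible in the scheduler's logs as an event worth looking at. Either way the check belongs at the point where the name enters the daemon, not in every client that later prints it.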

Comment 4 Tim Waugh 2014-07-09 12:41:35 UTC
Created attachment 916761 [details]
untested patch

Comment 5 Jiri Popelka 2014-07-10 11:38:14 UTC
(In reply to Tim Waugh from comment #4)
> Created attachment 916761 [details]
> untested patch

I tested it and it works for me.

Comment 6 Shlomi Fish 2015-03-29 07:17:52 UTC
Hi all,

I was referred to this bug from https://bugs.mageia.org/show_bug.cgi?id=15562 .

(In reply to Jiri Popelka from comment #5)
> (In reply to Tim Waugh from comment #4)
> > Created attachment 916761 [details]
> > untested patch
> I tested it and it works for me.

Which version of the Fedora/Red Hat CUPS package is this patch for? It does not seem to apply cleanly against the one from RawHide:

shlomif@telaviv1:~/progs/Rpms$ cd BUILD/cups-2.0.2/
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ ls
autom4te.cache       CHANGES.txt              desktop           man
backend              conf                     doc               monitor
berkeley             config.h.in              examples          notifier
cgi-bin              config.h.in.lspp         filter            packaging
CHANGES-1.0.txt      config-scripts           install-sh        ppdc
CHANGES-1.1.txt      configure                INSTALL.txt       README.txt
CHANGES-1.2.txt      configure.ac             IPPTOOL.txt       scheduler
CHANGES-1.3.txt      configure.ac.lspp        LICENSE.txt       systemv
CHANGES-1.4.txt      CREDITS.txt              locale            templates
CHANGES-1.5.txt      cups                     Makedefs.in       test
CHANGES-1.6.txt      cups-config.in           Makedefs.in.0755  vcnet
CHANGES-1.7.txt      cups-config.in.multilib  Makedefs.in.lspp  xcode
CHANGES-IPPTOOL.txt  data                     Makefile
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r process_browse .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'Resource FQDN' .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'hptr' .

(all these identifiers appear in the scheduler/dirsvc.c portion of the patch).

Please enlighten me.


-- Shlomi Fish

Comment 7 Tim Waugh 2015-03-31 11:43:05 UTC
It's for RHEL-6. That functionality was removed in CUPS 1.6.

Comment 8 Shlomi Fish 2015-03-31 12:00:18 UTC
(In reply to Tim Waugh from comment #7)
> It's for RHEL-6. That functionality was removed in CUPS 1.6.

Thanks for the insight! I'll update the Mageia bug.