Bug 1084577 (CVE-2014-8166) - CVE-2014-8166 cups: code execution via unescape ANSI escape sequences
Summary: CVE-2014-8166 cups: code execution via unescape ANSI escape sequences
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-8166
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1084580
Reported: 2014-04-04 18:29 UTC by Vincent Danen
Modified: 2019-09-29 13:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the CUPS daemon added shared printers announced through the network. A malicious host or user could send a specially crafted UDP packet to a CUPS server that, when processed, could potentially lead to arbitrary code execution with the privileges of the user running the CUPS daemon.
Clone Of:
Environment:
Last Closed: 2015-04-14 10:53:32 UTC
Embargoed:


Attachments
untested patch (4.72 KB, patch) - 2014-07-09 12:41 UTC, Tim Waugh, no flags

Description Vincent Danen 2014-04-04 18:29:32 UTC
It was reported that ANSI escape sequences could be added to printer names in CUPS.  Because CUPS has a browsing feature that, when enabled, allows remote hosts to announce shared printers, a malicious host or user could send a specially-crafted UDP packet to a CUPS server announcing an arbitrary printer name that includes ANSI escape sequences.  Since the CUPS daemon does not remove these characters, a user on the targeted system could query the printer list (using 'lpstat -a', for example).  If this were done in a terminal that supported the ANSI escape sequences (like a terminal with support for color), then code execution could be possible as the terminal would interpret the ANSI escape sequences contained in the printer name.

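The two places a fix for the issue described above can sit are the ingestion side (refuse a browsed printer name that carries control bytes before it is ever stored) and the display side (never hand raw bytes to a terminal). The following is an added example written for this page; it is not CUPS code and not the patch attached to this bug. It assumes the caller has already parsed the browse packet and extracted the candidate queue name, and it uses a conservative allow-list (printable ASCII, minus space, '/' and '#') chosen for the example rather than taken from the CUPS sources. The sample names at the bottom are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Ingestion-side gate for a printer name received over the browse protocol.
 * Every byte must be printable ASCII (0x21-0x7e); space, '/' and '#' are
 * rejected too (assumed allow-list for this example). This single range check
 * rejects ESC (0x1b), BEL (0x07), CR/LF, DEL and every 8-bit byte, which also
 * covers the C1 controls such as the single-byte CSI (0x9b) that many
 * terminals honour. */
bool browse_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (strlen(name) > 127)              /* length cap, an assumption of this example */
        return false;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x21 || *p > 0x7e)      /* control bytes, space, DEL, anything 8-bit */
            return false;
        if (*p == '/' || *p == '#')
            return false;
    }
    return true;
}

/* Display-side defence in depth (what an lpstat-like client should do before
 * printing to a tty): copy src into dst, replacing every C0 control byte, DEL
 * and C1 control byte with '?'. dst is always NUL-terminated and truncated if
 * dstlen is too small. Returns the number of bytes that were replaced. */
size_t sanitize_for_terminal(const char *src, char *dst, size_t dstlen)
{
    size_t replaced = 0, i = 0;
    if (dstlen == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)src;
         *p && i + 1 < dstlen; p++, i++) {
        if (*p < 0x20 || *p == 0x7f || (*p >= 0x80 && *p <= 0x9f)) {
            dst[i] = '?';
            replaced++;
        } else {
            dst[i] = (char)*p;
        }
    }
    dst[i] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed sample names: the first is benign, the rest carry the kind
     * of terminal control sequences an attacker could embed in an announcement. */
    const char *names[] = {
        "HP_LaserJet_4",
        "Evil\x1b]0;owned\x07",          /* OSC: rewrite the terminal title */
        "Evil\x1b[2J\x1b[H",             /* CSI: clear screen, cursor home */
        "Evil\x9b" "31m",                /* 8-bit single-byte CSI, red text */
        "Evil\r\nlp: ready",             /* CR/LF to forge a following output line */
    };
    char buf[128];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        size_t n = sanitize_for_terminal(names[i], buf, sizeof buf);
        printf("%-6s %s (%zu control byte(s) neutralised)\n",
               browse_name_is_safe(names[i]) ? "accept" : "reject", buf, n);
    }
    return 0;
}
```

The gate is deliberately stricter than the sanitizer: a name that reaches the scheduler from an unauthenticated UDP packet has no business containing anything outside the allow-list, whereas the client-side sanitizer only needs to stop the terminal from acting on the bytes. Applying only the client-side fix would still leave every other consumer of the printer list (web interfaces, logs, other tools) to fend for itself.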
Comment 4 Tim Waugh 2014-07-09 12:41:35 UTC
Created attachment 916761 [details]
untested patch

Comment 5 Jiri Popelka 2014-07-10 11:38:14 UTC
(In reply to Tim Waugh from comment #4)
> Created attachment 916761 [details]
> untested patch

I tested it and it works for me.

Comment 6 Shlomi Fish 2015-03-29 07:17:52 UTC
Hi all,

I was referred to this bug from https://bugs.mageia.org/show_bug.cgi?id=15562 .

(In reply to Jiri Popelka from comment #5)
> (In reply to Tim Waugh from comment #4)
> > Created attachment 916761 [details]
> > untested patch
> 
> I tested it and it works for me.

Which version of the Fedora/Red Hat CUPS package is this patch for? It does not seem to apply cleanly against the one from RawHide:

<<<
shlomif@telaviv1:~/progs/Rpms$ cd BUILD/cups-2.0.2/
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ ls
autom4te.cache       CHANGES.txt              desktop           man
backend              conf                     doc               monitor
berkeley             config.h.in              examples          notifier
cgi-bin              config.h.in.lspp         filter            packaging
CHANGES-1.0.txt      config-scripts           install-sh        ppdc
CHANGES-1.1.txt      configure                INSTALL.txt       README.txt
CHANGES-1.2.txt      configure.ac             IPPTOOL.txt       scheduler
CHANGES-1.3.txt      configure.ac.lspp        LICENSE.txt       systemv
CHANGES-1.4.txt      CREDITS.txt              locale            templates
CHANGES-1.5.txt      cups                     Makedefs.in       test
CHANGES-1.6.txt      cups-config.in           Makedefs.in.0755  vcnet
CHANGES-1.7.txt      cups-config.in.multilib  Makedefs.in.lspp  xcode
CHANGES-IPPTOOL.txt  data                     Makefile
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r process_browse .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'Resource FQDN' .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'hptr' .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ 
>>>

(all these identifiers appear in the scheduler/dirsvc.c portion of the patch).

Please enlighten me.

Regards,

-- Shlomi Fish

Comment 7 Tim Waugh 2015-03-31 11:43:05 UTC
It's for RHEL-6. That functionality was removed in CUPS 1.6.

Comment 8 Shlomi Fish 2015-03-31 12:00:18 UTC
(In reply to Tim Waugh from comment #7)
> It's for RHEL-6. That functionality was removed in CUPS 1.6.

Thanks for the insight! I'll update the Mageia bug.

