A flaw was found in the way the CUPS daemon added shared printers announced through the network. A malicious host or user could send a specially crafted UDP packet to a CUPS server that, when processed, could potentially lead to arbitrary code execution with the privileges of the user running the CUPS daemon.
It was reported that ANSI escape sequences could be added to printer names in CUPS. Because CUPS has a browsing feature that, when enabled, allows remote hosts to announce shared printers, a malicious host or user could send a specially-crafted UDP packet to a CUPS server announcing an arbitrary printer name that includes ANSI escape sequences. Since the CUPS daemon does not remove these characters, a user on the targeted system could query the printer list (using 'lpstat -a', for example). If this were done in a terminal that supported the ANSI escape sequences (like a terminal with support for color), then code execution could be possible as the terminal would interpret the ANSI escape sequences contained in the printer name.
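As an added illustration (this is not the attached patch nor CUPS code), the check below shows the defensive rule the description implies: a queue name taken from a browse announcement must not contain control characters such as ESC before it is stored or shown by tools like lpstat. It assumes the queue name is the resource part of the announced URI after "/printers/" or "/classes/", and the sample URIs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the queue name is acceptable, 0 if it contains C0 control
 * characters or DEL (which a terminal could interpret as an escape sequence)
 * or characters CUPS does not allow in a queue name (space, '/', '#'). */
int printer_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f)      /* ESC, CR, LF, BEL, ..., DEL */
            return 0;
        if (strchr(" /#", *p) != NULL)    /* invalid in a CUPS queue name */
            return 0;
    }
    return 1;
}

/* Copies the queue name from an announced printer URI into buf.
 * Assumption: the name follows "/printers/" or "/classes/" in the URI.
 * Returns 0 if no such component exists, the name is empty, or it does not fit. */
int browse_uri_queue_name(const char *uri, char *buf, size_t buflen)
{
    const char *res = strstr(uri, "/printers/");
    if (res == NULL)
        res = strstr(uri, "/classes/");
    if (res == NULL)
        return 0;
    res = strchr(res + 1, '/') + 1;       /* skip "/printers/" or "/classes/" */
    size_t n = strlen(res);
    if (n == 0 || n >= buflen)
        return 0;
    memcpy(buf, res, n + 1);
    return 1;
}

int main(void)
{
    /* Constructed sample announcements; the second smuggles an ESC sequence. */
    const char *uris[] = { "ipp://host.example.com:631/printers/lab1",
                           "ipp://host.example.com:631/printers/lab\x1b[31m1" };
    char name[128];
    for (size_t i = 0; i < 2; i++) {
        if (!browse_uri_queue_name(uris[i], name, sizeof name))
            puts("no queue name in URI: rejected");
        else
            printf("announcement %zu: %s\n", i + 1,
                   printer_name_is_safe(name) ? "accepted" : "rejected (control chars)");
    }
    return 0;
}
```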
Created attachment 916761
untested patch
(In reply to Tim Waugh from comment #4)
> Created attachment 916761
> untested patch
I tested it and it works for me.
I was referred to this bug from https://bugs.mageia.org/show_bug.cgi?id=15562 .
(In reply to Jiri Popelka from comment #5)
> (In reply to Tim Waugh from comment #4)
> > Created attachment 916761
> > untested patch
> I tested it and it works for me.
Which version of the Fedora/Red Hat CUPS package is this patch for? It does not seem to apply cleanly against the one from RawHide:
shlomif@telaviv1:~/progs/Rpms$ cd BUILD/cups-2.0.2/
autom4te.cache CHANGES.txt desktop man
backend conf doc monitor
berkeley config.h.in examples notifier
cgi-bin config.h.in.lspp filter packaging
CHANGES-1.0.txt config-scripts install-sh ppdc
CHANGES-1.1.txt configure INSTALL.txt README.txt
CHANGES-1.2.txt configure.ac IPPTOOL.txt scheduler
CHANGES-1.3.txt configure.ac.lspp LICENSE.txt systemv
CHANGES-1.4.txt CREDITS.txt locale templates
CHANGES-1.5.txt cups Makedefs.in test
CHANGES-1.6.txt cups-config.in Makedefs.in.0755 vcnet
CHANGES-1.7.txt cups-config.in.multilib Makedefs.in.lspp xcode
CHANGES-IPPTOOL.txt data Makefile
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r process_browse .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'Resource FQDN' .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'hptr' .
(all these identifiers appear in the scheduler/dirsvc.c portion of the patch).
Please enlighten me.
-- Shlomi Fish
It's for RHEL-6. That functionality was removed in CUPS 1.6.
(In reply to Tim Waugh from comment #7)
> It's for RHEL-6. That functionality was removed in CUPS 1.6.
Thanks for the insight! I'll update the Mageia bug.