It was reported that ANSI escape sequences could be added to printer names in CUPS. Because CUPS has a browsing feature that, when enabled, allows remote hosts to announce shared printers, a malicious host or user could send a specially-crafted UDP packet to a CUPS server announcing an arbitrary printer name that includes ANSI escape sequences. Since the CUPS daemon does not remove these characters, a user on the targeted system could query the printer list (using 'lpstat -a', for example). If this were done in a terminal that supported the ANSI escape sequences (like a terminal with support for color), then code execution could be possible as the terminal would interpret the ANSI escape sequences contained in the printer name.
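The missing step described above, stripping terminal control characters from an announced name before it is stored or printed, sketched as an added example. It is not the patch in attachment 916761 and not CUPS code; the function names and the choice of '?' as the replacement character are assumptions.

```c
#include <string.h>

/* Byte length of the UTF-8 sequence at s, or 0 if it is malformed or cut
 * short. Structural check only: overlong 3/4-byte forms are not rejected. */
static size_t utf8_len(const unsigned char *s)
{
    size_t n, i;

    if (s[0] < 0x80) return 1;
    if (s[0] < 0xc2) return 0;          /* stray continuation, overlong 2-byte */
    if (s[0] < 0xe0) n = 2;
    else if (s[0] < 0xf0) n = 3;
    else if (s[0] < 0xf5) n = 4;
    else return 0;
    for (i = 1; i < n; i++)
        if ((s[i] & 0xc0) != 0x80) return 0;   /* also stops at the NUL */
    return n;
}

/* Hypothetical helper: copy src to dst, writing '?' in place of C0 controls
 * (ESC included), DEL, UTF-8 encoded C1 controls (U+0080..U+009F) and
 * malformed bytes such as a raw 0x9b.
 * Returns the number of replacements; dst is always NUL-terminated. */
size_t scrub_printer_name(const char *src, char *dst, size_t dstsize)
{
    const unsigned char *s = (const unsigned char *)src;
    size_t out = 0, replaced = 0;

    if (dstsize == 0) return 0;
    while (*s && out + 1 < dstsize) {
        size_t n = utf8_len(s);
        int c1 = (n == 2 && s[0] == 0xc2 && s[1] < 0xa0);

        if (n == 0 || *s < 0x20 || *s == 0x7f || c1) {
            dst[out++] = '?';
            replaced++;
            s += n ? n : 1;
        } else {
            if (out + n >= dstsize) break;     /* never split a sequence */
            memcpy(dst + out, s, n);
            out += n;
            s += n;
        }
    }
    dst[out] = '\0';
    return replaced;
}
```

A non-zero return value is also a useful signal to log, since a legitimate printer announcement has no reason to carry control characters.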
Created attachment 916761 [details] untested patch
(In reply to Tim Waugh from comment #4)
> Created attachment 916761 [details]
> untested patch

I tested it and it works for me.
Hi all,

I was referred to this bug from https://bugs.mageia.org/show_bug.cgi?id=15562 .

(In reply to Jiri Popelka from comment #5)
> (In reply to Tim Waugh from comment #4)
> > Created attachment 916761 [details]
> > untested patch
>
> I tested it and it works for me.

Which version of the Fedora/Red Hat CUPS package is this patch for? It does not seem to apply cleanly against the one from RawHide:

<<<
shlomif@telaviv1:~/progs/Rpms$ cd BUILD/cups-2.0.2/
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ ls
autom4te.cache       CHANGES.txt              desktop           man
backend              conf                     doc               monitor
berkeley             config.h.in              examples          notifier
cgi-bin              config.h.in.lspp         filter            packaging
CHANGES-1.0.txt      config-scripts           install-sh        ppdc
CHANGES-1.1.txt      configure                INSTALL.txt       README.txt
CHANGES-1.2.txt      configure.ac             IPPTOOL.txt       scheduler
CHANGES-1.3.txt      configure.ac.lspp        LICENSE.txt       systemv
CHANGES-1.4.txt      CREDITS.txt              locale            templates
CHANGES-1.5.txt      cups                     Makedefs.in       test
CHANGES-1.6.txt      cups-config.in           Makedefs.in.0755  vcnet
CHANGES-1.7.txt      cups-config.in.multilib  Makedefs.in.lspp  xcode
CHANGES-IPPTOOL.txt  data                     Makefile
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r process_browse .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'Resource FQDN' .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'hptr' .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$
>>>

(all these identifiers appear in the scheduler/dirsvc.c portion of the patch).

Please enlighten me.

Regards,

-- Shlomi Fish
It's for RHEL-6. That functionality was removed in CUPS 1.6.
(In reply to Tim Waugh from comment #7)
> It's for RHEL-6. That functionality was removed in CUPS 1.6.

Thanks for the insight! I'll update the Mageia bug.