Bug 1084577 - (CVE-2014-8166) CVE-2014-8166 cups: code execution via unescape ANSI escape sequences
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20150324,reported=2...
: Security
Depends On:
Blocks: 1084580
Reported: 2014-04-04 14:29 EDT by Vincent Danen
Modified: 2015-04-14 06:55 EDT (History)
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the CUPS daemon added shared printers announced through the network. A malicious host or user could send a specially crafted UDP packet to a CUPS server that, when processed, could potentially lead to arbitrary code execution with the privileges of the user running the CUPS daemon.
Last Closed: 2015-04-14 06:53:32 EDT
Attachments
untested patch (4.72 KB, patch)
2014-07-09 08:41 EDT, Tim Waugh
Description Vincent Danen 2014-04-04 14:29:32 EDT
It was reported that ANSI escape sequences could be added to printer names in CUPS.  Because CUPS has a browsing feature that, when enabled, allows remote hosts to announce shared printers, a malicious host or user could send a specially-crafted UDP packet to a CUPS server announcing an arbitrary printer name that includes ANSI escape sequences.  Since the CUPS daemon does not remove these characters, a user on the targeted system could query the printer list (using 'lpstat -a', for example).  If this were done in a terminal that supported the ANSI escape sequences (like a terminal with support for color), then code execution could be possible as the terminal would interpret the ANSI escape sequences contained in the printer name.
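The check the description says is missing, sketched as an added example: it is not CUPS code and not the patch attached to this bug. The function names and the sample printer name are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes (1 or 2) of a terminal control character starting at s[i], else 0:
 * C0 controls incl. ESC (0x1B), DEL, and UTF-8 encoded C1 (0xC2 0x80-0x9F). */
static size_t control_len(const unsigned char *s, size_t i, size_t n)
{
  if (s[i] < 0x20 || s[i] == 0x7F) return 1;
  if (s[i] == 0xC2 && i + 1 < n && s[i + 1] >= 0x80 && s[i + 1] <= 0x9F) return 2;
  return 0;
}

/* Hypothetical check for a name taken from a browse packet: 1 = accept. */
int printer_name_is_safe(const char *name)
{
  size_t n = strlen(name), i;
  for (i = 0; i < n; i++)
    if (control_len((const unsigned char *)name, i, n))
      return 0;
  return n > 0;
}

/* Copy name to out with every control byte shown as a literal \xNN, so
 * printing it cannot drive the terminal. Returns -1 if out is too small. */
int escape_printer_name(const char *name, char *out, size_t outsize)
{
  const unsigned char *s = (const unsigned char *)name;
  size_t n = strlen(name), i, j, o = 0;
  if (outsize == 0) return -1;
  for (i = 0; i < n; i++) {
    size_t c = control_len(s, i, n), need = c ? 4 * c : 1;
    if (o + need + 1 > outsize) { out[0] = '\0'; return -1; }
    if (c == 0) { out[o++] = (char)s[i]; continue; }
    for (j = 0; j < c; j++)
      o += (size_t)snprintf(out + o, outsize - o, "\\x%02X", (unsigned)s[i + j]);
    i += c - 1;
  }
  out[o] = '\0';
  return 0;
}

int main(void)
{
  char shown[64];
  escape_printer_name("office\x1b[2Jlaser", shown, sizeof(shown)); /* constructed name */
  puts(shown);
  return 0;
}
```

Rejecting the name when it arrives keeps it out of the printer list altogether; escaping at display time covers names that were stored before such a check existed.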
Comment 4 Tim Waugh 2014-07-09 08:41:35 EDT
Created attachment 916761 [details]
untested patch
Comment 5 Jiri Popelka 2014-07-10 07:38:14 EDT
(In reply to Tim Waugh from comment #4)
> Created attachment 916761 [details]
> untested patch

I tested it and it works for me.
Comment 6 Shlomi Fish 2015-03-29 03:17:52 EDT
Hi all,

I was referred to this bug from https://bugs.mageia.org/show_bug.cgi?id=15562 .

(In reply to Jiri Popelka from comment #5)
> (In reply to Tim Waugh from comment #4)
> > Created attachment 916761 [details]
> > untested patch
> 
> I tested it and it works for me.

Which version of the Fedora/Red Hat CUPS package is this patch for? It does not seem to apply cleanly against the one from RawHide:

<<<
shlomif@telaviv1:~/progs/Rpms$ cd BUILD/cups-2.0.2/
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ ls
autom4te.cache       CHANGES.txt              desktop           man
backend              conf                     doc               monitor
berkeley             config.h.in              examples          notifier
cgi-bin              config.h.in.lspp         filter            packaging
CHANGES-1.0.txt      config-scripts           install-sh        ppdc
CHANGES-1.1.txt      configure                INSTALL.txt       README.txt
CHANGES-1.2.txt      configure.ac             IPPTOOL.txt       scheduler
CHANGES-1.3.txt      configure.ac.lspp        LICENSE.txt       systemv
CHANGES-1.4.txt      CREDITS.txt              locale            templates
CHANGES-1.5.txt      cups                     Makedefs.in       test
CHANGES-1.6.txt      cups-config.in           Makedefs.in.0755  vcnet
CHANGES-1.7.txt      cups-config.in.multilib  Makedefs.in.lspp  xcode
CHANGES-IPPTOOL.txt  data                     Makefile
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r process_browse .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'Resource FQDN' .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'hptr' .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ 
>>>

(all these identifiers appear in the scheduler/dirsvc.c portion of the patch).

Please enlighten me.

Regards,

-- Shlomi Fish
Comment 7 Tim Waugh 2015-03-31 07:43:05 EDT
It's for RHEL-6. That functionality was removed in CUPS 1.6.
Comment 8 Shlomi Fish 2015-03-31 08:00:18 EDT
(In reply to Tim Waugh from comment #7)
> It's for RHEL-6. That functionality was removed in CUPS 1.6.

Thanks for the insight! I'll update the Mageia bug.
