It was reported that ANSI escape sequences could be added to printer names in CUPS. Because CUPS has a browsing feature that, when enabled, allows remote hosts to announce shared printers, a malicious host or user could send a specially-crafted UDP packet to a CUPS server announcing an arbitrary printer name that includes ANSI escape sequences. Since the CUPS daemon does not remove these characters, a user on the targeted system could query the printer list (using 'lpstat -a', for example). If this were done in a terminal that supported the ANSI escape sequences (like a terminal with support for color), then code execution could be possible as the terminal would interpret the ANSI escape sequences contained in the printer name.
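The missing step described in the report above, sketched as an added example (this is not CUPS code and not the attached patch): an untrusted printer name is neutralized before it reaches a terminal. The function name sanitize_printer_name, the '?' replacement character and the sample name are assumptions made for illustration, and the C1 handling assumes a UTF-8 terminal.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from CUPS or the attached patch): copy an
 * untrusted printer name into dst, replacing terminal control bytes with '?'.
 * Returns the number of bytes replaced, or -1 if dst is too small. */
int sanitize_printer_name(const char *src, char *dst, size_t dstsize)
{
    size_t i, n = strlen(src);
    int replaced = 0;

    if (dstsize == 0 || n >= dstsize)
        return -1;

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];

        if (c < 0x20 || c == 0x7f) {
            /* C0 controls (including ESC, 0x1b) and DEL */
            dst[i] = '?';
            replaced++;
        } else if (c == 0xc2 && i + 1 < n &&
                   (unsigned char)src[i + 1] >= 0x80 &&
                   (unsigned char)src[i + 1] <= 0x9f) {
            /* UTF-8 encoded C1 controls U+0080..U+009F (including CSI) */
            dst[i] = '?';
            dst[i + 1] = '?';
            i++;
            replaced += 2;
        } else {
            dst[i] = (char)c;   /* printable ASCII and other UTF-8 bytes */
        }
    }
    dst[n] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed sample: a printer name carrying an SGR colour sequence. */
    const char *announced = "lab\x1b[31mjet";
    char safe[64];
    int r = sanitize_printer_name(announced, safe, sizeof(safe));

    printf("replaced=%d name=%s\n", r, safe);
    return 0;
}
```

Neutralizing at display time protects the terminal even when the name was stored unmodified; rejecting such names when the browse packet is received keeps them out of the printer list altogether.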
Created attachment 916761 [details]
(In reply to Tim Waugh from comment #4)
> Created attachment 916761 [details]
> untested patch
I tested it and it works for me.
I was referred to this bug from https://bugs.mageia.org/show_bug.cgi?id=15562 .
(In reply to Jiri Popelka from comment #5)
> (In reply to Tim Waugh from comment #4)
> > Created attachment 916761 [details]
> > untested patch
> I tested it and it works for me.
Which version of the Fedora/Red Hat CUPS package is this patch for? It does not seem to apply cleanly against the one from RawHide:
shlomif@telaviv1:~/progs/Rpms$ cd BUILD/cups-2.0.2/
autom4te.cache CHANGES.txt desktop man
backend conf doc monitor
berkeley config.h.in examples notifier
cgi-bin config.h.in.lspp filter packaging
CHANGES-1.0.txt config-scripts install-sh ppdc
CHANGES-1.1.txt configure INSTALL.txt README.txt
CHANGES-1.2.txt configure.ac IPPTOOL.txt scheduler
CHANGES-1.3.txt configure.ac.lspp LICENSE.txt systemv
CHANGES-1.4.txt CREDITS.txt locale templates
CHANGES-1.5.txt cups Makedefs.in test
CHANGES-1.6.txt cups-config.in Makedefs.in.0755 vcnet
CHANGES-1.7.txt cups-config.in.multilib Makedefs.in.lspp xcode
CHANGES-IPPTOOL.txt data Makefile
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r process_browse .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'Resource FQDN' .
shlomif@telaviv1:~/progs/Rpms/BUILD/cups-2.0.2$ grep -r 'hptr' .
(all these identifiers appear in the scheduler/dirsvc.c portion of the patch).
Please enlighten me.
-- Shlomi Fish
It's for RHEL-6. That functionality was removed in CUPS 1.6.
(In reply to Tim Waugh from comment #7)
> It's for RHEL-6. That functionality was removed in CUPS 1.6.
Thanks for the insight! I'll update the Mageia bug.