|
Message-ID: <5510EB20.7020405@redhat.com>
Date: Mon, 23 Mar 2015 22:42:08 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
security@...le.com
Subject: CVE-2014-8166 cups: code execution via unescape ANSI escape sequences
So this one is pretty hard to cause exploitation without heavy social
engineering/etc.
https://bugzilla.redhat.com/show_bug.cgi?id=1084577
It was reported that ANSI escape sequences could be added to printer
names in CUPS. Becaue CUPS has a browsing feature that, when enabled,
allows remote hosts to announce shared printers, a malicious host or
user could send a specially-crafted UDP packet to a CUPS server
announcing an arbitrary printer name that includes ANSI escape
sequences. Since the CUPS daemon does not remove these characters, a
user on the targeted system could query the printer list (using 'lpstat
-a', for example). If this were done in a terminal that supported the
ANSI escape sequences (like a terminal with support for color), then
code execution could be possible as the terminal would interpret the
ANSI escape sequences contained in the printer name.
A patch for this is available at
https://bugzilla.redhat.com/attachment.cgi?id=916761
My apologies, this issue has been sitting way to long and is certainly
not worth a long embargo.
I can't wait till I'm done cleaning house of all these embargoed issues
that shouldn't be embargoed. I strongly urge other vendors to do the same.
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.