Your submission was sent successfully! Close

CVE-2014-8166

Published: 12 January 2018

The browsing feature in the server in CUPS does not filter ANSI escape sequences from shared printer names, which might allow remote attackers to execute arbitrary code via a crafted printer name.

Priority

Low

CVSS 3 base score: 8.8

Status

Package Release Status
cups
Launchpad, Ubuntu, Debian
artful Not vulnerable
(code not present)
bionic Not vulnerable
(code not present)
lucid Ignored
(reached end-of-life)
precise Does not exist
(precise was needs-triage)
trusty Does not exist
(trusty was not-affected [code not present])
upstream Needs triage

utopic Ignored
(reached end-of-life)
vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Not vulnerable
(code not present)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)

Notes

AuthorNote
sbeattie
printer names with ANSI escape sequences were allowed, can
cause issues when doing lpstat -a in a terminal
requires malicious adding of printers
mdeslaur
this code was removed in cups 1.6

References

Bugs