• 2 Posts
  • 211 Comments
Joined 1 year ago
cake
Cake day: June 6th, 2023

help-circle













  • Our physics department used KDE managed over network shares implemented by one professor in his free time, in complete defiance of the rest of the university which used windows.

    Even now they’re still holding out strong, whilst Microsoft eats the rest of the university alive.
    (sidenote: I get it, tech support in Linux is vritually non-existent, whilst tech-support in Windows is everywhere)





  • The questionable commit:

        {
          // Add the first line of localized text...
          cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
          while (*text && *text != '\n')
          {
            // Escape ":" and "<"...
            if (*text == ':' || *text == '<')
              cupsFilePrintf(fp, "<%02X>", *text);
            else
              cupsFilePutChar(fp, *text);
            text ++;
          }
          cupsFilePuts(fp, ": \"\"\n");
        }
    

    Can someone explain to me how this allows arbitrary code execution? As far as I can see, all it does iterate through a string and markup some special characters.

    Edit: Okay, after reading the blog post, and this fantastic bug report, it sounds like to print to a CUPS server, you send it a message on port 631 using an IPP (some print protocol) server. CUPS then requests attributes of the IPP server, one of which being the print filter command to run (“Foomatic-rip”) to use to convert a PS or PDF into native print code. By requesting attributes, an exploit involving string escaping through the use of unexpected spaces or quotes can override the Foomatic print command. Arbitrary text can be supplanted, which will then be executed by the CUPS server.