Bug 1035243 (CVE-2013-6402)

Summary: CVE-2013-6402 hplip: insecure temporary file handling in pkit.py
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jkurik, jpopelka, jrusnack, pfrields, twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-28 05:38:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1035244    
Bug Blocks: 1035247    

Description Ratul Gupta 2013-11-27 11:12:51 UTC 
A temporary file handling flaw was found in hplip/pkit.py. Because a predicatable temporary filename is used, an attacker could use a symlink attack to overwrite an arbitrary file with the privileges of the process running hplip.

This is a different flaw than CVE-2013-0200.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725876
Comment 1 Ratul Gupta 2013-11-27 11:15:01 UTC 
Created hplip tracking bugs for this issue:

Affects: fedora-all [bug 1035244]
Comment 3 Huzaifa S. Sidhpurwala 2013-11-28 05:33:49 UTC 
This issue has been assigned CVE-2013-6402 as per:
http://seclists.org/oss-sec/2013/q4/358
Comment 4 Huzaifa S. Sidhpurwala 2013-11-28 05:38:33 UTC 
Quoting from https://bugzilla.redhat.com/show_bug.cgi?id=1035244#c2

The affected code, which implements the BackendServer class, is shipped (base/pkit.py). However, it only does so if the "policy-kit" configuration variable is set to yes -- and that is not the default for Red Hat Enterprise Linux

Additionally, even if the configuration is changed, the BackendServer class is only instantiated in the pkservice.py module -- and this is explicitly *not* shipped

Statement:

Not Vulnerable. This issue does not affect the version of hplip as shipped with Red Hat Enterprise Linux 5 and 6. This issue does not affect the version of hplip3 as shipped with Red Hat Enterprise Linux 5.