Bug 319921 (CVE-2007-5208)

Summary: CVE-2007-5208 hplip arbitrary command execution
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jrusnack, kreilly, twaugh, ykopkova
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-12-19 10:34:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 320011, 320021, 329111, 329121    
Bug Blocks:    
Attachments:
Description Flags
Patch provided by Kees none

Description Tomas Hoger 2007-10-05 10:16:30 UTC 
Kees Cook of the Ubuntu Security Team has informed us of following security
vulnerability in hplip:

I just discovered that the hpssd daemon of hplip is vulnerable to
arbitrary command injection via its use of popen3.  Other local users
can run commands as the invoker of hpssd (usually root, hplip, or a
local user).  By default, it only listens on localhost, but this is
configurable via /etc/hp/hplip.conf, so in the worst-case it is possible
this could allow remote root command execution.

Both 2.x and 1.x series appear vulnerable (but not 0.x which used SMTP).

The bug for this is: https://launchpad.net/bugs/149121
Comment 1 Tomas Hoger 2007-10-05 10:18:29 UTC 
Created attachment 217201 [details]
Patch provided by Kees
Comment 3 Tomas Hoger 2007-10-05 10:29:26 UTC 
hplip is shipped with Red Hat Enterprise Linux 5.  This is default configuration:

- hpssd daemon in enabled by default after hplip package is installed
- hpssd only listens on 127.0.0.1
- hpssd is run under user root
- hpssd is further restricted by SELinux policy, daemon runs confined in hplip_t
domain

In Fedora 7, hpssd is not enabled by default.
Comment 9 Tomas Hoger 2007-10-08 09:42:53 UTC 
Correction to comment #3:

hpssd IS enabled by default after hplip package installation on current Fedora
versions (FC6, F7).  Upcoming Fedora 8 does not run hpssd daemon any more.
Comment 11 Mark J. Cox 2007-10-11 17:56:38 UTC 
removing embargo, now public.
Comment 14 Tomas Hoger 2007-12-19 10:34:47 UTC 
Issue was fixed in affected Red Hat Enterprise Linux:

https://rhn.redhat.com/errata/RHSA-2007-0960.html

and Fedora versions:

https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00217.html
https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2527