Bug 725830 (CVE-2011-2722)

Summary: CVE-2011-2722 hplip: insecure temporary file handling
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jpopelka, jrusnack, twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: public=20110713,reported=20110726,source=suse,impact=low,cvss2=1.9/AV:L/AC:M/Au:N/C:N/I:P/A:N,rhel-5/hplip=notaffected,rhel-6/hplip=affected,rhel-5/hplip3=affected,fedora-all/hplip=affected,cwe=CWE-377
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 23:31:02 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 725831, 846232, 883650    
Bug Blocks: 816611, 855229    
Attachments:
Description Flags
hplip-CVE-2011-2722.patch none

Description Vincent Danen 2011-07-26 13:27:49 EDT
A temporary file handling flaw was reported [1] in prnt/hpijs/hpcupsfax.cpp, the hplip HP CUPS filter.  Because a predicatable temporary filename is used (/tmp/hpcupsfax.out), an attacker could use a symlink attack to overwrite an arbitrary file with the privileges of the process running the HP CUPS fax filter.

422     FILE    *fp;
423     fp = NULL;
424     if (iLogLevel & SAVE_PCL_FILE)
425     {
426         fp = fopen ("/tmp/hpcupsfax.out", "w");
427         system ("chmod 666 /tmp/hpcupsfax.out");
428     }
429     while ((i = read (fdFax, pTmp, iSize)) > 0)
430     {
431         write (STDOUT_FILENO, pTmp, i);
432         if (iLogLevel & SAVE_PCL_FILE && fp)
433         {
434             fwrite (pTmp, 1, i, fp);
435         }
436     }
437     free (pTmp);

This flaw only exists in hplip 3.x and is not present in earlier versions of hplip.

[1] https://bugzilla.novell.com/show_bug.cgi?id=704608


Statement:

This issue did not affect the versions of hplip as shipped with Red Hat Enterprise Linux 5. A future update in Red Hat Enterprise Linux 5 (for hplip3) and 6 may address this flaw.
Comment 1 Vincent Danen 2011-07-26 13:29:27 EDT
Created hplip tracking bugs for this issue

Affects: fedora-all [bug 725831]
Comment 2 Vincent Danen 2011-07-26 16:44:58 EDT
This was assigned the name CVE-2011-2722:

http://www.openwall.com/lists/oss-security/2011/07/26/14
Comment 3 Tim Waugh 2011-07-29 05:48:08 EDT
Created attachment 515866 [details]
hplip-CVE-2011-2722.patch

Suggested patch.  This patch keeps the predictable filename since it needs to be located by the operator after a print job; however, it now creates the file safely.
Comment 4 Jiri Popelka 2011-10-04 09:04:42 EDT
Note:

Upstream (HPLIP) bug is https://bugs.launchpad.net/hplip/+bug/809904

Fix for this problem was released in upstream version hplip-3.11.10.
http://hplipopensource.com/hplip-web/release_notes.html
Comment 7 errata-xmlrpc 2013-01-08 00:12:57 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0133 https://rhn.redhat.com/errata/RHSA-2013-0133.html
Comment 9 errata-xmlrpc 2013-02-21 02:55:52 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0500 https://rhn.redhat.com/errata/RHSA-2013-0500.html
Comment 10 Huzaifa S. Sidhpurwala 2013-02-21 23:31:02 EST
Statement:

(none)