Bug 758374 (CVE-2011-4405)

Summary: CVE-2011-4405 system-config-printer: possible MITM due to use of insecure connections
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: jpopelka, twaugh
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-11-30 17:45:25 UTC
Bug Depends On: 758385
Bug Blocks: 758381
Attachments: patch from Debian to correct the issue (flags: none)

Description Vincent Danen 2011-11-29 17:25:04 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4405 to
the following vulnerability:

Name: CVE-2011-4405
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4405
Assigned: 20111107
Reference: http://www.ubuntu.com/usn/USN-1265-1
Reference: http://www.securityfocus.com/bid/50721
Reference: http://osvdb.org/77214
Reference: http://secunia.com/advisories/46909
Reference: XF:systemconfigprinter-packages-mitm(71394)
Reference: http://xforce.iss.net/xforce/xfdb/71394

The cupshelpers scripts in system-config-printer in Ubuntu 11.04 and
11.10, as used by the automatic printer driver download service, uses
an "insecure connection" for queries to the OpenPrinting database,
which allows remote attackers to execute arbitrary code via a
man-in-the-middle (MITM) attack that modifies packages or
repositories.


A patch [1] is available to correct this flaw, and the affected openprinting.py script is found in both Red Hat Enterprise Linux 6 and Fedora.  The original bug [2] is still private.

[1] http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/oneiric/system-config-printer/oneiric-security/revision/209/debian/patches/74_CVE-2011-4405.patch
[2] https://bugs.launchpad.net/ubuntu/+source/system-config-printer/+bug/882553
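
The following is an added example, not the referenced patch and not code from system-config-printer: a client-side guard for the condition the CVE text calls an "insecure connection", under the assumption that this means transport that is unencrypted or not certificate-verified. All names (`require_https`, `query_driver_db`, the `db.example.test` host used in testing) are hypothetical.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit


class InsecureTransportError(ValueError):
    """Raised when a query or a redirect would leave verified HTTPS."""


def require_https(url):
    """Return url unchanged if it is https:// with a host, else raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise InsecureTransportError("refusing non-HTTPS URL: %r" % url)
    return url


class HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """Reject redirects that would downgrade the connection to plain HTTP."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener():
    """Return (ssl context, opener); the context verifies cert and hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), HttpsOnlyRedirects())
    return ctx, opener


def query_driver_db(url, timeout=10):
    """Fetch driver metadata only over verified TLS (hypothetical helper)."""
    require_https(url)
    _, opener = build_opener()
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```

Transport checks protect the query only; anything the response points to for installation still needs its own integrity check, such as a package signature.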

Comment 1 Vincent Danen 2011-11-29 17:34:10 UTC
Created attachment 538144
patch from Debian to correct the issue

Local copy of the patch to fix the flaw.

Comment 2 Vincent Danen 2011-11-29 17:35:07 UTC
Created system-config-printer tracking bugs for this issue

Affects: fedora-all [bug 758385]

Comment 3 Tim Waugh 2011-11-29 17:38:11 UTC
Note that nothing we ship in Fedora or Red Hat Enterprise Linux is actually
vulnerable to this.

Ubuntu was vulnerable in two ways as I understand it.

Firstly, Jockey (their automated firmware downloader) uses the openprinting
download functionality, and we do not ship Jockey.

Secondly there is a facility in system-config-printer for installing drivers
from openprinting.org.  However, we ship system-config-printer in such a way
that it does *not* install driver packages from openprinting.org, only PPDs
(with user consent).  This is not user-configurable -- Ubuntu ships with this
changed at source level.

Comment 6 Vincent Danen 2011-11-30 17:45:25 UTC
Statement:

Not vulnerable. This issue did not affect the versions of system-config-printer as shipped with Red Hat Enterprise Linux 4, 5, or 6 as they did not include support for installing driver packages from the OpenPrinting database, only PPDs (with user consent).