Bug 894283 (CVE-2012-6108)

Summary: CVE-2012-6108 hplip: default permissions for /var/log/hp are too open
Product: [Other] Security Response
Reporter: Petr Sklenar <psklenar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: azelinka, huzaifas, mjc, twaugh
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-01-21 03:57:47 UTC
Type: Bug

Comment 9 Huzaifa S. Sidhpurwala 2013-01-21 03:55:07 UTC
It was found that /var/log/hp and /var/log/hp/tmp are both world-writeable in hplip 3.12.x. This flaw could be used to delete log files from the /var/log/hp directory. 

This flaw has been assigned CVE-2012-6108.

External Reference:

https://bugs.launchpad.net/hplip/+bug/1016507/comments/1
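
The following check is an added example, not part of the bug report or of hplip. It lists world-writable directories at or below a log path and separates those without the sticky bit, where any local user can delete entries as comment 9 describes, from those with it. The function name and the risk labels are assumptions made for illustration.

```python
import os
import stat
import sys


def audit_world_writable(root):
    """Return sorted (path, octal_mode, risk) tuples for world-writable
    directories at or below root. Symlinks are not followed."""
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(root, followlinks=False):
        st = os.lstat(dirpath)
        if not stat.S_ISDIR(st.st_mode):
            continue  # root itself was a symlink; do not trust its target
        if not st.st_mode & stat.S_IWOTH:
            continue  # "other" has no write bit: not world-writable
        mode = format(stat.S_IMODE(st.st_mode), "04o")
        if st.st_mode & stat.S_ISVTX:
            # Sticky bit set: others can create entries, but can only
            # delete or rename entries they own.
            risk = "create"
        else:
            # No sticky bit: any local user can delete or rename any
            # entry, including log files owned by other users.
            risk = "create-delete"
        findings.append((dirpath, mode, risk))
    return sorted(findings)


if __name__ == "__main__":
    # Default path is the directory named in the bug summary.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/log/hp"
    results = audit_world_writable(target)
    for path, mode, risk in results:
        print(f"{mode} {risk:<13} {path}")
    sys.exit(1 if results else 0)
```
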

Comment 10 Huzaifa S. Sidhpurwala 2013-01-21 03:57:10 UTC
Statement:

Not Vulnerable. This issue does not affect the version of hplip and hplip3 as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of hplip as shipped with Red Hat Enterprise Linux 6.

Comment 11 Huzaifa S. Sidhpurwala 2013-01-21 03:57:47 UTC
This issue does not affect the version of hplip as shipped with Fedora 16, Fedora 17 and Fedora 18.