Red Hat Bugzilla – Bug 130951
CAN-2004-0801 cupsomatic arbitrary command execution issue
Last modified: 2007-11-30 17:07:03 EST
The cupsomatic driver in foomatic has an issue where if a properly
named file is handed to lpr for printing, it can cause arbitrary
I'll attach the patch when it becomes available.
Fedora core is handled by bug 130949
This issue should also affect RHEL2.1
Created attachment 103115 [details]
This is based on the patch that Klaus Singvogel sent.
Created attachment 103143 [details]
Here's a more detailed patch from Till, it's expected to go into upstream.
Although RHEL2.1 includes the affected code, it does not include CUPS
-- lpdomatic is used instead of cupsomatic.
I think there are some dangerous bits of code in there too.
From Tim Waugh:
The exploit certainly works (with foomatic 3.x) but on closer
inspection it looks like this *particular* exploit only affects the
foomatic-rip script, and that first appeared in foomatic-3.0. We ship
foomatic-2.0.2 in RHEL3.
There were other problems that I fixed however, including an exploit
via the job's title. I can't see any way of exploiting any of these
from the default installation though, and even when customized it has
to be a very unusual type of customization.
To get an exploit to work on RHEL3 I think the administrator would
have to configure CUPS to get foomatic to convert text jobs to
PostScript, rather than performing the task with its own pstops program.
For RHEL-2.1, the only dangerous "open" in lpdomatic was for the data
blob file, which is not user-configurable but may only be changed by
So it actually looks to me like we might not need an advisory here.
I'm in agreement, this does not require a security advisory and can
simply be fixed with the next update that happens to require updated
(Leaving bug open until it becomes unembargoed)