Kees Cook of the Ubuntu Security Team has informed us of following security vulnerability in hplip: I just discovered that the hpssd daemon of hplip is vulnerable to arbitrary command injection via its use of popen3. Other local users can run commands as the invoker of hpssd (usually root, hplip, or a local user). By default, it only listens on localhost, but this is configurable via /etc/hp/hplip.conf, so in the worst-case it is possible this could allow remote root command execution. Both 2.x and 1.x series appear vulnerable (but not 0.x which used SMTP). The bug for this is: https://launchpad.net/bugs/149121
Created attachment 217201 [details] Patch provided by Kees
hplip is shipped with Red Hat Enterprise Linux 5. This is default configuration: - hpssd daemon in enabled by default after hplip package is installed - hpssd only listens on 127.0.0.1 - hpssd is run under user root - hpssd is further restricted by SELinux policy, daemon runs confined in hplip_t domain In Fedora 7, hpssd is not enabled by default.
Correction to comment #3: hpssd IS enabled by default after hplip package installation on current Fedora versions (FC6, F7). Upcoming Fedora 8 does not run hpssd daemon any more.
removing embargo, now public.
Issue was fixed in affected Red Hat Enterprise Linux: https://rhn.redhat.com/errata/RHSA-2007-0960.html and Fedora versions: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00217.html https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2527