Bug 319921 - (CVE-2007-5208) CVE-2007-5208 hplip arbitrary command execution
CVE-2007-5208 hplip arbitrary command execution
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
source=vendorsec,impact=important,rep...
: Security
Depends On: 320011 320021 329111 329121
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-05 06:16 EDT by Tomas Hoger
Modified: 2014-11-10 08:33 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-19 05:34:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch provided by Kees (3.66 KB, patch)
2007-10-05 06:18 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2007-10-05 06:16:30 EDT
Kees Cook of the Ubuntu Security Team has informed us of following security
vulnerability in hplip:

I just discovered that the hpssd daemon of hplip is vulnerable to
arbitrary command injection via its use of popen3.  Other local users
can run commands as the invoker of hpssd (usually root, hplip, or a
local user).  By default, it only listens on localhost, but this is
configurable via /etc/hp/hplip.conf, so in the worst-case it is possible
this could allow remote root command execution.

Both 2.x and 1.x series appear vulnerable (but not 0.x which used SMTP).

The bug for this is: https://launchpad.net/bugs/149121
Comment 1 Tomas Hoger 2007-10-05 06:18:29 EDT
Created attachment 217201 [details]
Patch provided by Kees
Comment 3 Tomas Hoger 2007-10-05 06:29:26 EDT
hplip is shipped with Red Hat Enterprise Linux 5.  This is default configuration:

- hpssd daemon in enabled by default after hplip package is installed
- hpssd only listens on 127.0.0.1
- hpssd is run under user root
- hpssd is further restricted by SELinux policy, daemon runs confined in hplip_t
domain

In Fedora 7, hpssd is not enabled by default.
Comment 9 Tomas Hoger 2007-10-08 05:42:53 EDT
Correction to comment #3:

hpssd IS enabled by default after hplip package installation on current Fedora
versions (FC6, F7).  Upcoming Fedora 8 does not run hpssd daemon any more.
Comment 11 Mark J. Cox (Product Security) 2007-10-11 13:56:38 EDT
removing embargo, now public.

Note You need to log in before you can comment on or make changes to this bug.