Bug 319921 (CVE-2007-5208) - CVE-2007-5208 hplip arbitrary command execution
Summary: CVE-2007-5208 hplip arbitrary command execution
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-5208
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 320011 320021 329111 329121
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-10-05 10:16 UTC by Tomas Hoger
Modified: 2019-09-29 12:21 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-12-19 10:34:47 UTC
Embargoed:


Attachments (Terms of Use)
Patch provided by Kees (3.66 KB, patch)
2007-10-05 10:18 UTC, Tomas Hoger
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0960 0 normal SHIPPED_LIVE Important: hplip security update 2007-10-11 18:26:04 UTC

Description Tomas Hoger 2007-10-05 10:16:30 UTC
Kees Cook of the Ubuntu Security Team has informed us of following security
vulnerability in hplip:

I just discovered that the hpssd daemon of hplip is vulnerable to
arbitrary command injection via its use of popen3.  Other local users
can run commands as the invoker of hpssd (usually root, hplip, or a
local user).  By default, it only listens on localhost, but this is
configurable via /etc/hp/hplip.conf, so in the worst-case it is possible
this could allow remote root command execution.

Both 2.x and 1.x series appear vulnerable (but not 0.x which used SMTP).

The bug for this is: https://launchpad.net/bugs/149121

Comment 1 Tomas Hoger 2007-10-05 10:18:29 UTC
Created attachment 217201 [details]
Patch provided by Kees

Comment 3 Tomas Hoger 2007-10-05 10:29:26 UTC
hplip is shipped with Red Hat Enterprise Linux 5.  This is default configuration:

- hpssd daemon in enabled by default after hplip package is installed
- hpssd only listens on 127.0.0.1
- hpssd is run under user root
- hpssd is further restricted by SELinux policy, daemon runs confined in hplip_t
domain

In Fedora 7, hpssd is not enabled by default.


Comment 9 Tomas Hoger 2007-10-08 09:42:53 UTC
Correction to comment #3:

hpssd IS enabled by default after hplip package installation on current Fedora
versions (FC6, F7).  Upcoming Fedora 8 does not run hpssd daemon any more.

Comment 11 Mark J. Cox 2007-10-11 17:56:38 UTC
removing embargo, now public.


Note You need to log in before you can comment on or make changes to this bug.