Bug 725830 - (CVE-2011-2722) CVE-2011-2722 hplip: insecure temporary file handling
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 725831 846232 883650
Blocks: 816611 855229
Reported: 2011-07-26 13:27 EDT by Vincent Danen
Modified: 2014-11-20 15:02 EST

Doc Type: Bug Fix
Last Closed: 2013-02-21 23:31:02 EST

Attachments
hplip-CVE-2011-2722.patch (747 bytes, patch)
2011-07-29 05:48 EDT, Tim Waugh
Description Vincent Danen 2011-07-26 13:27:49 EDT
A temporary file handling flaw was reported [1] in prnt/hpijs/hpcupsfax.cpp, the hplip HP CUPS filter.  Because a predictable temporary filename is used (/tmp/hpcupsfax.out), an attacker could use a symlink attack to overwrite an arbitrary file with the privileges of the process running the HP CUPS fax filter.

    FILE    *fp;
    fp = NULL;
    if (iLogLevel & SAVE_PCL_FILE)
    {
        fp = fopen ("/tmp/hpcupsfax.out", "w");
        system ("chmod 666 /tmp/hpcupsfax.out");
    }
    while ((i = read (fdFax, pTmp, iSize)) > 0)
    {
        write (STDOUT_FILENO, pTmp, i);
        if (iLogLevel & SAVE_PCL_FILE && fp)
        {
            fwrite (pTmp, 1, i, fp);
        }
    }
    free (pTmp);

This flaw only exists in hplip 3.x and is not present in earlier versions of hplip.



This issue did not affect the versions of hplip as shipped with Red Hat Enterprise Linux 5. A future update in Red Hat Enterprise Linux 5 (for hplip3) and 6 may address this flaw.
Comment 1 Vincent Danen 2011-07-26 13:29:27 EDT
Created hplip tracking bugs for this issue

Affects: fedora-all [bug 725831]
Comment 2 Vincent Danen 2011-07-26 16:44:58 EDT
This was assigned the name CVE-2011-2722:
Comment 3 Tim Waugh 2011-07-29 05:48:08 EDT
Created attachment 515866

Suggested patch.  This patch keeps the predictable filename since it needs to be located by the operator after a print job; however, it now creates the file safely.
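
One way to keep a fixed, operator-findable filename while creating the file safely, as Comment 3 describes in general terms. This is an added example, not the attached hplip-CVE-2011-2722.patch or upstream hplip code; open_debug_dump and symlink_demo are hypothetical names, and the scratch directory and file contents are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from hplip): create a fixed-name debug file
 * without writing through a link planted at that name. */
FILE *open_debug_dump(const char *path)
{
    /* unlink() removes the name itself, never a link's target. If it fails
     * (another user's entry in sticky /tmp), O_EXCL below refuses: EEXIST. */
    (void)unlink(path);
    /* O_CREAT|O_EXCL succeeds only if this call creates the name;
     * mode 0600 replaces the original chmod 666. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Constructed scenario: plant dump -> victim in a scratch directory and
 * write via the helper. Returns 1 if victim is unchanged and the dump is
 * a regular file, 0 if not, -1 on setup failure. */
int symlink_demo(void)
{
    char dir[] = "/tmp/dumpdemo.XXXXXX", victim[64], dump[64], buf[16] = "";
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/hpcupsfax.out", dir);
    FILE *v = fopen(victim, "w");
    if (v == NULL || fputs("keep", v) < 0 || fclose(v) != 0) return -1;
    if (symlink(victim, dump) != 0) return -1;
    FILE *fp = open_debug_dump(dump);
    if (fp == NULL || fputs("PCL data", fp) < 0 || fclose(fp) != 0) return 0;
    v = fopen(victim, "r");
    if (v == NULL || fgets(buf, sizeof buf, v) == NULL) return 0;
    fclose(v);
    int ok = strcmp(buf, "keep") == 0 && lstat(dump, &st) == 0 && S_ISREG(st.st_mode);
    unlink(dump); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) { return symlink_demo() == 1 ? 0 : 1; }
```

With the original fopen ("...", "w") call the same scenario truncates the victim file, because fopen follows the planted link.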
Comment 4 Jiri Popelka 2011-10-04 09:04:42 EDT

Upstream (HPLIP) bug is

Fix for this problem was released in upstream version hplip-3.11.10.
Comment 7 errata-xmlrpc 2013-01-08 00:12:57 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0133
Comment 9 errata-xmlrpc 2013-02-21 02:55:52 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0500
Comment 10 Huzaifa S. Sidhpurwala 2013-02-21 23:31:02 EST

