Bug 725830 - (CVE-2011-2722) CVE-2011-2722 hplip: insecure temporary file handling
CVE-2011-2722 hplip: insecure temporary file handling
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 725831 846232 883650
Blocks: 816611 855229
  Show dependency treegraph
Reported: 2011-07-26 13:27 EDT by Vincent Danen
Modified: 2014-11-20 15:02 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-02-21 23:31:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
hplip-CVE-2011-2722.patch (747 bytes, patch)
2011-07-29 05:48 EDT, Tim Waugh
no flags Details | Diff

  None (edit)
Description Vincent Danen 2011-07-26 13:27:49 EDT
A temporary file handling flaw was reported [1] in prnt/hpijs/hpcupsfax.cpp, the hplip HP CUPS filter.  Because a predicatable temporary filename is used (/tmp/hpcupsfax.out), an attacker could use a symlink attack to overwrite an arbitrary file with the privileges of the process running the HP CUPS fax filter.

422     FILE    *fp;
423     fp = NULL;
424     if (iLogLevel & SAVE_PCL_FILE)
425     {
426         fp = fopen ("/tmp/hpcupsfax.out", "w");
427         system ("chmod 666 /tmp/hpcupsfax.out");
428     }
429     while ((i = read (fdFax, pTmp, iSize)) > 0)
430     {
431         write (STDOUT_FILENO, pTmp, i);
432         if (iLogLevel & SAVE_PCL_FILE && fp)
433         {
434             fwrite (pTmp, 1, i, fp);
435         }
436     }
437     free (pTmp);

This flaw only exists in hplip 3.x and is not present in earlier versions of hplip.

[1] https://bugzilla.novell.com/show_bug.cgi?id=704608


This issue did not affect the versions of hplip as shipped with Red Hat Enterprise Linux 5. A future update in Red Hat Enterprise Linux 5 (for hplip3) and 6 may address this flaw.
Comment 1 Vincent Danen 2011-07-26 13:29:27 EDT
Created hplip tracking bugs for this issue

Affects: fedora-all [bug 725831]
Comment 2 Vincent Danen 2011-07-26 16:44:58 EDT
This was assigned the name CVE-2011-2722:

Comment 3 Tim Waugh 2011-07-29 05:48:08 EDT
Created attachment 515866 [details]

Suggested patch.  This patch keeps the predictable filename since it needs to be located by the operator after a print job; however, it now creates the file safely.
Comment 4 Jiri Popelka 2011-10-04 09:04:42 EDT

Upstream (HPLIP) bug is https://bugs.launchpad.net/hplip/+bug/809904

Fix for this problem was released in upstream version hplip-3.11.10.
Comment 7 errata-xmlrpc 2013-01-08 00:12:57 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0133 https://rhn.redhat.com/errata/RHSA-2013-0133.html
Comment 9 errata-xmlrpc 2013-02-21 02:55:52 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0500 https://rhn.redhat.com/errata/RHSA-2013-0500.html
Comment 10 Huzaifa S. Sidhpurwala 2013-02-21 23:31:02 EST


Note You need to log in before you can comment on or make changes to this bug.