Bug 725830 (CVE-2011-2722) - CVE-2011-2722 hplip: insecure temporary file handling
Summary: CVE-2011-2722 hplip: insecure temporary file handling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2722
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 725831 846232 883650
Blocks: 816611 855229
TreeView+ depends on / blocked
 
Reported: 2011-07-26 17:27 UTC by Vincent Danen
Modified: 2019-09-29 12:46 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-22 04:31:02 UTC


Attachments (Terms of Use)
hplip-CVE-2011-2722.patch (747 bytes, patch)
2011-07-29 09:48 UTC, Tim Waugh
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0133 normal SHIPPED_LIVE Low: hplip3 security and bug fix update 2013-01-08 09:44:58 UTC
Red Hat Product Errata RHSA-2013:0500 normal SHIPPED_LIVE Low: hplip security, bug fix and enhancement update 2013-02-20 21:18:15 UTC

Description Vincent Danen 2011-07-26 17:27:49 UTC
A temporary file handling flaw was reported [1] in prnt/hpijs/hpcupsfax.cpp, the hplip HP CUPS filter.  Because a predicatable temporary filename is used (/tmp/hpcupsfax.out), an attacker could use a symlink attack to overwrite an arbitrary file with the privileges of the process running the HP CUPS fax filter.

422     FILE    *fp;
423     fp = NULL;
424     if (iLogLevel & SAVE_PCL_FILE)
425     {
426         fp = fopen ("/tmp/hpcupsfax.out", "w");
427         system ("chmod 666 /tmp/hpcupsfax.out");
428     }
429     while ((i = read (fdFax, pTmp, iSize)) > 0)
430     {
431         write (STDOUT_FILENO, pTmp, i);
432         if (iLogLevel & SAVE_PCL_FILE && fp)
433         {
434             fwrite (pTmp, 1, i, fp);
435         }
436     }
437     free (pTmp);

This flaw only exists in hplip 3.x and is not present in earlier versions of hplip.

[1] https://bugzilla.novell.com/show_bug.cgi?id=704608


Statement:

This issue did not affect the versions of hplip as shipped with Red Hat Enterprise Linux 5. A future update in Red Hat Enterprise Linux 5 (for hplip3) and 6 may address this flaw.

Comment 1 Vincent Danen 2011-07-26 17:29:27 UTC
Created hplip tracking bugs for this issue

Affects: fedora-all [bug 725831]

Comment 2 Vincent Danen 2011-07-26 20:44:58 UTC
This was assigned the name CVE-2011-2722:

http://www.openwall.com/lists/oss-security/2011/07/26/14

Comment 3 Tim Waugh 2011-07-29 09:48:08 UTC
Created attachment 515866 [details]
hplip-CVE-2011-2722.patch

Suggested patch.  This patch keeps the predictable filename since it needs to be located by the operator after a print job; however, it now creates the file safely.

Comment 4 Jiri Popelka 2011-10-04 13:04:42 UTC
Note:

Upstream (HPLIP) bug is https://bugs.launchpad.net/hplip/+bug/809904

Fix for this problem was released in upstream version hplip-3.11.10.
http://hplipopensource.com/hplip-web/release_notes.html

Comment 7 errata-xmlrpc 2013-01-08 05:12:57 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0133 https://rhn.redhat.com/errata/RHSA-2013-0133.html

Comment 9 errata-xmlrpc 2013-02-21 07:55:52 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0500 https://rhn.redhat.com/errata/RHSA-2013-0500.html

Comment 10 Huzaifa S. Sidhpurwala 2013-02-22 04:31:02 UTC
Statement:

(none)


Note You need to log in before you can comment on or make changes to this bug.