A temporary file handling flaw was reported [1] in prnt/hpijs/hpcupsfax.cpp, the hplip HP CUPS filter. Because a predictable temporary filename is used (/tmp/hpcupsfax.out), an attacker could use a symlink attack to overwrite an arbitrary file with the privileges of the process running the HP CUPS fax filter.

    FILE *fp;
    fp = NULL;
    if (iLogLevel & SAVE_PCL_FILE)
    {
        fp = fopen ("/tmp/hpcupsfax.out", "w");
        system ("chmod 666 /tmp/hpcupsfax.out");
    }
    while ((i = read (fdFax, pTmp, iSize)) > 0)
    {
        write (STDOUT_FILENO, pTmp, i);
        if (iLogLevel & SAVE_PCL_FILE && fp)
        {
            fwrite (pTmp, 1, i, fp);
        }
    }
    free (pTmp);

This flaw only exists in hplip 3.x and is not present in earlier versions of hplip.

[1] https://bugzilla.novell.com/show_bug.cgi?id=704608

Statement:

This issue did not affect the versions of hplip as shipped with Red Hat Enterprise Linux 5. A future update in Red Hat Enterprise Linux 5 (for hplip3) and 6 may address this flaw.
Created hplip tracking bugs for this issue

Affects: fedora-all [bug 725831]
This was assigned the name CVE-2011-2722:

http://www.openwall.com/lists/oss-security/2011/07/26/14
Created attachment 515866: hplip-CVE-2011-2722.patch

Suggested patch. This patch keeps the predictable filename since it needs to be located by the operator after a print job; however, it now creates the file safely.
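As an added illustration of the "keep the name, create the file safely" approach described in the comment above (example code written for this page, not the attached hplip patch), the hardened open below refuses a pre-planted symlink instead of writing through it, and a constructed self-check in a private mkdtemp directory shows both the normal and the refused case. The function and file names are assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hardened replacement (added example, not hplip's code) for the
 * fopen("/tmp/hpcupsfax.out", "w") + system("chmod 666 ...") pair: O_EXCL
 * refuses any pre-existing path (a planted symlink included), O_NOFOLLOW
 * never follows a link, and the mode is set at creation, not by a racy chmod. */
FILE *open_debug_log_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return NULL;       /* EEXIST or ELOOP: refuse, do not clobber */
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) close(fd);
    return fp;
}
/* Constructed check in a private mkdtemp directory. Returns a bitmask:
 * 1 = fresh file created and not world-writable; 2 = open refused once a
 * symlink hpcupsfax.out -> victim is planted; 4 = victim still empty.
 * All good == 7; -1 on setup error. */
int demo_safe_open(void)
{
    char dir[] = "/tmp/hpcupsfax-demo-XXXXXX", path[300], victim[300];
    struct stat st;
    int result = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/hpcupsfax.out", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    FILE *fp = open_debug_log_safely(path);            /* nothing there yet */
    if (fp) {
        fputs("PCL data\n", fp);
        fclose(fp);
        if (stat(path, &st) == 0 && st.st_size == 9 && !(st.st_mode & S_IWOTH))
            result |= 1;
        unlink(path);
    }
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);  /* file to protect */
    if (vfd < 0 || symlink(victim, path) != 0) return -1;
    close(vfd);
    fp = open_debug_log_safely(path);                  /* link now in the way */
    if (fp == NULL && (errno == EEXIST || errno == ELOOP)) result |= 2;
    else if (fp) fclose(fp);
    if (stat(victim, &st) == 0 && st.st_size == 0) result |= 4;
    unlink(path); unlink(victim); rmdir(dir);
    return result;
}
```

Note that O_EXCL also means a stale log left from a previous job must be removed by the operator before the next run; the original code silently truncated it, which is exactly the behaviour the symlink attack abused.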
Note: the upstream (HPLIP) bug is https://bugs.launchpad.net/hplip/+bug/809904

The fix for this problem was released in upstream version hplip-3.11.10:

http://hplipopensource.com/hplip-web/release_notes.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2013:0133 https://rhn.redhat.com/errata/RHSA-2013-0133.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:0500 https://rhn.redhat.com/errata/RHSA-2013-0500.html
Statement: (none)