Kees Cook of the Ubuntu Security Team has informed us of following security
vulnerability in hplip:
I just discovered that the hpssd daemon of hplip is vulnerable to
arbitrary command injection via its use of popen3. Other local users
can run commands as the invoker of hpssd (usually root, hplip, or a
local user). By default, it only listens on localhost, but this is
configurable via /etc/hp/hplip.conf, so in the worst-case it is possible
this could allow remote root command execution.
Both 2.x and 1.x series appear vulnerable (but not 0.x which used SMTP).
The bug for this is: https://launchpad.net/bugs/149121
Created attachment 217201 [details]
Patch provided by Kees
hplip is shipped with Red Hat Enterprise Linux 5. This is default configuration:
- hpssd daemon in enabled by default after hplip package is installed
- hpssd only listens on 127.0.0.1
- hpssd is run under user root
- hpssd is further restricted by SELinux policy, daemon runs confined in hplip_t
In Fedora 7, hpssd is not enabled by default.
Correction to comment #3:
hpssd IS enabled by default after hplip package installation on current Fedora
versions (FC6, F7). Upcoming Fedora 8 does not run hpssd daemon any more.
removing embargo, now public.
Issue was fixed in affected Red Hat Enterprise Linux:
and Fedora versions: