Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4405 to
the following vulnerability:
The cupshelpers scripts in system-config-printer in Ubuntu 11.04 and
11.10, as used by the automatic printer driver download service, use
an "insecure connection" for queries to the OpenPrinting database,
which allows remote attackers to execute arbitrary code via a
man-in-the-middle (MITM) attack that modifies packages or
A patch is available to correct this flaw, and the affected openprinting.py script is found in both Red Hat Enterprise Linux 6 and Fedora. The original bug is still private.
Created attachment 538144
patch from Debian to correct the issue
Local copy of the patch to fix the flaw.
Created system-config-printer tracking bugs for this issue
Affects: fedora-all [bug 758385]
Note that nothing we ship in Fedora or Red Hat Enterprise Linux is actually
vulnerable to this.
Ubuntu was vulnerable in two ways as I understand it.
Firstly, Jockey (their automated firmware downloader) uses the openprinting
download functionality, and we do not ship Jockey.
Secondly there is a facility in system-config-printer for installing drivers
from openprinting.org. However, we ship system-config-printer in such a way
that it does *not* install driver packages from openprinting.org, only PPDs
(with user consent). This is not user-configurable -- Ubuntu ships with this
changed at source level.
Not vulnerable. This issue did not affect the versions of system-config-printer as shipped with Red Hat Enterprise Linux 4, 5, or 6 as they did not include support for installing driver packages from the OpenPrinting database, only PPDs (with user consent).