Bug 758374 (CVE-2011-4405) - CVE-2011-4405 system-config-printer: possible MITM due to use of insecure connections
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2011-4405
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 758385
Blocks: 758381
Reported: 2011-11-29 17:25 UTC by Vincent Danen
Modified: 2021-02-24 13:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-30 17:45:25 UTC
Embargoed:


Attachments
patch from Debian to correct the issue (2.86 KB, patch)
2011-11-29 17:34 UTC, Vincent Danen

Description Vincent Danen 2011-11-29 17:25:04 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4405 to
the following vulnerability:

Name: CVE-2011-4405
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4405
Assigned: 20111107
Reference: http://www.ubuntu.com/usn/USN-1265-1
Reference: http://www.securityfocus.com/bid/50721
Reference: http://osvdb.org/77214
Reference: http://secunia.com/advisories/46909
Reference: XF:systemconfigprinter-packages-mitm(71394)
Reference: http://xforce.iss.net/xforce/xfdb/71394

The cupshelpers scripts in system-config-printer in Ubuntu 11.04 and
11.10, as used by the automatic printer driver download service, use
an "insecure connection" for queries to the OpenPrinting database,
which allows remote attackers to execute arbitrary code via a
man-in-the-middle (MITM) attack that modifies packages or
repositories.


A patch [1] is available to correct this flaw, and the affected openprinting.py script is found in both Red Hat Enterprise Linux 6 and Fedora.  The original bug [2] is still private.

[1] http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/oneiric/system-config-printer/oneiric-security/revision/209/debian/patches/74_CVE-2011-4405.patch
[2] https://bugs.launchpad.net/ubuntu/+source/system-config-printer/+bug/882553

Comment 1 Vincent Danen 2011-11-29 17:34:10 UTC
Created attachment 538144
patch from Debian to correct the issue

Local copy of the patch to fix the flaw.

Comment 2 Vincent Danen 2011-11-29 17:35:07 UTC
Created system-config-printer tracking bugs for this issue

Affects: fedora-all [bug 758385]

Comment 3 Tim Waugh 2011-11-29 17:38:11 UTC
Note that nothing we ship in Fedora or Red Hat Enterprise Linux is actually
vulnerable to this.

Ubuntu was vulnerable in two ways as I understand it.

Firstly, Jockey (their automated firmware downloader) uses the openprinting
download functionality, and we do not ship Jockey.

Secondly there is a facility in system-config-printer for installing drivers
from openprinting.org.  However, we ship system-config-printer in such a way
that it does *not* install driver packages from openprinting.org, only PPDs
(with user consent).  This is not user-configurable -- Ubuntu ships with this
changed at source level.

Comment 6 Vincent Danen 2011-11-30 17:45:25 UTC
Statement:

Not vulnerable. This issue did not affect the versions of system-config-printer as shipped with Red Hat Enterprise Linux 4, 5, or 6 as they did not include support for installing driver packages from the OpenPrinting database, only PPDs (with user consent).

