Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4405 to the following vulnerability: Name: CVE-2011-4405 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4405 Assigned: 20111107 Reference: http://www.ubuntu.com/usn/USN-1265-1 Reference: http://www.securityfocus.com/bid/50721 Reference: http://osvdb.org/77214 Reference: http://secunia.com/advisories/46909 Reference: XF:systemconfigprinter-packages-mitm(71394) Reference: http://xforce.iss.net/xforce/xfdb/71394 The cupshelpers scripts in system-config-printer in Ubuntu 11.04 and 11.10, as used by the automatic printer driver download service, uses an "insecure connection" for queries to the OpenPrinting database, which allows remote attackers to execute arbitrary code via a man-in-the-middle (MITM) attack that modifies packages or repositories. A patch [1] is available to correct this flaw, and the affected openprinting.py script is found in both Red Hat Enterprise Linux 6 and Fedora. The original bug [2] is still private. [1] http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/oneiric/system-config-printer/oneiric-security/revision/209/debian/patches/74_CVE-2011-4405.patch [2] https://bugs.launchpad.net/ubuntu/+source/system-config-printer/+bug/882553
Created attachment 538144 [details] patch from Debian to correct the issue Local copy of the patch to fix the flaw.
Created system-config-printer tracking bugs for this issue Affects: fedora-all [bug 758385]
Note that nothing we ship in Fedora or Red Hat Enterprise Linux is actually vulnerable to this. Ubuntu was vulnerable in two ways as I understand it. Firstly, Jockey (their automated firmware downloader) uses the openprinting download functionality, and we do not ship Jockey. Secondly there is a facility in system-config-printer for installing drivers from openprinting.org. However, we ship system-config-printer in such a way that it does *not* install driver packages from openprinting.org, only PPDs (with user consent). This is not user-configurable -- Ubuntu ships with this changed at source level.
Statement: Not vulnerable. This issue did not affect the versions of system-config-printer as shipped with Red Hat Enterprise Linux 4, 5, or 6 as they did not include support for installing driver packages from the OpenPrinting database, only PPDs (with user consent).