[Pkg-hpijs-devel] Bug#701185: CVE-2013-0200: Insecure temporary files
Sebastian Ramacher
sramacher at debian.org
Fri Mar  1 15:35:28 UTC 2013
Control: found -1 3.10.6-2+squeeze1
Control: found -1 3.12.6-3
Control: found -1 3.12.11-1
All versions that are currently in the archive are affected by this
bug.
On 2013-02-22 15:15:13, Moritz Muehlenhoff wrote:
> Package: hplip
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Several further insecurely handled temporary files were discovered by Red Hat:
> https://www.redhat.com/archives/enterprise-watch-list/2013-February/msg00024.html
> 
> I've extracted the patch from the RHEL update, it's attached to this mail.
The patch introduces one buffer overflow and a regression.
> diff -up hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp
> --- hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200	2013-01-22 10:57:13.651460928 +0000
> +++ hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp	2013-01-22 10:57:34.087541538 +0000
> @@ -637,19 +637,22 @@ int HPCupsFilter::processRasterData(cups
>          {
>              char    szFileName[32];
>              memset(szFileName, 0, sizeof(szFileName));
> -            snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp", current_page_number);
> +            snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp.XXXXXX", current_page_number);
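Review bot: the new format string leaves no room for the template in the 32-byte szFileName: "/tmp/hpcupsfilterc_" plus ".bmp.XXXXXX" is already 30 characters, so a current_page_number of two or more digits is truncated by snprintf and the name no longer ends in XXXXXX, which the mkstemp call this template is meant for (per the surrounding discussion) rejects with EINVAL. Size the buffer for the worst case (the fixed text plus the ten digits of INT_MAX, e.g. `char szFileName[64];`) and check that snprintf's return value is smaller than sizeof(szFileName) before using the template; the memset on the line above does not protect against either problem.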
If current_page_number is larger than 9, the last six characters of
szFileName won't be XXXXXX and hence mkstemp will fail with EINVAL.
> diff -up hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/SystemServices.cpp
> --- hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200	2012-04-10 09:32:37.000000000 +0100
> +++ hplip-3.12.4/prnt/hpcups/SystemServices.cpp	2013-01-22 10:57:34.088541545 +0000
> @@ -36,10 +36,12 @@ SystemServices::SystemServices(int iLogL
>      m_fp = NULL;
>      if (iLogLevel & SAVE_PCL_FILE)
>      {
> +	int	fd;
>          char    fname[32];
> -        sprintf(fname, "/tmp/hpcups_job%d.out", job_id);
> -        m_fp = fopen(fname, "w");
> -        chmod(fname, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
> +        sprintf(fname, "/tmp/hpcups_job%d.out.XXXXXX", job_id);
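Review bot: the sprintf on the last line of the hunk is unbounded into the 32-byte fname while the new format text is 26 characters plus job_id, so any job id of six or more digits (cups allows values up to 2^31-1) writes past the end of the buffer; the fix introduces a stack buffer overflow. Replace it with `snprintf(fname, sizeof(fname), "/tmp/hpcups_job%d.out.XXXXXX", job_id);`, check the return value against sizeof(fname), and enlarge fname to hold the ten digits of INT_MAX. Minor: the added `int fd;` declaration is indented with tabs while the surrounding lines use spaces.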
job_id > 100000 will cause a buffer overflow. According to cups' API
documentation job_id can be up to 2^31-1 [1].
The attached patch makes the buffers large enough. I'll prepare an NMU
later today if nobody beats me to it.
Regards
[1] http://www.cups.org/documentation.php/api-cups.html#PRINT_JOBS
-- 
Sebastian Ramacher
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hplip-CVE-2013-0200.patch
Type: text/x-diff
Size: 3058 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-hpijs-devel/attachments/20130301/00158266/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-hpijs-devel/attachments/20130301/00158266/attachment.pgp>
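An added example (my own code, not hplip's and not the attached patch) showing how the two temporary-file names discussed above can be built so that the truncation and the overflow become detected errors instead of silent failures; the prefix and suffix strings are taken from the quoted hunks, the helper names and the 64-byte buffer are my own choices.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bytes needed for "<prefix><int><suffix>\0"; 11 covers "-2147483648". */
size_t template_bufsize(const char *prefix, const char *suffix)
{
    return strlen(prefix) + 11 + strlen(suffix) + 1;
}

/* Build "<prefix><id><suffix>" with a bounds-checked snprintf.  Returns 0, or
 * -1 with errno = ENAMETOOLONG when the name does not fit (where the hunks'
 * 32-byte buffers truncate or overflow) and EINVAL when it lacks "XXXXXX". */
int build_mkstemp_template(char *buf, size_t bufsize,
                           const char *prefix, int id, const char *suffix)
{
    int n = snprintf(buf, bufsize, "%s%d%s", prefix, id, suffix);
    if (n < 0 || (size_t)n >= bufsize) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (n < 6 || strcmp(buf + n - 6, "XXXXXX") != 0) {
        errno = EINVAL;
        return -1;
    }
    return 0;
}

int main(void)
{
    char small[32];   /* the hunks' buffer size: page 10 is now an error */
    if (build_mkstemp_template(small, sizeof small, "/tmp/hpcupsfilterc_",
                               10, ".bmp.XXXXXX") != 0)
        perror("page 10 in a 32-byte buffer");
    /* Correctly sized buffer: the largest cups job id fits, and mkstemp opens
     * the file O_EXCL with mode 0600, which also closes the symlink race. */
    char path[64];
    if (template_bufsize("/tmp/hpcups_job", ".out.XXXXXX") > sizeof path ||
        build_mkstemp_template(path, sizeof path, "/tmp/hpcups_job",
                               INT_MAX, ".out.XXXXXX") != 0)
        return 1;
    int fd = mkstemp(path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    close(fd);
    unlink(path);
    return 0;
}
```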