[Pkg-hpijs-devel] Bug#701185: CVE-2013-0200: Insecure temporary files
Sebastian Ramacher
sramacher at debian.org
Fri Mar 1 15:35:28 UTC 2013
Control: found -1 3.10.6-2+squeeze1
Control: found -1 3.12.6-3
Control: found -1 3.12.11-1
All versions that are currently in the archive are affected by this
bug.
On 2013-02-22 15:15:13, Moritz Muehlenhoff wrote:
> Package: hplip
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Several further insecurely handled temporary files were discovered by Red Hat:
> https://www.redhat.com/archives/enterprise-watch-list/2013-February/msg00024.html
>
> I've extracted the patch from the RHEL update, it's attached to this mail.
The patch introduces one buffer overflow and an regression.
> diff -up hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp
> --- hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200 2013-01-22 10:57:13.651460928 +0000
> +++ hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp 2013-01-22 10:57:34.087541538 +0000
> @@ -637,19 +637,22 @@ int HPCupsFilter::processRasterData(cups
> {
> char szFileName[32];
> memset(szFileName, 0, sizeof(szFileName));
> - snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp", current_page_number);
> + snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp.XXXXXX", current_page_number);
If current_page_number is larger than 9, the last six characters of
szFileName won't be XXXXXX and hence mkstemp will fail with EINVAL.
> diff -up hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/SystemServices.cpp
> --- hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200 2012-04-10 09:32:37.000000000 +0100
> +++ hplip-3.12.4/prnt/hpcups/SystemServices.cpp 2013-01-22 10:57:34.088541545 +0000
> @@ -36,10 +36,12 @@ SystemServices::SystemServices(int iLogL
> m_fp = NULL;
> if (iLogLevel & SAVE_PCL_FILE)
> {
> + int fd;
> char fname[32];
> - sprintf(fname, "/tmp/hpcups_job%d.out", job_id);
> - m_fp = fopen(fname, "w");
> - chmod(fname, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
> + sprintf(fname, "/tmp/hpcups_job%d.out.XXXXXX", job_id);
job_id > 100000 will cause a buffer overflow. According to cups' API
documentation job_id can be up to 2^31-1 [1].
The attached patch makes the buffers large enough. I'll prepare a NMU
later today if nobody beats me to it.
Regards
[1] http://www.cups.org/documentation.php/api-cups.html#PRINT_JOBS
--
Sebastian Ramacher
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hplip-CVE-2013-0200.patch
Type: text/x-diff
Size: 3058 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-hpijs-devel/attachments/20130301/00158266/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-hpijs-devel/attachments/20130301/00158266/attachment.pgp>
More information about the Pkg-hpijs-devel
mailing list