Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data
From: Josh Bressers <bressers () redhat com>
Date: Fri, 29 Jul 2011 16:04:12 -0400 (EDT)

Steve,

Can you weigh in on how to assign this one. I'm thinking we want two IDs,
but I know in the past one ID has been used for catchall type IDs (I'm not
sure if that's simply done due to lack of details).

Thanks.

-- 
    JB

----- Original Message -----
Hello Josh, Steve, vendors,

by further investigation of hplip CVE-2011-2722 issue:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2722

Tim Waugh noticed the similar issue being present also in foomatic-rip
universal print filter, when debug mode is enabled. Further details:

It was found that foomatic-rip filter used insecurely created
temporary
file for storage of PostScript data by rendering the data, intended to
be sent to the PostScript filter, when the debug mode was enabled. A
local attacker could use this flaw to conduct symlink attacks
(overwrite
arbitrary file accessible with the privileges of the user running the
foomatic-rip universal print filter).

Relevant source code part (Perl script part / foomatic-rip.in):
===============================================================
100 my $logfile = "/tmp/foomatic-rip";
..
3454 # In debug mode save the data supposed to be fed
into the
3455 # renderer also into a file
3456 if ($debug) {
3457 $commandline = "tee -a ${logfile}.ps | ( $commandline )";
3458 }

Note: The $logfile variable declaration (line #100) is not an insecure
temporary file use issue itself, since this danger (and its proper
usage) is documented in /etc/foomatic/filters.conf file.

Relevant source code part (C script part / renderer.c):
========================================================
436 /* Save the data supposed to be fed into the renderer
also int o a file*/
437 dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( ");
438 dstrcat(commandline, ")");
439 }

Note: The LOG_FILE variable declaration by itself is not an insecure
temporary file use, since this danger (and its proper usage)
is documented in /etc/foomatic/filters.conf file.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=726426

Credit: Issue discovered by Tim Waugh

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault