
List:       oss-security
Subject:    Re: [oss-security] CVE Request -- foomatic (foomatic-filters):
From:       Josh Bressers <bressers () redhat ! com>
Date:       2011-07-29 20:04:12
Message-ID: 1232707585.1685834.1311969852095.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Steve,

Can you weigh in on how to assign this one? I'm thinking we want two IDs,
but I know in the past one ID has been used for catchall type IDs (I'm not
sure if that's simply done due to lack of details).

Thanks.

-- 
    JB

----- Original Message -----
> Hello Josh, Steve, vendors,
> 
> By further investigation of the hplip CVE-2011-2722 issue:
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2722
> 
> Tim Waugh noticed the similar issue being present also in foomatic-rip
> universal print filter, when debug mode is enabled. Further details:
> 
> It was found that the foomatic-rip filter used an insecurely created
> temporary file for storage of PostScript data by rendering the data,
> intended to be sent to the PostScript filter, when the debug mode was
> enabled. A local attacker could use this flaw to conduct symlink attacks
> (overwrite arbitrary file accessible with the privileges of the user
> running the foomatic-rip universal print filter).
> 
> Relevant source code part (Perl script part / foomatic-rip.in):
> ===============================================================
> 100 my $logfile = "/tmp/foomatic-rip";
> ..
> 3454 # In debug mode save the data supposed to be fed into the
> 3455 # renderer also into a file
> 3456 if ($debug) {
> 3457 $commandline = "tee -a ${logfile}.ps | ( $commandline )";
> 3458 }
> 
> Note: The $logfile variable declaration (line #100) is not an insecure
> temporary file use issue itself, since this danger (and its proper
> usage) is documented in /etc/foomatic/filters.conf file.
> 
> Relevant source code part (C script part / renderer.c):
> ========================================================
> 436 /* Save the data supposed to be fed into the renderer also into a file */
> 437 dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( ");
> 438 dstrcat(commandline, ")");
> 439 }
> 
> Note: The LOG_FILE variable declaration by itself is not an insecure
> temporary file use, since this danger (and its proper usage)
> is documented in /etc/foomatic/filters.conf file.
> 
> References:
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=726426
> 
> Credit: Issue discovered by Tim Waugh
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
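The quoted snippets pipe the renderer input through `tee -a /tmp/foomatic-rip.ps`, a fixed, predictable path that `tee` opens with O_APPEND and happily follows if someone has planted a symlink there. The following is an added example (not foomatic's code, and not part of the thread) of how a filter can open such a debug dump without that exposure; the function names and the `"/tmp"` directory used in `main` are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed-path variant, for a dump file that must persist across jobs the
 * way "tee -a ${logfile}.ps" did. Unlike tee, it never follows a symlink
 * planted at the path and refuses anything that is not a regular file
 * owned by the current effective user with a single link (no hardlink
 * to a victim file either). Returns a writable fd, or -1 with errno set
 * (ELOOP when a symlink was found at the path). */
int open_debug_dump(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;          /* pre-planted or foreign file: do not write */
        return -1;
    }
    return fd;
}

/* Preferred variant: a unique, O_EXCL-created 0600 file under a directory
 * the administrator chose (the filters.conf setting the thread mentions),
 * so there is no predictable name to pre-create. The name chosen by
 * mkstemp is written back to `out`. */
int open_unique_debug_dump(const char *dir, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s/foomatic-rip.XXXXXX", dir);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(out);        /* O_CREAT|O_EXCL, mode 0600 */
}

int main(void) {
    char name[4096];
    int fd = open_unique_debug_dump("/tmp", name, sizeof name);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("debug dump file: %s\n", name);
    close(fd);
    unlink(name);
    return 0;
}
```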