oss-sec mailing list archives

CVE Request -- foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 28 Jul 2011 17:00:08 +0200

Hello Josh, Steve, vendors,

  by further investigation of hplip CVE-2011-2722 issue:
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2722

Tim Waugh noticed the similar issue being present also in foomatic-rip
universal print filter, when debug mode is enabled. Further details:

It was found that foomatic-rip filter used insecurely created temporary

file for storage of PostScript data by rendering the data, intended tobe sent to the PostScript filter, when the debug mode was enabled. Alocal attacker could use this flaw to conduct symlink attacks (overwritearbitrary file accessible with the privileges of the user running thefoomatic-rip universal print filter).


Relevant source code part (Perl script part / foomatic-rip.in):
===============================================================
   100 my $logfile = "/tmp/foomatic-rip";
  ..
  3454  # In debug mode save the data supposed to be fed
          into the
  3455  # renderer also into a file
  3456  if ($debug) {
  3457    $commandline = "tee -a ${logfile}.ps | ( $commandline )";
  3458  }

Note: The $logfile variable declaration (line #100) is not an insecure
      temporary file use issue itself, since this danger (and its proper
      usage) is documented in /etc/foomatic/filters.conf file.

Relevant source code part (C script part / renderer.c):
========================================================
   436  /* Save the data supposed to be fed into the renderer
          also int        o a file*/
   437  dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( ");
   438  dstrcat(commandline, ")");
   439  }

Note: The LOG_FILE variable declaration by itself is not an insecure
      temporary file use, since this danger (and its proper usage)
      is documented in /etc/foomatic/filters.conf file.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=726426

Credit: Issue discovered by Tim Waugh

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data Jan Lieskovsky (Jul 28)
- Re: CVE Request -- foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data Josh Bressers (Jul 29)
  - Re: CVE Request -- foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data Huzaifa Sidhpurwala (Aug 14)
    - Re: CVE Request -- foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data Steven M. Christey (Aug 15)
- Re: CVE Request -- foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data Josh Bressers (Aug 17)