oss-sec mailing list archives
Re: CVE Request -- foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data
From: Josh Bressers <bressers () redhat com>
Date: Wed, 17 Aug 2011 15:27:07 -0400 (EDT)
Based on the comments from MITRE, this deserves two IDs. Use CVE-2011-2923 for the perl variant. CVE-2011-2924 for the C variant. Thanks. -- JB ----- Original Message -----
Hello Josh, Steve, vendors, by further investigation of hplip CVE-2011-2722 issue: [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2722 Tim Waugh noticed the similar issue being present also in foomatic-rip universal print filter, when debug mode is enabled. Further details: It was found that foomatic-rip filter used insecurely created temporary file for storage of PostScript data by rendering the data, intended to be sent to the PostScript filter, when the debug mode was enabled. A local attacker could use this flaw to conduct symlink attacks (overwrite arbitrary file accessible with the privileges of the user running the foomatic-rip universal print filter). Relevant source code part (Perl script part / foomatic-rip.in): =============================================================== 100 my $logfile = "/tmp/foomatic-rip"; .. 3454 # In debug mode save the data supposed to be fed into the 3455 # renderer also into a file 3456 if ($debug) { 3457 $commandline = "tee -a ${logfile}.ps | ( $commandline )"; 3458 } Note: The $logfile variable declaration (line #100) is not an insecure temporary file use issue itself, since this danger (and its proper usage) is documented in /etc/foomatic/filters.conf file. Relevant source code part (C script part / renderer.c): ======================================================== 436 /* Save the data supposed to be fed into the renderer also int o a file*/ 437 dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( "); 438 dstrcat(commandline, ")"); 439 } Note: The LOG_FILE variable declaration by itself is not an insecure temporary file use, since this danger (and its proper usage) is documented in /etc/foomatic/filters.conf file. References: [1] https://bugzilla.redhat.com/show_bug.cgi?id=726426 Credit: Issue discovered by Tim Waugh Could you allocate a CVE id for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request -- foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data Jan Lieskovsky (Jul 28)
- Re: CVE Request -- foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data Josh Bressers (Jul 29)
- Re: CVE Request -- foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data Josh Bressers (Aug 17)