insecure tmp file handling in hpcupsfax.cpp
Bug #809904 reported by Johannes Meixner
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
HPLIP | Fix Released | High | Sanjay Kumar | |
Bug Description
hplip-3.11.5 prnt/hpijs/
-------
if (iLogLevel & SAVE_PCL_FILE)
{
fp = fopen ("/tmp/
system ("chmod 666 /tmp/hpcupsfax.
}
-------
This insecure tmp file handling results in
potential read/write of arbitrary files.
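An added example, not part of the bug report and not HPLIP's code: one way to create such a debug dump file without a predictable name and without a world-writable chmod. The function names and the `pcl_dump_` prefix are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a dump file under dir with an unpredictable name. mkstemp() opens
 * with O_CREAT|O_EXCL and mode 0600, so an existing file or symlink is never
 * reused and no chmod is needed. "pcl_dump_" is a constructed prefix. */
FILE *open_dump_private(const char *dir, char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/pcl_dump_XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return NULL;                 /* template did not fit the buffer */
    int fd = mkstemp(path_out);      /* fills in the XXXXXX part */
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {
        close(fd);
        unlink(path_out);
    }
    return fp;
}

/* If a fixed name is required, refuse anything that already exists. */
int open_dump_fixed(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int mode_of(const char *path) /* permission bits, symlinks not followed */
{
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    char path[256];
    FILE *fp = open_dump_private("/tmp", path, sizeof path);
    if (fp == NULL) return 1;
    printf("%s mode %o\n", path, (unsigned)mode_of(path));
    fclose(fp);
    int fd = open_dump_fixed(path);  /* must fail: the path already exists */
    unlink(path);
    return fd < 0 ? 0 : 1;
}
```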
CVE References
Changed in hplip: | |
status: | New → Invalid |
assignee: | nobody → Sanjay Kumar (sanjay-kumar14) |
security vulnerability: | yes → no |
visibility: | private → public |
Changed in hplip: | |
status: | Fix Committed → Fix Released |
I wonder why there is not any kind of response
from the HPLIP team regarding this security bug?
First and foremost I ask for a response whether or not
the HPLIP developers think it is actually a security bug.
As far as I see the crucial point to decide this is to know
under which exact circumstances the condition
"if (iLogLevel & SAVE_PCL_FILE)" becomes "true".
If "iLogLevel & SAVE_PCL_FILE" is true in normal operation
(i.e. when it is true by default), it is a security bug.
In contrast if "iLogLevel & SAVE_PCL_FILE" is true only
under special circumstances it may be no security bug.
E.g. when only the user "root" can set something
so that "iLogLevel & SAVE_PCL_FILE" is true
(e.g. somehow enable debugging mode which is
by default disabled for normal users)
then the issue is no security bug.
I do not have the knowledge to decide this.
Therefore an analysis from the HPLIP team is needed.