hpssd vulnerable to command injection

Bug #149121 reported by Kees Cook on 2007-10-04
Affects | Status | Importance | Assigned to | Milestone
hplip (Ubuntu) | | Medium | Kees Cook |
Dapper | | Undecided | Kees Cook |
Edgy | | Medium | Kees Cook |
Feisty | | Medium | Kees Cook |
Gutsy | | Medium | Kees Cook |

Bug Description

Binary package hint: hplip

hpssd calls sendmail via strings instead of via an array, and does no validation of from-network inputs. As a result, the "from_address" can be injected into hpssd, causing any local user to run commands as the invoker of hpssd.
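
The difference between passing the command as a string and as an array, shown as an added example that is not code from hplip or from the original report. The sendmail path, the `-t`/`-f` flags, the address pattern and all function names are assumptions, and the child process is a harmless stand-in rather than sendmail.

```python
import json
import re
import shlex
import subprocess
import sys

SENDMAIL = "/usr/sbin/sendmail"   # assumed path; not given in the bug report
# Conservative allow-list for the envelope sender (assumption, not hplip's rule).
# The first character may not be "-", so the value can never look like an option.
ADDR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SHELL_PUNCT = set("();<>|&")


def shell_string(from_address):
    """Reported pattern: one interpolated string that a shell will parse."""
    return "%s -t -f %s" % (SENDMAIL, from_address)


def shell_operators(command):
    """Control operators a shell would act on (shlex only approximates sh)."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and set(tok) <= SHELL_PUNCT]


def child_argv(args):
    """Start a harmless stand-in child from an argv list; return what it saw."""
    probe = "import json, sys; print(json.dumps(sys.argv[1:]))"
    out = subprocess.run([sys.executable, "-c", probe] + list(args),
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def sendmail_argv(from_address):
    """Hardened form: validate first, then build an argv list (no shell)."""
    if not ADDR_RE.fullmatch(from_address):
        raise ValueError("rejected from_address: %r" % (from_address,))
    return [SENDMAIL, "-t", "-f", from_address]


if __name__ == "__main__":
    hostile = "nobody@example.com; echo INJECTED"   # constructed sample input
    print(shell_operators(shell_string(hostile)))    # separator visible to a shell
    print(child_argv(["-f", hostile]))               # argv keeps it one literal
    print(sendmail_argv("nobody@example.com"))
```

With an argv list the network-supplied value reaches the child as a single argument, and the validation step rejects it before any process is started.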

CVE References

Kees Cook (kees) wrote :

Fix for hpssd.py and scan.py (which also uses open3 instead of subprocess, though I did not check to see if scan's from_address is injectable)

Kees Cook (kees) on 2007-10-04
Changed in hplip:
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → keescook
status: New → In Progress
Kees Cook (kees) wrote :

Dapper (0.x hplip) is not vulnerable. (This code was using SMTP directly.)

Changed in hplip:
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → keescook
status: New → Invalid
importance: Undecided → Medium
Till Kamppeter (till-kamppeter) wrote :

Fixed packages for Gutsy are on their way. Get the packages for immediate testing on

http://www.linux-foundation.org/~till/tmp/ubuntu/gutsy/hplip/

Changed in hplip:
status: In Progress → Fix Committed
Kees Cook (kees) wrote :

This is CVE-2007-5208

Till Kamppeter (till-kamppeter) wrote :

Sorry, fix withdrawn. We must wait for the other distros to also supply the fix. Kees Cook will take care of packaging and uploading it in time.

Changed in hplip:
status: Fix Committed → In Progress
Till Kamppeter (till-kamppeter) wrote :

Subscribed upstream developers to this bug, so that the upstream version also gets fixed.

dwelch91 (dwelch91) wrote :

Patch applied to HPLIP upstream version on tip. Will be in 2.7.10.

Kees Cook (kees) wrote :
Changed in hplip:
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released