hpssd vulnerable to command injection
Bug #149121 reported by Kees Cook
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| hplip (Ubuntu) | Fix Released | Medium | Kees Cook | |
| Dapper | Invalid | Undecided | Kees Cook | |
| Edgy | Fix Released | Medium | Kees Cook | |
| Feisty | Fix Released | Medium | Kees Cook | |
| Gutsy | Fix Released | Medium | Kees Cook | |
Bug Description
Binary package hint: hplip
hpssd calls sendmail via strings instead of via an array, and does no validation of from-network inputs. As a result, the "from_address" can be injected into hpssd, causing any local user to run commands as the invoker of hpssd.
CVE References
| Changed in hplip: | |
| assignee: | nobody → keescook |
| importance: | Undecided → Medium |
| status: | New → In Progress |
| assignee: | nobody → keescook |
| status: | New → In Progress |

Fix for hpssd.py and scan.py (which also uses open3 instead of subprocess, though I did not check to see if scan's from_address is injectable)
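
The difference between the string form and the array form named in the bug description, as an added example that is not part of the report and is not hplip's code. The sendmail flags, the allow-list pattern, the stub that stands in for sendmail and the sample address are assumptions of this example, and it uses the modern `subprocess.run` API.

```python
import re
import subprocess
import sys

# Stand-in for the sendmail binary (assumption, so the example runs offline):
# it prints each argument it received on its own line.
STUB = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]

# Conservative allow-list for a sender mailbox (assumption of this example).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")


def validate_from_address(addr):
    """Reject anything that is not a plain mailbox before it nears a command line."""
    # A leading "-" is refused too: the array form stops shell parsing, but a
    # program may still read such a value as an option.
    if len(addr) > 254 or addr.startswith("-") or not ADDR_RE.fullmatch(addr):
        raise ValueError("rejected from_address: %r" % (addr,))
    return addr


def command_as_string(from_address):
    """String form from the report: a shell re-parses the whole line.
    Built for contrast only; this example never executes it."""
    return "sendmail -t -f %s" % from_address


def command_as_argv(from_address):
    """Array form: each element reaches the program as exactly one argument."""
    return ["-t", "-f", from_address]


def received_args(from_address, validate=True):
    """Run the stub with the array form and return the arguments it saw."""
    if validate:
        from_address = validate_from_address(from_address)
    done = subprocess.run(STUB + command_as_argv(from_address),
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    sample = "user@example.com; echo marker"  # constructed network input
    print(command_as_string(sample))            # two commands once a shell parses it
    print(received_args(sample, validate=False))  # array form: still one argument
    print(received_args("user@example.com"))    # validated, normal case
```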