hpssd vulnerable to command injection

Bug #149121 reported by Kees Cook
Affects          Status         Importance   Assigned to   Milestone
hplip (Ubuntu)   Fix Released   Medium       Kees Cook
Dapper           Invalid        Undecided    Kees Cook
Edgy             Fix Released   Medium       Kees Cook
Feisty           Fix Released   Medium       Kees Cook
Gutsy            Fix Released   Medium       Kees Cook

Bug Description

Binary package hint: hplip

hpssd calls sendmail via strings instead of via an array, and does no validation of from-network inputs. As a result, the "from_address" can be injected into hpssd, causing any local user to run commands as the invoker of hpssd.
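
The difference between the string form and the array form described above, as an added example (not hplip's code and not the patch attached to this bug). A harmless Python stub stands in for sendmail; the `-t -f` command line, the allow-list pattern and the sample address are assumptions constructed for illustration.

```python
import re
import shlex
import subprocess
import sys

# Stand-in for sendmail (assumption): prints the argument vector it received,
# so nothing is mailed and the demo runs offline.
STUB = [sys.executable, "-c", "import sys; print(repr(sys.argv[1:]))"]

# Conservative allow-list for a sender address (assumption, not hplip's rule).
# The first character must be alphanumeric, so a leading "-" cannot be read
# as a command-line option by the mailer.
ADDR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9.-]+")


def send_via_string(from_address):
    """Bug class from the report: one command string handed to a shell."""
    cmd = " ".join(shlex.quote(a) for a in STUB) + " -t -f " + from_address
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def send_via_argv(from_address, validate=True):
    """Hardened form: validate the input, then pass an argument array."""
    if validate and not ADDR_RE.fullmatch(from_address):
        raise ValueError("rejected from_address: %r" % from_address)
    # No shell parses this list; from_address is always exactly one argument.
    out = subprocess.run(STUB + ["-t", "-f", from_address],
                         capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # Constructed input: the marker command only echoes a word.
    sample = "user@example.com; echo INJECTED"
    print("string form:", send_via_string(sample))
    print("argv form, unvalidated:", send_via_argv(sample, validate=False))
    try:
        send_via_argv(sample)
    except ValueError as exc:
        print("argv form, validated:", exc)
```

In the string form the shell treats everything after `;` as a second command, so the output has two lines. In the array form the same input stays a single argument, and validation rejects it before any process is started.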

CVE References

Kees Cook (kees) wrote :

Fix for hpssd.py and scan.py (which also uses open3 instead of subprocess, though I did not check to see if scan's from_address is injectable)

Kees Cook (kees)
Changed in hplip:
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → keescook
status: New → In Progress
Kees Cook (kees) wrote :

Dapper (0.x hplip) is not vulnerable. (This code was using SMTP directly.)

Changed in hplip:
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → keescook
status: New → Invalid
importance: Undecided → Medium
Till Kamppeter (till-kamppeter) wrote :

Fixed packages for Gutsy are on their way. Get the packages for immediate testing on

http://www.linux-foundation.org/~till/tmp/ubuntu/gutsy/hplip/

Changed in hplip:
status: In Progress → Fix Committed
Kees Cook (kees) wrote :

This is CVE-2007-5208

Till Kamppeter (till-kamppeter) wrote :

Sorry, fix withdrawn. We must wait for the other distros to also supply the fix. Kees Cook will take care of packaging and uploading it in time.

Changed in hplip:
status: Fix Committed → In Progress
Till Kamppeter (till-kamppeter) wrote :

Subscribed upstream developers to this bug, so that the upstream version also gets fixed.

dwelch91 (dwelch91) wrote :

Patch applied to HPLIP upstream version on tip. Will be in 2.7.10.

Kees Cook (kees) wrote :
Changed in hplip:
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
