hpssd vulnerable to command injection
Bug #149121 reported by
Kees Cook
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
hplip (Ubuntu) |
Fix Released
|
Medium
|
Kees Cook | ||
Dapper |
Invalid
|
Undecided
|
Kees Cook | ||
Edgy |
Fix Released
|
Medium
|
Kees Cook | ||
Feisty |
Fix Released
|
Medium
|
Kees Cook | ||
Gutsy |
Fix Released
|
Medium
|
Kees Cook |
Bug Description
Binary package hint: hplip
hpssd calls sendmail via strings instead of via an array, and does no validation of from-network inputs. As a result, the "from_address" can be injected into hpssd, causing any local user to run commands as the invoker of hpssd.
CVE References
Changed in hplip: | |
assignee: | nobody → keescook |
importance: | Undecided → Medium |
status: | New → In Progress |
assignee: | nobody → keescook |
status: | New → In Progress |
To post a comment you must log in.
Fix for hpssd.py and scan.py (which also uses open3 instead of subprocess, though I did not check to see if scan's from_address is injectable)