Bug#701185: CVE-2013-0200: Insecure temporary files
Package: hplip
Severity: grave
Tags: security
Justification: user security hole
Several further insecurely handled temporary files were discovered by Red Hat:
https://www.redhat.com/archives/enterprise-watch-list/2013-February/msg00024.html
I've extracted the patch from the RHEL update, it's attached to this mail.
Cheers,
Moritz
diff -up hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp
--- hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200 2013-01-22 10:57:13.651460928 +0000
+++ hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp 2013-01-22 10:57:34.087541538 +0000
@@ -637,19 +637,22 @@ int HPCupsFilter::processRasterData(cups
{
char szFileName[32];
memset(szFileName, 0, sizeof(szFileName));
- snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp", current_page_number);
+ snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp.XXXXXX", current_page_number);
if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW ||
cups_header.cupsColorSpace == CUPS_CSPACE_RGB)
{
- cfp = fopen (szFileName, "w");
- chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ int fd = mkstemp (szFileName);
+ if (fd != -1)
+ cfp = fdopen (fd, "w");
}
if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW ||
cups_header.cupsColorSpace == CUPS_CSPACE_K)
{
- szFileName[17] = 'k';
- kfp = fopen (szFileName, "w");
- chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ int fd;
+ snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterk_%d.bmp.XXXXXX", current_page_number);
+ fd = mkstemp (szFileName);
+ if (fd != -1)
+ kfp = fdopen (fd, "w");
}
WriteBMPHeader (cfp, cups_header.cupsWidth, cups_header.cupsHeight, COLOR_RASTER);
diff -up hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/SystemServices.cpp
--- hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200 2012-04-10 09:32:37.000000000 +0100
+++ hplip-3.12.4/prnt/hpcups/SystemServices.cpp 2013-01-22 10:57:34.088541545 +0000
@@ -36,10 +36,12 @@ SystemServices::SystemServices(int iLogL
m_fp = NULL;
if (iLogLevel & SAVE_PCL_FILE)
{
+ int fd;
char fname[32];
- sprintf(fname, "/tmp/hpcups_job%d.out", job_id);
- m_fp = fopen(fname, "w");
- chmod(fname, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ sprintf(fname, "/tmp/hpcups_job%d.out.XXXXXX", job_id);
+ fd = mkstemp (fname);
+ if (fd != -1)
+ m_fp = fdopen(fd, "w");
}
}
diff -up hplip-3.12.4/prnt/hpijs/hpijs.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpijs/hpijs.cpp
--- hplip-3.12.4/prnt/hpijs/hpijs.cpp.CVE-2013-0200 2013-01-22 10:57:12.219455275 +0000
+++ hplip-3.12.4/prnt/hpijs/hpijs.cpp 2013-01-22 10:57:34.089541549 +0000
@@ -96,13 +96,12 @@ void setLogLevel(UXServices *pSS)
if (pSS->m_iLogLevel & SAVE_PCL_FILE)
{
+ int fd;
char szFileName[32];
- sprintf (szFileName, "/tmp/hpijs_%d.out", getpid());
- pSS->outfp = fopen (szFileName, "w");
- if (pSS->outfp)
- {
- chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
- }
+ sprintf (szFileName, "/tmp/hpijs_%d.out.XXXXXX", getpid());
+ fd = mkstemp (szFileName);
+ if (fd != -1)
+ pSS->outfp = fdopen (fd, "w");
}
}
diff -up hplip-3.12.4/prnt/hpps/hppsfilter.c.CVE-2013-0200 hplip-3.12.4/prnt/hpps/hppsfilter.c
--- hplip-3.12.4/prnt/hpps/hppsfilter.c.CVE-2013-0200 2012-04-10 09:32:37.000000000 +0100
+++ hplip-3.12.4/prnt/hpps/hppsfilter.c 2013-01-22 10:57:34.089541549 +0000
@@ -92,10 +92,12 @@ void open_dbg_outfile(char* szjob_id)
g_fp_outdbgps = NULL;
if (g_savepsfile & SAVE_PS_FILE)
{
+ int fd;
char sfile_name[FILE_NAME_SIZE] = {0};
- sprintf(sfile_name, DBG_PSFILE, szjob_id);
- g_fp_outdbgps= fopen(sfile_name, "w");
- chmod(sfile_name, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ sprintf(sfile_name, DBG_PSFILE ".XXXXXX", szjob_id);
+ fd = mkstemp (sfile_name);
+ if (fd != -1)
+ g_fp_outdbgps = fdopen(fd, "w");
}
}
Reply to: