Your message dated Sun, 03 Mar 2013 18:47:55 +0000 with message-id <E1UCDwx-0001gt-Do@franck.debian.org> and subject line Bug#701185: fixed in hplip 3.12.6-3.1 has caused the Debian Bug report #701185, regarding CVE-2013-0200: Insecure temporary files to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 701185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701185 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: CVE-2013-0200: Insecure temporary files
- From: Moritz Muehlenhoff <jmm@inutil.org>
- Date: Fri, 22 Feb 2013 15:15:13 +0100
- Message-id: <20130222141512.12046.52556.reportbug@m25s06.vlinux.de>
Package: hplip Severity: grave Tags: security Justification: user security hole Several further insecurely handled temporary files were discovered by Red Hat: https://www.redhat.com/archives/enterprise-watch-list/2013-February/msg00024.html I've extracted the patch from the RHEL update, it's attached to this mail. Cheers, Moritzdiff -up hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp --- hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200 2013-01-22 10:57:13.651460928 +0000 +++ hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp 2013-01-22 10:57:34.087541538 +0000 @@ -637,19 +637,22 @@ int HPCupsFilter::processRasterData(cups { char szFileName[32]; memset(szFileName, 0, sizeof(szFileName)); - snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp", current_page_number); + snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp.XXXXXX", current_page_number); if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW || cups_header.cupsColorSpace == CUPS_CSPACE_RGB) { - cfp = fopen (szFileName, "w"); - chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + int fd = mkstemp (szFileName); + if (fd != -1) + cfp = fdopen (fd, "w"); } if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW || cups_header.cupsColorSpace == CUPS_CSPACE_K) { - szFileName[17] = 'k'; - kfp = fopen (szFileName, "w"); - chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + int fd; + snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterk_%d.bmp.XXXXXX", current_page_number); + fd = mkstemp (szFileName); + if (fd != -1) + kfp = fdopen (fd, "w"); } WriteBMPHeader (cfp, cups_header.cupsWidth, cups_header.cupsHeight, COLOR_RASTER); diff -up hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/SystemServices.cpp --- hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200 2012-04-10 09:32:37.000000000 +0100 +++ hplip-3.12.4/prnt/hpcups/SystemServices.cpp 2013-01-22 10:57:34.088541545 +0000 @@ -36,10 +36,12 @@ SystemServices::SystemServices(int iLogL m_fp = NULL; if (iLogLevel & SAVE_PCL_FILE) { + int fd; char fname[32]; - sprintf(fname, "/tmp/hpcups_job%d.out", job_id); - m_fp = fopen(fname, "w"); - chmod(fname, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + sprintf(fname, "/tmp/hpcups_job%d.out.XXXXXX", job_id); + fd = mkstemp (fname); + if (fd != -1) + m_fp = fdopen(fd, "w"); } } diff -up hplip-3.12.4/prnt/hpijs/hpijs.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpijs/hpijs.cpp --- hplip-3.12.4/prnt/hpijs/hpijs.cpp.CVE-2013-0200 2013-01-22 10:57:12.219455275 +0000 +++ hplip-3.12.4/prnt/hpijs/hpijs.cpp 2013-01-22 10:57:34.089541549 +0000 @@ -96,13 +96,12 @@ void setLogLevel(UXServices *pSS) if (pSS->m_iLogLevel & SAVE_PCL_FILE) { + int fd; char szFileName[32]; - sprintf (szFileName, "/tmp/hpijs_%d.out", getpid()); - pSS->outfp = fopen (szFileName, "w"); - if (pSS->outfp) - { - chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); - } + sprintf (szFileName, "/tmp/hpijs_%d.out.XXXXXX", getpid()); + fd = mkstemp (szFileName); + if (fd != -1) + pSS->outfp = fdopen (fd, "w"); } } diff -up hplip-3.12.4/prnt/hpps/hppsfilter.c.CVE-2013-0200 hplip-3.12.4/prnt/hpps/hppsfilter.c --- hplip-3.12.4/prnt/hpps/hppsfilter.c.CVE-2013-0200 2012-04-10 09:32:37.000000000 +0100 +++ hplip-3.12.4/prnt/hpps/hppsfilter.c 2013-01-22 10:57:34.089541549 +0000 @@ -92,10 +92,12 @@ void open_dbg_outfile(char* szjob_id) g_fp_outdbgps = NULL; if (g_savepsfile & SAVE_PS_FILE) { + int fd; char sfile_name[FILE_NAME_SIZE] = {0}; - sprintf(sfile_name, DBG_PSFILE, szjob_id); - g_fp_outdbgps= fopen(sfile_name, "w"); - chmod(sfile_name, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + sprintf(sfile_name, DBG_PSFILE ".XXXXXX", szjob_id); + fd = mkstemp (sfile_name); + if (fd != -1) + g_fp_outdbgps = fdopen(fd, "w"); } }
--- End Message ---
--- Begin Message ---
- To: 701185-close@bugs.debian.org
- Subject: Bug#701185: fixed in hplip 3.12.6-3.1
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Sun, 03 Mar 2013 18:47:55 +0000
- Message-id: <E1UCDwx-0001gt-Do@franck.debian.org>
Source: hplip Source-Version: 3.12.6-3.1 We believe that the bug you reported is fixed in the latest version of hplip, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 701185@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Sebastian Ramacher <sramacher@debian.org> (supplier of updated hplip package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Fri, 01 Mar 2013 18:21:48 +0100 Source: hplip Binary: hplip hplip-data printer-driver-postscript-hp hplip-gui hplip-dbg hplip-doc hpijs-ppds hpijs printer-driver-hpijs hplip-cups printer-driver-hpcups libhpmud0 libhpmud-dev libsane-hpaio Architecture: source amd64 all Version: 3.12.6-3.1 Distribution: unstable Urgency: high Maintainer: Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org> Changed-By: Sebastian Ramacher <sramacher@debian.org> Description: hpijs - transitional dummy package for hpijs printer driver hpijs-ppds - HP Linux Printing and Imaging - HPIJS PPD files hplip - HP Linux Printing and Imaging System (HPLIP) hplip-cups - transitional dummy package for hpcups printer driver hplip-data - HP Linux Printing and Imaging - data files hplip-dbg - HP Linux Printing and Imaging - debugging information hplip-doc - HP Linux Printing and Imaging - documentation hplip-gui - HP Linux Printing and Imaging - GUI utilities (Qt-based) libhpmud-dev - HP Multi-Point Transport Driver (hpmud) development libraries libhpmud0 - HP Multi-Point Transport Driver (hpmud) run-time libraries libsane-hpaio - HP SANE backend for multi-function peripherals printer-driver-hpcups - HP Linux Printing and Imaging - CUPS Raster driver (hpcups) printer-driver-hpijs - HP Linux Printing and Imaging - gs IJS driver (hpijs) printer-driver-postscript-hp - HP Printers PostScript Descriptions Closes: 701185 Changes: hplip (3.12.6-3.1) unstable; urgency=high . * Non-maintainer upload. * debian/patches/CVE-2013-0200.patch: Fix CVE-2013-0200 by applying the patch from Red Hat. Additionally increase the buffers to mitigate an regression and a buffer overflow. (Closes: #701185) Checksums-Sha1: 78170246ffff1638f8b5bcf616969151875d2699 3052 hplip_3.12.6-3.1.dsc d6d23cd68c3f7cc12c4052c4e15bfc9500f66c10 306220 hplip_3.12.6-3.1.debian.tar.gz e66398384079ce6ca7a547c35875f11214b9f771 158698 hplip_3.12.6-3.1_amd64.deb 38e44a69fee471d99cb5c74bc341119615717641 1497840 hplip-dbg_3.12.6-3.1_amd64.deb 5d20a29f54639b2be7f0fcf5d5868554f60e139d 425866 printer-driver-hpijs_3.12.6-3.1_amd64.deb c3efb7317dfc31f977de41be77f2e7da06ba5240 381338 printer-driver-hpcups_3.12.6-3.1_amd64.deb a97573076b470927305b4aff35ecad0b3151c0df 180734 libhpmud0_3.12.6-3.1_amd64.deb cfc7039418959ca8381e04ba368f4b4bf0425184 77152 libhpmud-dev_3.12.6-3.1_amd64.deb 2cac57f747693cb75861eabbaa7d20459da1ab74 200846 libsane-hpaio_3.12.6-3.1_amd64.deb a605bbe7fd1f3894e2f5745181d50311dda65c5d 6853812 hplip-data_3.12.6-3.1_all.deb 4aca7b788cd5ad1a17894b87bc604f770446f0ee 788878 printer-driver-postscript-hp_3.12.6-3.1_all.deb 30a4493577a878c8439a9b80f2cd236e405a302b 87128 hplip-gui_3.12.6-3.1_all.deb 60e79402b41470fed10af1f63d9dfbc9dfe05ada 673968 hplip-doc_3.12.6-3.1_all.deb 85397b4b67ecaf84ce4ad0767109deeabf523e57 613078 hpijs-ppds_3.12.6-3.1_all.deb 5a43b5e1e0e74c914be9800797a4fff7c67de787 72496 hpijs_3.12.6-3.1_all.deb 2703fac78865683d40a61658b7ff76bc5f3f69c4 72500 hplip-cups_3.12.6-3.1_all.deb Checksums-Sha256: 4dea5c11b60cfd499f85d62092581e14153601547621e04ddb28849443d6e4a2 3052 hplip_3.12.6-3.1.dsc 36d91837e905874c8c18bfc1b1473f4dbe91c111004370fb4dadfbf306955952 306220 hplip_3.12.6-3.1.debian.tar.gz 5f59dbca3dd715bc4f771e6cd9e1d2e0e442e14ec99c0431db9d7881c5b8f381 158698 hplip_3.12.6-3.1_amd64.deb 5eb96f06d3e4e3fc1bc2c986d1885815c17bfa4fc4f3a226699727e227db9065 1497840 hplip-dbg_3.12.6-3.1_amd64.deb 5be6707943a06e1acaef1f732ab1bfe027fc09f15ae16e944b11b9187da9afb1 425866 printer-driver-hpijs_3.12.6-3.1_amd64.deb ff00ff0baa1c45d2ac137e91ad9a4a12d83f1235210bd3f9b6de67d49766eaab 381338 printer-driver-hpcups_3.12.6-3.1_amd64.deb 5c44647f434a7e4bbccd92951e1fb2ab26b5e5fb264a69eed578092313ce39c8 180734 libhpmud0_3.12.6-3.1_amd64.deb 8612ba03cb672aa03843cf1c1ee23bfb2b1716c4057d6e9bad6f6d9cbb7b9347 77152 libhpmud-dev_3.12.6-3.1_amd64.deb 246373e0286378cf68c6cdeee75e7dda28fb7c4ebde8896d35896a041277d4b0 200846 libsane-hpaio_3.12.6-3.1_amd64.deb 9f12dc61f5b01f85898a7b3bdd68942d9e722bb0f127324e9962c3eacd71eaad 6853812 hplip-data_3.12.6-3.1_all.deb 26638b402444207d0f17b732acc3a1505b5b7a4d72fd4168b38e97a53410ec4a 788878 printer-driver-postscript-hp_3.12.6-3.1_all.deb 6f9a8b35f95475036c4ec6b5c16aaba0d610b15e55ded522b1a0a176c2d7a1dd 87128 hplip-gui_3.12.6-3.1_all.deb b463fe173aa06f3149b338375cbd88df8e5070e462274aa3a5cc8f7def9f6831 673968 hplip-doc_3.12.6-3.1_all.deb 4393f372b38e103d0000111ff64574df7f20867601bcb537185f8611c347d4cb 613078 hpijs-ppds_3.12.6-3.1_all.deb 715831175ab16631c4ff0e5dd30314e77e0aaa6c080afde375cf7536b6955081 72496 hpijs_3.12.6-3.1_all.deb f6eb1fa83cc200eb37a99bb0a5709cc87546a41416e8290f576e8668a45ef5e9 72500 hplip-cups_3.12.6-3.1_all.deb Files: 9a456ca1a1231ff444bc076dd4246dcc 3052 utils optional hplip_3.12.6-3.1.dsc 04e666f229548336e3fe5e0e25e369f2 306220 utils optional hplip_3.12.6-3.1.debian.tar.gz 54af9e45bddb6f46062c3810e3b2b258 158698 utils optional hplip_3.12.6-3.1_amd64.deb 64d8834f290a5cf3bd4591f6a286c2a1 1497840 debug extra hplip-dbg_3.12.6-3.1_amd64.deb 9a278921300c30aba8f7be9363bcd8bb 425866 text optional printer-driver-hpijs_3.12.6-3.1_amd64.deb 85690721d407321f1a0316538f1e80f9 381338 text optional printer-driver-hpcups_3.12.6-3.1_amd64.deb 486406528bf755dc0f588e2d0c6fb18b 180734 libs optional libhpmud0_3.12.6-3.1_amd64.deb eba02f778d94ba0a6ed40aa2a19baf43 77152 libdevel optional libhpmud-dev_3.12.6-3.1_amd64.deb 156eb72d6c5109ea24d7efbc44f7c1ac 200846 libs optional libsane-hpaio_3.12.6-3.1_amd64.deb e07a6d46c2cebbc96c5ed0441679ad08 6853812 utils optional hplip-data_3.12.6-3.1_all.deb 07e92cc00edb026b940a3c972c3fa023 788878 utils optional printer-driver-postscript-hp_3.12.6-3.1_all.deb c9f699d71788233418f0f76e0f217c1a 87128 utils optional hplip-gui_3.12.6-3.1_all.deb 7b54d6b99f3dcbf9714c113dc51ff8ef 673968 doc optional hplip-doc_3.12.6-3.1_all.deb b6700c3ba8ee403dbd32b03e81c84b85 613078 utils optional hpijs-ppds_3.12.6-3.1_all.deb 31f090843d1275fec8dccba5f23f1582 72496 oldlibs extra hpijs_3.12.6-3.1_all.deb ca83336ffd6c6a5dd7754ecd5bdd5c72 72500 oldlibs extra hplip-cups_3.12.6-3.1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJRMO7bAAoJEGny/FFupxmT5owP/0u5s6G20e45AucspdB4jD3K xqW1vkI8pf5MWMUVXf52MKz5Ut57wPfxdvHUI2al5Ix5/3yh4eT24BkuMF4+5l+a 1DrsV2vjZb0Vp311qkVV2WgswA2pJOnc5HyLAWlLjL66ANYzv2y/ZsfV3wKMBYzJ KbFfeQJvHap5jK2kqA+9CgsFZM6tj82amR4aCwFnyJuAPzvQKpppeVxoI1wpplbH JOdeZJz6EvKRUWbpDrW2G41ofv3yv2dqjrBRUNyGLWwpPLybgAMOBRSSxYE6BNsC 6xWhOiPGt3z9i9S6fdggYR8xxyMU7/XIrPrszpXP4GGcOzJBsDh6n0U6BcfLxvSO /9Nb3V7QsgFu+vYyMIaR13PbPdeljO8gGgj5vEWEd4ByKlrgChSOk7j3dUiEm0MP WpQ9a166/QuAkFe331f9LZUEpj8zILnvJ1AVBMEblsDPJ7eXxe5/vHG/GNG33f2T o75tz3lisHLFUqlNxuHQ/wETtr6NOnoBWtipGTTab3ydV5cj33vWjNQkQPmFOwu4 4WLMzRraHngbwEaVCK3jTB2at0hm7R6fjvpYrWk1TXt0GRaj5Ms9152uXS3Vxgw0 xOOSVlxhg4dQbclOcWFhLEOKALusfo06IBTwN8JN4gvJmzJwKPUUHEUEjg61eG/4 ro8IK9UhJWgMq0xD8doC =t6WX -----END PGP SIGNATURE-----
--- End Message ---