Bug 9153

Summary: hplip new security issue CVE-2013-0200
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: olivier.delaune, sysadmin-bugs, tmb, wrw105
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/539434/
Whiteboard: MGA2-32-OK, MGA2-64-OK
Source RPM: hplip-3.12.4-1.1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2013-02-21 23:49:47 CET 
RedHat has issued an advisory today (February 21):
https://rhn.redhat.com/errata/RHSA-2013-0500.html

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated hplip packages fix security vulnerability:

Several temporary file handling flaws were found in HPLIP. A local attacker
could use these flaws to perform a symbolic link attack, overwriting
arbitrary files accessible to a process using HPLIP (CVE-2013-0200).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0200
https://rhn.redhat.com/errata/RHSA-2013-0500.html
========================

Updated packages in core/updates_testing:
========================
hplip-3.12.4-1.2.mga2
libhpip0-3.12.4-1.2.mga2
libhpip0-devel-3.12.4-1.2.mga2
libsane-hpaio1-3.12.4-1.2.mga2
hplip-model-data-3.12.4-1.2.mga2
hplip-gui-3.12.4-1.2.mga2
hplip-hpijs-3.12.4-1.2.mga2
hplip-hpijs-ppds-3.12.4-1.2.mga2
hplip-doc-3.12.4-1.2.mga2

from hplip-3.12.4-1.2.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-02-22 18:22:21 CET 
Patch checked into Mageia 1 SVN.
Comment 2 Bill Wilkinson 2013-02-23 03:47:13 CET 
Testing i586 with hp laserjet 6l printer.

Checked new files written to /tmp --needed a long-ish document to generate files.

before update:

linked files written to /tmp with user and group root

after update:

linked files written to /tmp with user and group as currently logged in user.

/tmp files written during scanning with hp scanjet 5p (SCSI) were not symlinks and were delete upon closing xsane.

able to print with unupdated cups on remote laptop. Apparently due to the greater RAM in the laptop, no files written to /tmp on either machine with up to 12 pages of graphics-heavy ppd attempted.

CC: (none) => wrw105

Comment 3 Bill Wilkinson 2013-02-23 04:25:53 CET 
Per Luigi12: new filenames in /tmp should be:

the filenames from the patched code are /tmp/hpcupsfilterc_%d.bmp.XXXXXX, /tmp/hpcupsfilterk_%d.bmp.XXXXXX, /tmp/hpcups_job%d.out.XXXXXX, /tmp/hpijs_%d.out.XXXXXX, and I'm not sure what the last one is. The %d's are also numbers BTW.

They seem to have been deleted before I could find them.

MGA2-32-OK

Whiteboard: (none) => MGA2-32-OK

Comment 4 David Walser 2013-02-23 04:28:52 CET 
(In reply to Bill Wilkinson from comment #3)
> Per Luigi12: new filenames in /tmp should be:
> 
> the filenames from the patched code are /tmp/hpcupsfilterc_%d.bmp.XXXXXX,
> /tmp/hpcupsfilterk_%d.bmp.XXXXXX, /tmp/hpcups_job%d.out.XXXXXX,
> /tmp/hpijs_%d.out.XXXXXX, and I'm not sure what the last one is. The %d's
> are also numbers BTW.

To be clear, I said also at the end because I'd previously pointed out that the XXXXXX should be a random number as well.
Comment 5 Olivier Delaune 2013-02-23 18:45:55 CET 
Testing on Mageia 2 64-bits with a DCP J140W. I printed test page without any problem.

CC: (none) => olivier.delaune
Whiteboard: MGA2-32-OK => MGA2-32-OK, MGA2-64-OK

Comment 6 claire robinson 2013-02-23 18:50:19 CET 
Thanks guys, well done

Validating

Advisory & srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2013-02-27 22:08:18 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0072

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED