Your message dated Sun, 03 Mar 2013 18:47:55 +0000
with message-id <e1ucdwx-0001gt...@franck.debian.org>
and subject line Bug#701185: fixed in hplip 3.12.6-3.1
has caused the Debian Bug report #701185,
regarding CVE-2013-0200: Insecure temporary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
701185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701185
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hplip
Severity: grave
Tags: security
Justification: user security hole

Several further insecurely handled temporary files were discovered by Red Hat:
https://www.redhat.com/archives/enterprise-watch-list/2013-February/msg00024.html

I've extracted the patch from the RHEL update, it's attached to this mail.

Cheers,
        Moritz
diff -up hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp
--- hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200	2013-01-22 10:57:13.651460928 +0000
+++ hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp	2013-01-22 10:57:34.087541538 +0000
@@ -637,19 +637,22 @@ int HPCupsFilter::processRasterData(cups
         {
             char    szFileName[32];
             memset(szFileName, 0, sizeof(szFileName));
-            snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp", current_page_number);
+            snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp.XXXXXX", current_page_number);
             if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW ||
                 cups_header.cupsColorSpace == CUPS_CSPACE_RGB)
             {
-                cfp = fopen (szFileName, "w");
-                chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+		int fd = mkstemp (szFileName);
+		if (fd != -1)
+		    cfp = fdopen (fd, "w");
             }
             if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW ||
                 cups_header.cupsColorSpace == CUPS_CSPACE_K)
             {
-                szFileName[17] = 'k';
-                kfp = fopen (szFileName, "w");
-                chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+		int fd;
+		snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterk_%d.bmp.XXXXXX", current_page_number);
+		fd = mkstemp (szFileName);
+		if (fd != -1)
+		    kfp = fdopen (fd, "w");
             }
 
             WriteBMPHeader (cfp, cups_header.cupsWidth, cups_header.cupsHeight, COLOR_RASTER);
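Review bot: szFileName is still char[32], and the new template in both snprintf calls stops fitting once current_page_number reaches two digits. "/tmp/hpcupsfilterc_%d.bmp.XXXXXX" is 30 characters plus the digits of the page number, so from page 10 on snprintf truncates the trailing X. mkstemp then rejects the template, which must end in six X characters, and returns -1. In that case cfp and kfp keep whatever value they had before this block, yet the unchanged WriteBMPHeader (cfp, ...) call below still runs. Enlarge the buffer to cover the widest int plus the suffix, and skip the header write or report an error when mkstemp or fdopen fails.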
diff -up hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/SystemServices.cpp
--- hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200	2012-04-10 09:32:37.000000000 +0100
+++ hplip-3.12.4/prnt/hpcups/SystemServices.cpp	2013-01-22 10:57:34.088541545 +0000
@@ -36,10 +36,12 @@ SystemServices::SystemServices(int iLogL
     m_fp = NULL;
     if (iLogLevel & SAVE_PCL_FILE)
     {
+	int	fd;
         char    fname[32];
-        sprintf(fname, "/tmp/hpcups_job%d.out", job_id);
-        m_fp = fopen(fname, "w");
-        chmod(fname, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        sprintf(fname, "/tmp/hpcups_job%d.out.XXXXXX", job_id);
+	fd = mkstemp (fname);
+	if (fd != -1)
+	    m_fp = fdopen(fd, "w");
     }
 }
 
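Review bot: the added ".XXXXXX" suffix can overflow fname in the sprintf call. The template is 26 characters plus the digits of job_id and fname is char[32], so a job_id of six or more digits writes past the end of the buffer, whereas the old name left room for any int. Grow fname and switch to snprintf with sizeof(fname), treating truncation as a failure before calling mkstemp.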
diff -up hplip-3.12.4/prnt/hpijs/hpijs.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpijs/hpijs.cpp
--- hplip-3.12.4/prnt/hpijs/hpijs.cpp.CVE-2013-0200	2013-01-22 10:57:12.219455275 +0000
+++ hplip-3.12.4/prnt/hpijs/hpijs.cpp	2013-01-22 10:57:34.089541549 +0000
@@ -96,13 +96,12 @@ void setLogLevel(UXServices *pSS)
 
     if (pSS->m_iLogLevel & SAVE_PCL_FILE)
     {
+	int	fd;
         char    szFileName[32];
-	sprintf (szFileName, "/tmp/hpijs_%d.out", getpid());
-	pSS->outfp = fopen (szFileName, "w");
-	if (pSS->outfp)
-	{
-	    chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
-	}
+	sprintf (szFileName, "/tmp/hpijs_%d.out.XXXXXX", getpid());
+	fd = mkstemp (szFileName);
+	if (fd != -1)
+	    pSS->outfp = fdopen (fd, "w");
     }
 }
 
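Review bot: on the failure path of the added mkstemp/fdopen lines, pSS->outfp is not touched when mkstemp returns -1, and the descriptor is leaked if fdopen returns NULL. Nothing in the visible lines initialises outfp, so set it to NULL before the block (as SystemServices.cpp and hppsfilter.c do for their FILE pointers), close(fd) when fdopen fails, and consider logging the failure, since the SAVE_PCL_FILE output is otherwise lost silently. The sprintf into szFileName[32] is also worth bounding with snprintf; the new template is 22 characters plus the pid digits.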
diff -up hplip-3.12.4/prnt/hpps/hppsfilter.c.CVE-2013-0200 hplip-3.12.4/prnt/hpps/hppsfilter.c
--- hplip-3.12.4/prnt/hpps/hppsfilter.c.CVE-2013-0200	2012-04-10 09:32:37.000000000 +0100
+++ hplip-3.12.4/prnt/hpps/hppsfilter.c	2013-01-22 10:57:34.089541549 +0000
@@ -92,10 +92,12 @@ void open_dbg_outfile(char* szjob_id)
     g_fp_outdbgps = NULL;
     if (g_savepsfile & SAVE_PS_FILE)
     {
+	int	fd;
         char    sfile_name[FILE_NAME_SIZE] = {0};
-        sprintf(sfile_name, DBG_PSFILE, szjob_id);
-        g_fp_outdbgps= fopen(sfile_name, "w");
-        chmod(sfile_name, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        sprintf(sfile_name, DBG_PSFILE ".XXXXXX", szjob_id);
+	fd = mkstemp (sfile_name);
+	if (fd != -1)
+	    g_fp_outdbgps = fdopen(fd, "w");
     }
 }
 
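Review bot: the sprintf into sfile_name now writes seven more bytes than before, and neither FILE_NAME_SIZE nor the expansion of DBG_PSFILE is visible in this hunk, so nothing here shows that the longer template plus szjob_id (a caller-supplied string) still fits. Please confirm the buffer size against the longest expected job id, or use snprintf (sfile_name, sizeof(sfile_name), ...) and bail out on truncation, because a truncated template will not end in XXXXXX and mkstemp will fail. The DBG_PSFILE ".XXXXXX" concatenation also relies on DBG_PSFILE being a plain string literal macro, which deserves a comment at its definition.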

--- End Message ---
--- Begin Message ---
Source: hplip
Source-Version: 3.12.6-3.1

We believe that the bug you reported is fixed in the latest version of
hplip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramac...@debian.org> (supplier of updated hplip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Mar 2013 18:21:48 +0100
Source: hplip
Binary: hplip hplip-data printer-driver-postscript-hp hplip-gui hplip-dbg hplip-doc hpijs-ppds hpijs printer-driver-hpijs hplip-cups printer-driver-hpcups libhpmud0 libhpmud-dev libsane-hpaio
Architecture: source amd64 all
Version: 3.12.6-3.1
Distribution: unstable
Urgency: high
Maintainer: Debian HPIJS and HPLIP maintainers <pkg-hpijs-de...@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramac...@debian.org>
Description: 
 hpijs      - transitional dummy package for hpijs printer driver
 hpijs-ppds - HP Linux Printing and Imaging - HPIJS PPD files
 hplip      - HP Linux Printing and Imaging System (HPLIP)
 hplip-cups - transitional dummy package for hpcups printer driver
 hplip-data - HP Linux Printing and Imaging - data files
 hplip-dbg  - HP Linux Printing and Imaging - debugging information
 hplip-doc  - HP Linux Printing and Imaging - documentation
 hplip-gui  - HP Linux Printing and Imaging - GUI utilities (Qt-based)
 libhpmud-dev - HP Multi-Point Transport Driver (hpmud) development libraries
 libhpmud0  - HP Multi-Point Transport Driver (hpmud) run-time libraries
 libsane-hpaio - HP SANE backend for multi-function peripherals
 printer-driver-hpcups - HP Linux Printing and Imaging - CUPS Raster driver (hpcups)
 printer-driver-hpijs - HP Linux Printing and Imaging - gs IJS driver (hpijs)
 printer-driver-postscript-hp - HP Printers PostScript Descriptions
Closes: 701185
Changes: 
 hplip (3.12.6-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * debian/patches/CVE-2013-0200.patch: Fix CVE-2013-0200 by applying the
     patch from Red Hat. Additionally increase the buffers to mitigate a
     regression and a buffer overflow. (Closes: #701185)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
