Bug 713717 (CVE-2011-2923)

Summary: VUL-1: CVE-2011-2923, CVE-2011-2924: foomatic (foomatic-filters): foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data
Product: [Novell Products] SUSE Security Incidents Reporter: Matthias Weckbecker <mweckbecker>
Component: GeneralAssignee: Johannes Meixner <jsmeix>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: security-team, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: SUSE Other   
Whiteboard: maint:planned:update CVSSv2:NVD:CVE-2011-2923:3.3:(AV:L/AC:M/Au:N/C:N/I:P/A:P) CVSSv2:NVD:CVE-2011-2924:3.3:(AV:L/AC:M/Au:N/C:N/I:P/A:P) CVSSv2:RedHat:CVE-2011-2923:1.9:(AV:L/AC:M/Au:N/C:N/I:P/A:N) CVSSv3:NVD:CVE-2011-2923:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) CVSSv3:NVD:CVE-2011-2924:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) CVSSv2:RedHat:CVE-2011-2924:1.9:(AV:L/AC:M/Au:N/C:N/I:P/A:N) CVSSv3.1:NVD:CVE-2011-2923:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) CVSSv3.1:NVD:CVE-2011-2924:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Matthias Weckbecker 2011-08-23 12:52:37 UTC 
Received over oss-security:

-----------------------------------------------------------------------
Hello Josh, Steve, vendors,

   by further investigation of hplip CVE-2011-2722 issue:
   [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2722

Tim Waugh noticed the similar issue being present also in foomatic-rip
universal print filter, when debug mode is enabled. Further details:

It was found that foomatic-rip filter used insecurely created temporary
file for storage of PostScript data by rendering the data, intended to 
be sent to the PostScript filter, when the debug mode was enabled. A 
local attacker could use this flaw to conduct symlink attacks (overwrite 
arbitrary file accessible with the privileges of the user running the 
foomatic-rip universal print filter).

Relevant source code part (Perl script part / foomatic-rip.in):
===============================================================
    100 my $logfile = "/tmp/foomatic-rip";
   ..
   3454  # In debug mode save the data supposed to be fed
           into the
   3455  # renderer also into a file
   3456  if ($debug) {
   3457    $commandline = "tee -a ${logfile}.ps | ( $commandline )";
   3458  }

Note: The $logfile variable declaration (line #100) is not an insecure
       temporary file use issue itself, since this danger (and its proper
       usage) is documented in /etc/foomatic/filters.conf file.

Relevant source code part (C script part / renderer.c):
========================================================
    436  /* Save the data supposed to be fed into the renderer
           also int        o a file*/
    437  dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( ");
    438  dstrcat(commandline, ")");
    439  }

Note: The LOG_FILE variable declaration by itself is not an insecure
       temporary file use, since this danger (and its proper usage)
       is documented in /etc/foomatic/filters.conf file.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=726426

Credit: Issue discovered by Tim Waugh

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
-----------------------------------------------------------------------
Comment 1 Johannes Meixner 2011-09-21 09:10:11 UTC 
Because Swamp Workflow Management set it as "maint:planned:update"
I adjust the priority from "medium" to "low".
Comment 2 Johannes Meixner 2012-02-10 15:03:20 UTC 
Upgraded foomatic-filters to 4.0.9.242
which is a bugfix release that fixes this bug.

Submitted to OBS project "Printing" via submitrequest 103363

Should be automatically submitted to openSUSE:Factory according to
http://lists.opensuse.org/opensuse-packaging/2012-01/msg00191.html
Comment 3 SMASH SMASH 2015-12-02 11:01:29 UTC 
An update workflow for this issue was started.

This issue was rated as "low".
Please submit fixed packages until "Dec. 16, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/121074/.
Comment 4 Swamp Workflow Management 2016-01-13 17:08:54 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-01-27.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62431
Comment 7 Marcus Meissner 2021-11-03 15:41:30 UTC 
i guess it is now fixed in all yet maitnained products.