Bugzilla – Bug 1214399
VUL-0: hplip: use of fixed temporary paths in hppsfilter.c
Last modified: 2024-01-04 10:26:10 UTC
+++ This bug was initially created as a clone of Bug #1213332

The program /usr/lib/cups/filter/hpps has some insecure fixed /tmp path use, found in prnt/hpps/hppsfilter.c:

prnt/hpps/hppsfilter.c: sprintf(booklet_filename, "/tmp/%s.ps","booklet");
prnt/hpps/hppsfilter.c: sprintf(temp_filename, "/tmp/%s.ps","temp");
prnt/hpps/hppsfilter.c: sprintf(Nup_filename, "/tmp/%s.ps","NUP");

These are only used if "booklet printing" is enabled. The logic can be forced by invoking the program like this:

/usr/lib/cups/filter/hpps some-job some-user some-title 10 HPBookletFilter=10,fitplot,Duplex=DuplexTumble,number-up=1

The program will expect data to print on stdin this way. Just typing in some garbage data and pressing ctrl-d will make it continue. There's a chance that it will segfault, since error returns are largely not checked in this program.

There is also a `chmod()` on the /tmp/temp.ps file:

hppsfilter.c:110 chmod(temp_filename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);

The data to print (from stdin) is written to this file, and the file is also made world readable explicitly using this chmod(). The issues with this are multifold:

- there is an information leak, since the print job data will become visible to everybody in the system.
- there is violated data integrity, since other users can pre-create this file and manipulate the data to print.
- it may allow creating files in unexpected places if the kernel's symlink protection is not around.
- it may allow further unspecified impact if crafted data is placed into /tmp/temp.ps which is processed by the complex `PS_Booklet` function.

I will not research further if this could lead to code execution. The issue is bad enough as it is. All three temporary file paths need to be replaced by safely created temporary files.

I will approach upstream about this.
All right, I shared the information on the launchpad bug tracker. I tagged it as security, which results in a private bug: https://bugs.launchpad.net/hplip/+bug/2032375

If some of you want to be added to the bug then tell me so, I should be able to add you. Supposedly this involves also some HP security people so let's see whether there is a timely reaction. Should nothing happen within two weeks then we can push a bit harder and publish at our own discretion if this still doesn't help.
When working actively with this code base it shows that these tmp file issues are only the worst part of its problems. That code is really in a sorry state, the compiler warnings alone are a mess. Anyway you can find a patch for the tmp file issues in attachment 869377 [details]. It's against the openSUSE:Factory version but I have hopes that the patch also applies to older versions. The patch compiles and I tested the patched Factory version on Tumbleweed a bit. The safe tmp file paths are correctly used and deleted again, and the program didn't crash any more often than it did before applying the patch.
(In reply to Matthias Gerstner from comment #18)

> When working actively with this code base it shows that these tmp file issues
> are only the worst part of its problems. That code is really in a sorry state,
> the compiler warnings alone are a mess.

No objections from my side.

> Anyway you can find a patch for the tmp file issues in attachment 869377 [details]. It's
> against the openSUSE:Factory version but I have hopes that the patch also
> applies to older versions. The patch compiles and I tested the patched Factory
> version on Tumbleweed a bit. The safe tmp file paths are correctly used and
> deleted again, and the program didn't crash any more often than it did before
> applying the patch.

Thanks. The patch looks good to me. One nitpick: You could consider using atexit(cleanup_tempfiles()) to make sure no exit path is overlooked.
Created attachment 869534 [details] new version of the patch using atexit()
> Thanks. The patch looks good to me. One nitpick: You could consider using
> atexit(cleanup_tempfiles()) to make sure no exit path is overlooked.

I attached a new version of the patch that has this feature.
Thanks. IMO if you use atexit(), you don't need to call cleanup_tempfiles() from anywhere else. But as you've programmed the function such that it can be invoked multiple times without issues, I don't think that's a problem.
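Added example (not hplip code and not the patch from attachment 869377 or 869534): the fixed-path pattern from the report replaced by mkstemp()-created private files, with one idempotent cleanup routine registered through atexit() as discussed in the comments above. The helper names (create_private_tmp, fd_is_private_regular, cleanup_tempfiles, the g_tmpfiles registry) are hypothetical; the job data in main() is constructed sample input. The check function fd_is_private_regular() is the sort of post-condition a reviewer can use to confirm that no chmod() like the one at hppsfilter.c:110 has crept back in.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical helper names (not hplip's): a small registry of temp files
 * that one cleanup routine, registered once via atexit(), removes on any
 * exit path. cleanup_tempfiles() is safe to call more than once. */
#define TMP_MAX_FILES 3
#define TMP_PATH_LEN 4096

static char g_tmpfiles[TMP_MAX_FILES][TMP_PATH_LEN];
static int g_tmpcount = 0;
static int g_cleanup_registered = 0;

void cleanup_tempfiles(void)
{
    for (int i = 0; i < g_tmpcount; i++) {
        if (g_tmpfiles[i][0] != '\0') {
            unlink(g_tmpfiles[i]);   /* ENOENT is fine: file may already be gone */
            g_tmpfiles[i][0] = '\0'; /* never unlink the same name twice */
        }
    }
    g_tmpcount = 0;
}

/* Create a private temporary file for `prefix` (e.g. "booklet") in $TMPDIR
 * or /tmp. The unpredictable name plus O_EXCL inside mkstemp() defeats
 * pre-created files and symlinks; mode 0600 replaces the world-readable
 * chmod() from the report. Returns an open fd and fills pathbuf, or -1. */
int create_private_tmp(const char *prefix, char *pathbuf, size_t buflen)
{
    if (g_tmpcount >= TMP_MAX_FILES)
        return -1;

    const char *dir = getenv("TMPDIR");
    if (dir == NULL || dir[0] == '\0')
        dir = "/tmp";

    int n = snprintf(pathbuf, buflen, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= buflen || n >= TMP_PATH_LEN)
        return -1;

    mode_t old = umask(077);     /* belt and braces: mkstemp already uses 0600 */
    int fd = mkstemp(pathbuf);
    umask(old);
    if (fd < 0)
        return -1;

    if (!g_cleanup_registered) {
        atexit(cleanup_tempfiles);
        g_cleanup_registered = 1;
    }
    strncpy(g_tmpfiles[g_tmpcount], pathbuf, TMP_PATH_LEN - 1);
    g_tmpfiles[g_tmpcount][TMP_PATH_LEN - 1] = '\0';
    g_tmpcount++;
    return fd;
}

/* Check that fd is a regular file owned by us that group/others can neither
 * read nor write. Returns 1 if private, 0 otherwise. Checking the fd rather
 * than the path avoids a second lookup that a symlink could redirect. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != geteuid())
        return 0;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return 0;
    return 1;
}

int main(void)
{
    char path[TMP_PATH_LEN];
    int fd = create_private_tmp("booklet", path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    const char *job = "%!PS-Adobe-3.0\n";  /* constructed sample job data */
    if (write(fd, job, strlen(job)) < 0) { perror("write"); return 1; }
    printf("%s private=%d\n", path, fd_is_private_regular(fd));
    close(fd);
    return 0;   /* the atexit handler removes the file */
}
```

The point of the `g_tmpfiles[i][0] = '\0'` line is what comment 21 relies on: the function can be called explicitly on an early error path and again from the atexit handler without unlinking a name twice, which matters because a second unlink() of a predictable name could otherwise remove a file someone else created in the meantime.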
Sorry for the continued silence. The 90 days maximum embargo time we offer will be reached this week so I will publish the finding by the end of the week no matter what. You can already submit updates in IBS and prepare updates for OBS. I suggest to publish on Friday 2023-11-17.
Do we have a CVE number for our changelogs?
I've prepared submissions for SLE15-SP2, SP3, SP4. I didn't submit them yet because of the missing CVE number. I have submitted the current factory package to SLE15-SP6, and will add the patch there once it hits factory. hplip 3.16.11 in SLE12-SP5 doesn't support booklet mode yet, and thus doesn't need this patch.
(In reply to martin.wilck@suse.com from comment #28) > Do we have a CVE number for our changelogs? No there is no CVE, because HP upstream is a Mitre CNA and we are not allowed to circumvent them. Since they don't react there's nothing we can do. The bsc# reference will have to suffice.
I published the full report on the oss-security mailing list: https://www.openwall.com/lists/oss-security/2023/11/17/1 Thanks for working on the updates. If all updates have been submitted then please reassign the bug to security-team@suse.de. My colleagues will take care of closing the bug once all updates are released.
https://build.opensuse.org/request/show/1127274

SLE-15-SP6: https://build.suse.de/request/show/313016

Reassigning to security team per comment 34.
SUSE-SU-2023:4710-1: An update that has one security fix can now be installed.

Category: security (moderate)
Bug References: 1214399

Sources used:
Basesystem Module 15-SP5 (src): hplip-3.21.10-150400.3.11.1
Desktop Applications Module 15-SP4 (src): hplip-3.21.10-150400.3.11.1
Desktop Applications Module 15-SP5 (src): hplip-3.21.10-150400.3.11.1
openSUSE Leap 15.4 (src): hplip-3.21.10-150400.3.11.1
openSUSE Leap 15.5 (src): hplip-3.21.10-150400.3.11.1
Basesystem Module 15-SP4 (src): hplip-3.21.10-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
upstream has silently added this patch in 3.23.12.