REDHAT-BUG-725830
First published: Tue Jul 26 2011(Updated: )
A temporary file handling flaw was reported [1] in prnt/hpijs/hpcupsfax.cpp, the hplip HP CUPS filter. Because a predicatable temporary filename is used (/tmp/hpcupsfax.out), an attacker could use a symlink attack to overwrite an arbitrary file with the privileges of the process running the HP CUPS fax filter. 422 FILE *fp; 423 fp = NULL; 424 if (iLogLevel & SAVE_PCL_FILE) 425 { 426 fp = fopen ("/tmp/hpcupsfax.out", "w"); 427 system ("chmod 666 /tmp/hpcupsfax.out"); 428 } 429 while ((i = read (fdFax, pTmp, iSize)) > 0) 430 { 431 write (STDOUT_FILENO, pTmp, i); 432 if (iLogLevel & SAVE_PCL_FILE && fp) 433 { 434 fwrite (pTmp, 1, i, fp); 435 } 436 } 437 free (pTmp); This flaw only exists in hplip 3.x and is not present in earlier versions of hplip. [1] <a href="https://bugzilla.novell.com/show_bug.cgi?id=704608">https://bugzilla.novell.com/show_bug.cgi?id=704608</a> Statement: This issue did not affect the versions of hplip as shipped with Red Hat Enterprise Linux 5. A future update in Red Hat Enterprise Linux 5 (for hplip3) and 6 may address this flaw.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HPLIP (HP Linux Imaging and Printing) | >=3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.novell.com/show_bug.cgi?id=704608
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=725831
- http://www.openwall.com/lists/oss-security/2011/07/26/14
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=515866&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=515866&action=edit
- https://bugs.launchpad.net/hplip/+bug/809904
- http://hplipopensource.com/hplip-web/release_notes.html
- https://rhn.redhat.com/errata/RHSA-2013-0133.html
- https://rhn.redhat.com/errata/RHSA-2013-0500.html
- https://bugzilla.redhat.com/show_bug.cgi?id=725830
Frequently Asked Questions
What is the severity of REDHAT-BUG-725830?
The severity of REDHAT-BUG-725830 is considered to be high due to the potential for arbitrary file overwrites.
How do I fix REDHAT-BUG-725830?
To fix REDHAT-BUG-725830, update the HPLIP software to version 3.0 or higher, or apply the relevant security patch provided by HP.
What is the nature of the vulnerability in REDHAT-BUG-725830?
REDHAT-BUG-725830 is a temporary file handling flaw that allows for symlink attacks leading to arbitrary file overwrites.
Which software is affected by REDHAT-BUG-725830?
REDHAT-BUG-725830 affects the HP hplip software starting from version 3.0.
What kind of attacks can be executed due to REDHAT-BUG-725830?
Due to REDHAT-BUG-725830, attackers can execute symlink attacks to overwrite files with the privileges of the HP CUPS process.
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-2722
- agent/severity
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/hp
- canonical/hplip (hp linux imaging and printing)