REDHAT-BUG-725830

First published: Tue Jul 26 2011(Updated: )

A temporary file handling flaw was reported [1] in prnt/hpijs/hpcupsfax.cpp, the hplip HP CUPS filter. Because a predicatable temporary filename is used (/tmp/hpcupsfax.out), an attacker could use a symlink attack to overwrite an arbitrary file with the privileges of the process running the HP CUPS fax filter. 422 FILE *fp; 423 fp = NULL; 424 if (iLogLevel &amp; SAVE_PCL_FILE) 425 { 426 fp = fopen ("/tmp/hpcupsfax.out", "w"); 427 system ("chmod 666 /tmp/hpcupsfax.out"); 428 } 429 while ((i = read (fdFax, pTmp, iSize)) &gt; 0) 430 { 431 write (STDOUT_FILENO, pTmp, i); 432 if (iLogLevel &amp; SAVE_PCL_FILE &amp;&amp; fp) 433 { 434 fwrite (pTmp, 1, i, fp); 435 } 436 } 437 free (pTmp); This flaw only exists in hplip 3.x and is not present in earlier versions of hplip. [1] <a href="https://bugzilla.novell.com/show_bug.cgi?id=704608">https://bugzilla.novell.com/show_bug.cgi?id=704608</a> Statement: This issue did not affect the versions of hplip as shipped with Red Hat Enterprise Linux 5. A future update in Red Hat Enterprise Linux 5 (for hplip3) and 6 may address this flaw.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/references
• agent/type
• agent/last-modified-date
• agent/first-publish-date
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2011-2722
• agent/severity
• agent/description
• agent/event
• agent/trending
• agent/source
• agent/softwarecombine
• agent/tags
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• vendor/hp
• canonical/hewlett-packard hplip