Your message dated Sat, 09 Mar 2013 01:03:25 +0000 with message-id <E1UE8C5-0000ef-A0@franck.debian.org> and subject line Bug#701185: fixed in hplip 3.13.3-1 has caused the Debian Bug report #701185, regarding CVE-2013-0200: Insecure temporary files to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 701185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701185 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: CVE-2013-0200: Insecure temporary files
- From: Moritz Muehlenhoff <jmm@inutil.org>
- Date: Fri, 22 Feb 2013 15:15:13 +0100
- Message-id: <20130222141512.12046.52556.reportbug@m25s06.vlinux.de>
Package: hplip Severity: grave Tags: security Justification: user security hole Several further insecurely handled temporary files were discovered by Red Hat: https://www.redhat.com/archives/enterprise-watch-list/2013-February/msg00024.html I've extracted the patch from the RHEL update, it's attached to this mail. Cheers, Moritzdiff -up hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp --- hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp.CVE-2013-0200 2013-01-22 10:57:13.651460928 +0000 +++ hplip-3.12.4/prnt/hpcups/HPCupsFilter.cpp 2013-01-22 10:57:34.087541538 +0000 @@ -637,19 +637,22 @@ int HPCupsFilter::processRasterData(cups { char szFileName[32]; memset(szFileName, 0, sizeof(szFileName)); - snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp", current_page_number); + snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp.XXXXXX", current_page_number); if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW || cups_header.cupsColorSpace == CUPS_CSPACE_RGB) { - cfp = fopen (szFileName, "w"); - chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + int fd = mkstemp (szFileName); + if (fd != -1) + cfp = fdopen (fd, "w"); } if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW || cups_header.cupsColorSpace == CUPS_CSPACE_K) { - szFileName[17] = 'k'; - kfp = fopen (szFileName, "w"); - chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + int fd; + snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterk_%d.bmp.XXXXXX", current_page_number); + fd = mkstemp (szFileName); + if (fd != -1) + kfp = fdopen (fd, "w"); } WriteBMPHeader (cfp, cups_header.cupsWidth, cups_header.cupsHeight, COLOR_RASTER); diff -up hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpcups/SystemServices.cpp --- hplip-3.12.4/prnt/hpcups/SystemServices.cpp.CVE-2013-0200 2012-04-10 09:32:37.000000000 +0100 +++ hplip-3.12.4/prnt/hpcups/SystemServices.cpp 2013-01-22 10:57:34.088541545 +0000 @@ -36,10 +36,12 @@ SystemServices::SystemServices(int iLogL m_fp = NULL; if (iLogLevel & SAVE_PCL_FILE) { + int fd; char fname[32]; - sprintf(fname, "/tmp/hpcups_job%d.out", job_id); - m_fp = fopen(fname, "w"); - chmod(fname, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + sprintf(fname, "/tmp/hpcups_job%d.out.XXXXXX", job_id); + fd = mkstemp (fname); + if (fd != -1) + m_fp = fdopen(fd, "w"); } } diff -up hplip-3.12.4/prnt/hpijs/hpijs.cpp.CVE-2013-0200 hplip-3.12.4/prnt/hpijs/hpijs.cpp --- hplip-3.12.4/prnt/hpijs/hpijs.cpp.CVE-2013-0200 2013-01-22 10:57:12.219455275 +0000 +++ hplip-3.12.4/prnt/hpijs/hpijs.cpp 2013-01-22 10:57:34.089541549 +0000 @@ -96,13 +96,12 @@ void setLogLevel(UXServices *pSS) if (pSS->m_iLogLevel & SAVE_PCL_FILE) { + int fd; char szFileName[32]; - sprintf (szFileName, "/tmp/hpijs_%d.out", getpid()); - pSS->outfp = fopen (szFileName, "w"); - if (pSS->outfp) - { - chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); - } + sprintf (szFileName, "/tmp/hpijs_%d.out.XXXXXX", getpid()); + fd = mkstemp (szFileName); + if (fd != -1) + pSS->outfp = fdopen (fd, "w"); } } diff -up hplip-3.12.4/prnt/hpps/hppsfilter.c.CVE-2013-0200 hplip-3.12.4/prnt/hpps/hppsfilter.c --- hplip-3.12.4/prnt/hpps/hppsfilter.c.CVE-2013-0200 2012-04-10 09:32:37.000000000 +0100 +++ hplip-3.12.4/prnt/hpps/hppsfilter.c 2013-01-22 10:57:34.089541549 +0000 @@ -92,10 +92,12 @@ void open_dbg_outfile(char* szjob_id) g_fp_outdbgps = NULL; if (g_savepsfile & SAVE_PS_FILE) { + int fd; char sfile_name[FILE_NAME_SIZE] = {0}; - sprintf(sfile_name, DBG_PSFILE, szjob_id); - g_fp_outdbgps= fopen(sfile_name, "w"); - chmod(sfile_name, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + sprintf(sfile_name, DBG_PSFILE ".XXXXXX", szjob_id); + fd = mkstemp (sfile_name); + if (fd != -1) + g_fp_outdbgps = fdopen(fd, "w"); } }
--- End Message ---
--- Begin Message ---
- To: 701185-close@bugs.debian.org
- Subject: Bug#701185: fixed in hplip 3.13.3-1
- From: Mark Purcell <msp@debian.org>
- Date: Sat, 09 Mar 2013 01:03:25 +0000
- Message-id: <E1UE8C5-0000ef-A0@franck.debian.org>
Source: hplip Source-Version: 3.13.3-1 We believe that the bug you reported is fixed in the latest version of hplip, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 701185@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Mark Purcell <msp@debian.org> (supplier of updated hplip package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Sat, 09 Mar 2013 11:29:44 +1100 Source: hplip Binary: hplip hplip-data printer-driver-postscript-hp hplip-gui hplip-dbg hplip-doc hpijs-ppds hpijs printer-driver-hpijs hplip-cups printer-driver-hpcups libhpmud0 libhpmud-dev libsane-hpaio Architecture: source amd64 all Version: 3.13.3-1 Distribution: experimental Urgency: low Maintainer: Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org> Changed-By: Mark Purcell <msp@debian.org> Description: hpijs - transitional dummy package for hpijs printer driver hpijs-ppds - HP Linux Printing and Imaging - HPIJS PPD files hplip - HP Linux Printing and Imaging System (HPLIP) hplip-cups - transitional dummy package for hpcups printer driver hplip-data - HP Linux Printing and Imaging - data files hplip-dbg - HP Linux Printing and Imaging - debugging information hplip-doc - HP Linux Printing and Imaging - documentation hplip-gui - HP Linux Printing and Imaging - GUI utilities (Qt-based) libhpmud-dev - HP Multi-Point Transport Driver (hpmud) development libraries libhpmud0 - HP Multi-Point Transport Driver (hpmud) run-time libraries libsane-hpaio - HP SANE backend for multi-function peripherals printer-driver-hpcups - HP Linux Printing and Imaging - CUPS Raster driver (hpcups) printer-driver-hpijs - HP Linux Printing and Imaging - gs IJS driver (hpijs) printer-driver-postscript-hp - HP Printers PostScript Descriptions Closes: 690362 701185 Changes: hplip (3.13.3-1) experimental; urgency=low . * New Upstream Release - Fixes CVE-2013-0200 (Closes: #701185) - Fixes "hp-check does not find installed Xsane" (Closes: #690362) * Ack NMU - Thanks Sebastian Ramacher Checksums-Sha1: 6358892c70b481aa1f987dc6223ff72648ea07bb 2404 hplip_3.13.3-1.dsc e571cfac1a30c947b3526de691cbe3cf31590bfb 21685109 hplip_3.13.3.orig.tar.gz 993da7c862cdc05ddd8494a80f803156aa79ab90 106978 hplip_3.13.3-1.debian.tar.gz aadb81cc73045a9104c636a26ec3c86279b5a9dc 163046 hplip_3.13.3-1_amd64.deb 619ba81857d49bf06da6d8af8b1d88c821fc9ec4 1516656 hplip-dbg_3.13.3-1_amd64.deb 768796876f7af78747aeb7407c336d5b5a592a72 429946 printer-driver-hpijs_3.13.3-1_amd64.deb 5be2855ce5130ab2eb8e52b3fe30ecf6f1615eca 386640 printer-driver-hpcups_3.13.3-1_amd64.deb 40f28eae50f6f76ceb28fc280ad170c32c790ce8 184240 libhpmud0_3.13.3-1_amd64.deb 734066c174d6299514db2cb9718b560b07dea29e 78214 libhpmud-dev_3.13.3-1_amd64.deb 7b887593788826a135c8af6570f97778b3f0e13b 208146 libsane-hpaio_3.13.3-1_amd64.deb 184b2be9be9453791b5f8609076d897459f146f5 6893866 hplip-data_3.13.3-1_all.deb 3adf1e8d7050b396b8154515364e1c10b2f3d058 956816 printer-driver-postscript-hp_3.13.3-1_all.deb e01aee290f9ba36296c740df018aba1c244268dc 89978 hplip-gui_3.13.3-1_all.deb 7599deb4d7f226dbad571cc3345a9846e0d1f7fa 677036 hplip-doc_3.13.3-1_all.deb ca3dfe011088f41cff906ce60108f7a2d605d421 698336 hpijs-ppds_3.13.3-1_all.deb befffbe2ffec2e51b90b95ad777027358e0842df 73656 hpijs_3.13.3-1_all.deb 054a34d7cfa1f81c3f1c82714eb2a7627cc9abf8 73668 hplip-cups_3.13.3-1_all.deb Checksums-Sha256: 76c827617449ce35e1ea2469928e512be97cee1ede8b3086418ea0bcdd6c8936 2404 hplip_3.13.3-1.dsc 36e590b06f3810c13cfba7721f0a75b3d3f0133a7d62312d5d25864fa6d94366 21685109 hplip_3.13.3.orig.tar.gz 0ef02c226770d61856de2db8c4c2622e832e4753e07711f5c4a7cc4896bfc153 106978 hplip_3.13.3-1.debian.tar.gz befc0cdf0e2378758983bed2a3eed055c8beff6bcf0037541fbf94dedb48ba31 163046 hplip_3.13.3-1_amd64.deb 159cc67c77d6520bf3010c890ee2e10c408986d5b9d99a242a4836fe815723cf 1516656 hplip-dbg_3.13.3-1_amd64.deb 0bbd84489ea489ebf737f3e3e6b2ca6ceacd897a4792b1bd163d788b3e8e8dc8 429946 printer-driver-hpijs_3.13.3-1_amd64.deb be629b20b042f4eeba4f03a48d36b3dc3f38d94badaea2afcdad9712eb845c81 386640 printer-driver-hpcups_3.13.3-1_amd64.deb 13296f11dcabff75859e2b559c97b046c39a7b697dc6b5d017a3fe68c88265f3 184240 libhpmud0_3.13.3-1_amd64.deb ce90846f284d6230bf8c28cdd80cf38d5380ec9a8ae1af24dc1d2a7b609ffea2 78214 libhpmud-dev_3.13.3-1_amd64.deb 859fc8fe0eff559b1a9525e17e9ac85d4368bff4eb648f03d99385f12fa7005e 208146 libsane-hpaio_3.13.3-1_amd64.deb aae9116dcec2eb5c123a61e69da546d5604e7c53f0aad6ef04fcf58dc69d40ec 6893866 hplip-data_3.13.3-1_all.deb 9f1bcec5486186e138a0df76bbcc97a15314c56f04f95bb19508db4bbb28e3f6 956816 printer-driver-postscript-hp_3.13.3-1_all.deb 98df6a04c529869f99f7b88563bd838debd7e21f1d5ad6be9293aac8e812b35d 89978 hplip-gui_3.13.3-1_all.deb 970050aa45d9c54f8136e721b3a1680abd3af67df1f18ef48b103ff8086afa2e 677036 hplip-doc_3.13.3-1_all.deb 6b293141f5b3d18baaa6ad34db8f5aef83f8650dde44647187a9ffb81bb028db 698336 hpijs-ppds_3.13.3-1_all.deb 1733e17b265c054822db046ecd71ab9551db43628eace62680a20528204fc5f8 73656 hpijs_3.13.3-1_all.deb 1dcb4c2684f81ad770275ebea182b729503ba31c2027768fdd71ad2ae2426b98 73668 hplip-cups_3.13.3-1_all.deb Files: e1cdd54c0497c07919367ddfb7e16fed 2404 utils optional hplip_3.13.3-1.dsc 4a378cc08f7a4f131968c0966c1ceb8c 21685109 utils optional hplip_3.13.3.orig.tar.gz 3b7cce05b1ae30ef8f6ab9cad79247a9 106978 utils optional hplip_3.13.3-1.debian.tar.gz 6aba2f3259629f5c2522b51a706663de 163046 utils optional hplip_3.13.3-1_amd64.deb bcd5773148a4623554d8cfe165794595 1516656 debug extra hplip-dbg_3.13.3-1_amd64.deb 359e6ffc5fc32938a805dd25c8386588 429946 text optional printer-driver-hpijs_3.13.3-1_amd64.deb 58f3c364e3469554278e19173a1dc41b 386640 text optional printer-driver-hpcups_3.13.3-1_amd64.deb b518957569aa1da9ab9f2785b7fbd68f 184240 libs optional libhpmud0_3.13.3-1_amd64.deb 572e59b5fb77adedf623df49002c7a8e 78214 libdevel optional libhpmud-dev_3.13.3-1_amd64.deb ed466aacdbaf4574bbc3e73366d51e85 208146 libs optional libsane-hpaio_3.13.3-1_amd64.deb 86ce3094193692e2725cebff6061eb03 6893866 utils optional hplip-data_3.13.3-1_all.deb ec9183a0c28eafb005ae52b442bc1a68 956816 utils optional printer-driver-postscript-hp_3.13.3-1_all.deb e80506bcc4995982f96bc47ec2ae742e 89978 utils optional hplip-gui_3.13.3-1_all.deb 918a0fa22d4329afca42a26df1ba82f9 677036 doc optional hplip-doc_3.13.3-1_all.deb 3330cdd3f7935d0bcd54225d5d66d77a 698336 utils optional hpijs-ppds_3.13.3-1_all.deb b3cc43de63fce9058e87fc29f8ddb667 73656 oldlibs extra hpijs_3.13.3-1_all.deb 53754844a4d827e350af1d95e62c8dde 73668 oldlibs extra hplip-cups_3.13.3-1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlE6hKEACgkQoCzanz0IthKpIwCfX3OIjf6MWXOT8VEdDsrSI+mb xQwAn0OT9ACVn950zhJdq6BzKbndVik0 =HDDE -----END PGP SIGNATURE-----
--- End Message ---