Bug 452586 (CVE-2012-6108) - <net-print/hplip-3.13.2-r1: /var/log/hp/ contains world writable directory (CVE-2012-6108)
Status: RESOLVED FIXED
Alias: CVE-2012-6108
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~4 [noglsa]
Reported: 2013-01-16 17:50 UTC by Agostino Sarubbo
Modified: 2014-04-28 19:49 UTC
Description Agostino Sarubbo gentoo-dev 2013-01-16 17:50:28 UTC
From $URL :

It was found that /var/log/hp and /var/log/hp/tmp are both world-writeable in hplip 3.12.x. This 
flaw could be used to delete log files from the /var/log/hp directory. 

Because of these open permissions, an attacker could also conduct a symlink attack on 
/var/log/hp/tmp/hpijs_*.out to overwrite an arbitrary file with the privileges of the process 
running the HP CUPS fax filter.

This flaw has been assigned CVE-2012-6108.
Comment 1 Daniel Pielmeier gentoo-dev 2013-02-21 19:11:40 UTC
It seems that this only affects hplip-3.12.11. For hplip-3.12.10a and hplip-3.13.2 the mentioned directories are not world-writable.

hplip-3.12.10a
drwxrwxr-x  3 root lp   4096 21. Feb 19:10 .
drwxr-xr-x 13 root root 4096 21. Feb 19:10 ..
drwxrwxr-t  2 root lp   4096 21. Feb 19:10 tmp

hplip-3.12.11
drwxrwxrwx  3 root lp   4096 21. Feb 19:17 .
drwxr-xr-x 13 root root 4096 21. Feb 19:17 ..
drwxrwxrwt  2 root lp   4096 21. Feb 19:17 tmp

hplip-3.13.2
drwxrwxr--  3 root lp   4096 21. Feb 19:24 .
drwxr-xr-x 13 root root 4096 21. Feb 19:24 ..
drwxrwxr-T  2 root lp   4096 21. Feb 19:24 tmp

I have removed the vulnerable version; however, updating from hplip-3.12.11 to hplip-3.13.2 does not change the permissions, as they are only correct for a new install without /var/log/hp being present. To ensure correct permissions when upgrading, I have added hplip-3.13.2-r1, which removes /var/tmp/hp in pkg_preinst.
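
An added example (not part of the bug report or of the hplip ebuild): a Python check that decodes the `ls -l` mode strings from the listings in comment 1, including the `t`/`T` sticky-bit variants, and reports which directories grant write access to others. `audit()` applies the same check to a live path, which is the case that matters after an upgrade that leaves old permissions in place. The function names and result labels are assumptions of this example.

```python
import os
import stat

# Mode strings copied from the listings in comment 1 ("." is /var/log/hp).
LISTINGS = {
    "hplip-3.12.10a": {".": "drwxrwxr-x", "tmp": "drwxrwxr-t"},
    "hplip-3.12.11": {".": "drwxrwxrwx", "tmp": "drwxrwxrwt"},
    "hplip-3.13.2": {".": "drwxrwxr--", "tmp": "drwxrwxr-T"},
}

def parse_ls_mode(text):
    """Convert an ls -l mode string such as 'drwxrwxr-T' to permission bits."""
    bits = 0
    for i, ch in enumerate(text[1:10]):
        if i % 3 == 2:
            # The execute slot also encodes setuid/setgid/sticky:
            # lowercase s/t = special bit plus execute, uppercase S/T = special bit only.
            if ch in "sStT":
                bits |= (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)[i // 3]
            if ch in "xst":
                bits |= 1 << (8 - i)
        elif ch != "-":
            bits |= 1 << (8 - i)
    return bits

def classify(bits):
    """Label a directory mode by the write access it grants to 'other' users."""
    if not bits & stat.S_IWOTH:
        return "ok"
    if bits & stat.S_ISVTX:
        # Others can create entries but cannot remove entries they do not own.
        return "world-writable+sticky"
    # Others can create, rename and delete any entry in the directory.
    return "world-writable"

def report():
    """Classify every directory in the listings from comment 1."""
    return {ver: {name: classify(parse_ls_mode(mode)) for name, mode in dirs.items()}
            for ver, dirs in LISTINGS.items()}

def audit(path):
    """Classify a directory on the live system without following symlinks."""
    return classify(stat.S_IMODE(os.lstat(path).st_mode))

if __name__ == "__main__":
    for version, dirs in report().items():
        print(version, dirs)
    for path in ("/var/log/hp", "/var/log/hp/tmp"):
        if os.path.lexists(path):
            print(path, audit(path))
```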
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-23 19:08:07 UTC
(In reply to comment #1)

Thanks, Daniel! Is hplip-3.13.2-r1 ready for stabilization?
Comment 3 Daniel Pielmeier gentoo-dev 2013-02-24 11:20:07 UTC
(In reply to comment #2)
> (In reply to comment #1)
> 
> Thanks, Daniel! Is hplip-3.13.2-r1 ready for stabilization?

We can stabilize hplip-3.13.2-r1, but do we have to? Current stable is hplip-3.12.10a which is fine and the only vulnerable version in tree is gone. Am I missing something?
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-24 12:39:29 UTC
(In reply to comment #1)
> For hplip-3.12.10a and
> hplip-3.13.2 the mentioned directories are not world-writable.

Ah, I went over that part too quickly. 

Closing noglsa for ~arch only issue.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:49:00 UTC
CVE-2012-6108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6108):
  HP Linux Imaging and Printing (HPLIP) before 3.13.2 uses world-writable
  permissions for /var/log/hp and /var/log/hp/tmp, which allows local users to
  delete log files via standard filesystem operations.