Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 201042

Summary: net-print/cups < 1.2.12-r4 insecure temporary file creation in pdftops (CVE-2007-6358)
Product: Gentoo Security Reporter: Elias Pipping (RETIRED) <pipping>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: printing
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.cups.org/articles.php?L515
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
pdftops-1.20
none
pdftops-1.10-1.20.patch none

Description Elias Pipping (RETIRED) gentoo-dev 2007-12-03 00:32:07 UTC 
files/pdftops.pl uses insecurely created files in /tmp, same kind of issue than bug #198231.

the offending line (90) is:

my $tmpfile = $ENV{TMPDIR} . "pdfin.$$.tmp";
Comment 1 Elias Pipping (RETIRED) gentoo-dev 2007-12-03 00:32:37 UTC 
remove leftover from cloning a bug
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 00:49:04 UTC 
This problem lies not within CUPS' pdftops filter, but in our alternative filter which is credited as follows. I'll try to contact the author about this.


# pdftops.pl - wrapper script for xpdf's pdftops utility to act as a CUPS filter
# ==============================================================================
# 1.00 - 2004-10-05/Bl
#	Initial implementation
#
# Copyright: Helge Blischke / SRZ Berlin 2004
# This program is free seoftware and governed by the GNU Public License Version 2.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 17:15:09 UTC 
Upstream provided a new version.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 17:15:26 UTC 
Created attachment 137630 [details]
pdftops-1.20
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 17:25:19 UTC 
The temporary file is created when reading a PDF file from stdin. Does CUPS use the filter this way, or is it handing over a local file?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 17:52:00 UTC 
On my cups installation, the cupsd saves PDF files to print in /var/spool/cups/ and calls pdftops with that file as a paramater:

22844 execve("/usr/libexec/cups/filter/pdftops", ["null"..., "18"..., "rbu"..., "gentoo-bash.pdf"..., "1"..., "job-uuid=urn:uuid:d2f67463-b293-"..., "/var/spool/cups/d00018-002"...], [/* 24 vars */] <unfinished ...>

Under what circumstances would it call the filter via stdin?
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-12-06 16:22:31 UTC 
More details: Filename pattern $TMPDIR/pdfin.$$.tmp
privileges: "lp" user

This vulnerability appears when more than one filter is triggered in 
CUPS (i.e. you print an XML file and have an XML->PDF and PDF-PS 
converter), because if you only convert PDF to PS, cups will hand over 
the pdf file in "/var/spool" via filename, pdftops will not use its 
stdin code.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-12-06 16:23:16 UTC 
printing, please bump with the new version.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-12-06 17:10:05 UTC 
Created attachment 137890 [details, diff]
pdftops-1.10-1.20.patch

patch from 1.10 to 1.20
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-12-18 21:35:33 UTC 
This will be GLSA'd with bug 201570.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-12-18 22:29:31 UTC 
GLSA 200712-14, thanks everyone.