Bug 201042 - net-print/cups < 1.2.12-r4 insecure temporary file creation in pdftops (CVE-2007-6358)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on:
Reported: 2007-12-03 00:32 UTC by Elias Pipping (RETIRED)
Modified: 2007-12-18 22:29 UTC

pdftops-1.20 (pdftops-1.20,10.19 KB, text/plain)
2007-12-03 17:15 UTC, Robert Buchholz (RETIRED)
pdftops-1.10-1.20.patch (pdftops-1.10-1.20.patch,1.51 KB, patch)
2007-12-06 17:10 UTC, Robert Buchholz (RETIRED)

Description Elias Pipping (RETIRED) gentoo-dev 2007-12-03 00:32:07 UTC
files/ uses insecurely created files in /tmp, same kind of issue as bug #198231.

The offending line (90) is:

my $tmpfile = $ENV{TMPDIR} . "pdfin.$$.tmp";
Comment 1 Elias Pipping (RETIRED) gentoo-dev 2007-12-03 00:32:37 UTC
remove leftover from cloning a bug
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 00:49:04 UTC
This problem lies not within CUPS' pdftops filter, but in our alternative filter which is credited as follows. I'll try to contact the author about this.

# - wrapper script for xpdf's pdftops utility to act as a CUPS filter
# ==============================================================================
# 1.00 - 2004-10-05/Bl
#	Initial implementation
# Copyright: Helge Blischke / SRZ Berlin 2004
# This program is free software and governed by the GNU Public License Version 2.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 17:15:09 UTC
Upstream provided a new version.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 17:15:26 UTC
Created attachment 137630 [details]
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 17:25:19 UTC
The temporary file is created when reading a PDF file from stdin. Does CUPS use the filter this way, or is it handing over a local file?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 17:52:00 UTC
On my cups installation, the cupsd saves PDF files to print in /var/spool/cups/ and calls pdftops with that file as a parameter:

22844 execve("/usr/libexec/cups/filter/pdftops", ["null"..., "18"..., "rbu"..., "gentoo-bash.pdf"..., "1"..., "job-uuid=urn:uuid:d2f67463-b293-"..., "/var/spool/cups/d00018-002"...], [/* 24 vars */] <unfinished ...>

Under what circumstances would it call the filter via stdin?
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-12-06 16:22:31 UTC
More details: Filename pattern $TMPDIR/pdfin.$$.tmp
privileges: "lp" user

This vulnerability appears when more than one filter is triggered in
CUPS (i.e. you print an XML file and have an XML->PDF and PDF->PS
converter), because if you only convert PDF to PS, cups will hand over
the pdf file in "/var/spool" via filename, and pdftops will not use its
stdin code.
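
Added example, not the upstream 1.20 change attached to this bug and not code from the filter itself: one way to spool stdin to a temporary file without the predictable $TMPDIR/pdfin.$$.tmp name, using Perl's core File::Temp module. The function name spool_to_tempfile, the sandbox paths and the sample PDF bytes are assumptions constructed for the illustration.

```perl
#!/usr/bin/perl
# Added example (assumed names throughout; not the upstream fix).
# Contrast with line 90:  my $tmpfile = $ENV{TMPDIR} . "pdfin.$$.tmp";
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);

# Hardened spooling: File::Temp chooses a random name and creates the file
# with O_CREAT|O_EXCL and mode 0600, so an existing path is never reused.
sub spool_to_tempfile {
    my ($in, $dir) = @_;
    my ($fh, $path) = tempfile('pdfin.XXXXXXXX', DIR => $dir,
                               SUFFIX => '.tmp', UNLINK => 1);
    binmode $_ for $in, $fh;
    while (read($in, my $buf, 65536)) {
        print {$fh} $buf or die "write $path: $!";
    }
    close $fh or die "close $path: $!";
    return $path;
}

# Self-check inside a private sandbox directory (all paths constructed).
my $sandbox = tempdir(CLEANUP => 1);
my $guess   = "$sandbox/pdfin.$$.tmp";   # name derived only from the PID

# Simulate the predictable name already existing, created by someone else.
open my $other, '>', $guess or die "create $guess: $!";
print {$other} "not ours\n";
close $other;

# An exclusive create refuses any pre-existing path (file or symlink)
# instead of silently writing into it, which a plain open '>' would do.
my $ok = sysopen(my $excl, $guess, O_WRONLY | O_CREAT | O_EXCL, 0600);
print "exclusive create on predictable name: ",
      ($ok ? "opened" : "refused ($!)"), "\n";

# The hardened routine lands on a different, unpredictable path.
open my $pdf, '<', \"%PDF-1.4 constructed sample\n" or die "open sample: $!";
my $spooled = spool_to_tempfile($pdf, $sandbox);
printf "spooled to %s (mode %04o)\n", $spooled, (stat $spooled)[2] & 07777;

# The pre-existing file was not touched.
open $other, '<', $guess or die "reopen $guess: $!";
print "pre-existing file still reads: ", scalar <$other>;
```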
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-12-06 16:23:16 UTC
printing, please bump with the new version.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-12-06 17:10:05 UTC
Created attachment 137890 [details, diff]

patch from 1.10 to 1.20
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-12-18 21:35:33 UTC
This will be GLSA'd with bug 201570.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-12-18 22:29:31 UTC
GLSA 200712-14, thanks everyone.