Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 379559 (CVE-2011-2697) - <net-print/foomatic-filters-4.0.9: Command Injection Vulnerability (CVE-2011-{2697,2964})
Summary: <net-print/foomatic-filters-4.0.9: Command Injection Vulnerability (CVE-2011-...
Status: RESOLVED FIXED
Alias: CVE-2011-2697
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/45196/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks: 325523
  Show dependency tree
 
Reported: 2011-08-17 11:05 UTC by Agostino Sarubbo
Modified: 2012-03-06 02:06 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-08-17 11:05:39 UTC
he vulnerability is caused due to the foomatic-rip utility allowing users to specify a malicious PPD file, which can be exploited to inject and execute arbitrary commands.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-08-20 02:52:50 UTC
Looks like upstream bug is at: https://bugzilla.novell.com/show_bug.cgi?id=698451
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 12:56:08 UTC
CVE-2011-2964 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2964):
  foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6 allows
  remote attackers to execute arbitrary code via a crafted
  *FoomaticRIPCommandLine field in a .ppd file, a different vulnerability than
  CVE-2011-2697.

CVE-2011-2697 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2697):
  foomatic-rip-hplip in HP Linux Imaging and Printing (HPLIP) 3.11.5 allows
  remote attackers to execute arbitrary code via a crafted
  *FoomaticRIPCommandLine field in a .ppd file.
Comment 3 Justin Lecher gentoo-dev 2012-01-17 13:57:02 UTC
I just added version 4.0.9 which should contain the fix according to the novell bug.
Comment 4 Justin Lecher gentoo-dev 2012-01-17 13:58:06 UTC
From the ChangeLog

	* foomaticrip.c: SECURITY FIX: It was possible to make CUPS executing
	  arbitrary commands as the system user "lp" when foomatic-rip was
	  used as CUPS filter. Fixed by not parsing named options (like
	  "--ppd lj.ppd") when foomatic-rip is running as CUPS filter, as
	  CUPS does not supply named options to their filters.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-01-18 07:36:15 UTC
Thanks, Justin. This looks to be a big jump (based on nothing other than version numbers). Are we ok to stabilize 4.0.9?
Comment 6 Justin Lecher gentoo-dev 2012-01-18 07:39:03 UTC
I cannot really judge this. I added the package yesterday. Other distros e.g. suse use this version in their stable releases. So probably yes.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-01-18 07:41:22 UTC
(In reply to comment #6)
> I cannot really judge this. I added the package yesterday. Other distros e.g.
> suse use this version in their stable releases. So probably yes.

Ok, let's go for it.

Arches, please test and mark stable:
=net-print/foomatic-filters-4.0.9
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 8 Andreas K. Hüttel gentoo-dev 2012-01-18 09:55:30 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > I cannot really judge this. I added the package yesterday. Other distros e.g.
> > suse use this version in their stable releases. So probably yes.
> 
> Ok, let's go for it.
> 
> Arches, please test and mark stable:
> =net-print/foomatic-filters-4.0.9
> Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

I can't really judge this either, but since it's kinda urgent, I suggest you proceed. So, ack from printing.
Comment 9 Agostino Sarubbo gentoo-dev 2012-01-18 11:42:38 UTC
amd64 stable
Comment 10 Tobias Klausmann gentoo-dev 2012-01-18 12:13:07 UTC
Stable on alpha.
Comment 11 Jeroen Roovers gentoo-dev 2012-01-18 20:00:31 UTC
Stable for HPPA.
Comment 12 Thomas Kahle (RETIRED) gentoo-dev 2012-01-20 10:52:29 UTC
x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2012-01-22 15:00:53 UTC
ia64/m68k/s390/sh/sparc stable
Comment 14 Brent Baude (RETIRED) gentoo-dev 2012-02-01 17:02:35 UTC
ppc done
Comment 15 Brent Baude (RETIRED) gentoo-dev 2012-03-02 21:28:52 UTC
ppc64 done
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2012-03-02 22:30:17 UTC
Thanks, folks. Already part of draft GLSA.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 02:06:03 UTC
This issue was resolved and addressed in
 GLSA 201203-07 at http://security.gentoo.org/glsa/glsa-201203-07.xml
by GLSA coordinator Sean Amoss (ackle).