Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 233959 (CVE-2008-2940) - net-print/hplip <2.8.5 DoS (CVE-2008-2940,CVE-2008-2941)
Summary: net-print/hplip <2.8.5 DoS (CVE-2008-2940,CVE-2008-2941)
Status: RESOLVED FIXED
Alias: CVE-2008-2940
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://rhn.redhat.com/errata/RHSA-200...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 233968
Blocks:
  Show dependency tree
 
Reported: 2008-08-05 10:50 UTC by Robert Buchholz (RETIRED)
Modified: 2008-11-30 18:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-05 10:50:40 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Marc Schoenefeld of the Red Hat Security Response Team reported the following vulnerabilities:
[CVE-2008-2940] hpssd of hplip allows unprivileged
user to trigger alert mail
[CVE-2008-2941] hplip hpssd.py Denial-Of-Service
parsing vulnerability

The code in 2.8.4 has replaced hpssd with another daemon, that does not seem to suffer from these vulnerabilities.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-05 10:52:38 UTC
Denis, are you ok with me opening a public bug for regular stabilization of =net-print/hplip-2.8.5 ? If you want to do so yourself, please mark it as a blocker of this bug.
Comment 2 Denis Dupeyron (RETIRED) gentoo-dev 2008-08-05 11:55:02 UTC
(In reply to comment #1)
> Denis, are you ok with me opening a public bug for regular stabilization of
> =net-print/hplip-2.8.5 ? If you want to do so yourself, please mark it as a
> blocker of this bug.

You can go ahead. However I would much prefer we stabilize 2.8.6b instead. It's a bit fresh but the ebuild and the package itself fix a lot of bugs and add a lot of printers. Also upstream is of above average quality. If it's OK with everybody I'm ready to pick up the pieces in case something breaks.

Denis.
Comment 3 Denis Dupeyron (RETIRED) gentoo-dev 2008-08-05 12:12:13 UTC
Hold on, I'll do it because there's an issue with a dropped keyword.

Denis.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-08-05 14:15:21 UTC
Arch Security Liaisons:
 Please make sure =net-print/hplip-2.8.6b is getting stable on your arch due
 in bug 233968.


Target keywords : "amd64 ppc ppc64 x86"

CC'ing current Liaisons:
   amd64 : keytoaster
     ppc : dertobi123
   ppc64 : corsair
     x86 : tsunam
Comment 5 Denis Dupeyron (RETIRED) gentoo-dev 2008-08-06 10:59:49 UTC
There are a few stabilizations required to fix this, and even one keywording. I have created all the necessary bugs and set them as blockers of #233968 (see dep graph).

Please security liaisons, make sure you go through all of them.

Thanks in advance,
Denis.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-08-06 13:02:51 UTC
Adding maekke for x86
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 08:59:03 UTC
Public via $URL, all stable.

CVE-2008-2940:
         The alert-mailing implementation in HP Linux Imaging and Printing
         (HPLIP) 1.6.7 allows local users to gain privileges and send e-mail
         messages from the root account via vectors related to the setalerts
         message, and lack of validation of the device URI associated with an
         event message.
CVE-2008-2941:
         The hpssd message parser in hpssd.py in HP Linux Imaging and Printing
         (HPLIP) 1.6.7 allows local users to cause a denial of service (process
         stop) via a crafted packet, as demonstrated by sending "msg=0" to TCP
         port 2207.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 09:01:22 UTC
Calchan, can you clarify: Does this daemon run on clients with HP printers attached, or is it also used on remote printing servers?
Comment 9 Denis Dupeyron (RETIRED) gentoo-dev 2008-08-15 10:25:41 UTC
(In reply to comment #8)
> Calchan, can you clarify: Does this daemon run on clients with HP printers
> attached, or is it also used on remote printing servers?

I know it's mandatory for fax and optional for other features. I'm going to investigate if it's used in all cases in our installs.

Denis.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-22 12:44:11 UTC
Calchan: Ping, any news on your investigation?
Comment 11 Denis Dupeyron (RETIRED) gentoo-dev 2008-09-22 12:57:33 UTC
(In reply to comment #10)
> Calchan: Ping, any news on your investigation?

Yes. Sorry I answered Robert in private at the time. The answer is that it can be used for both servers and clients depending on the situation.

All work was done there though, and this bug should be closed. I let the security team decide when they want to do so as they opened it and own it. Today all versions of hplip in the tree are safe regarding this bug.

Denis.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:12:25 UTC
Let's close this NOGLSA.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-30 18:25:39 UTC
Okay.