CVE-2008-2940 hpssd of hplip allows unprivileged user to trigger alert mail

Bug #273370 reported by Mark Purcell
Affects | Status | Importance | Assigned to | Milestone
HPLIP | Fix Released | Medium | dwelch91 |
hplip (Debian) | Fix Released | Unknown | |
hplip (Fedora) | Fix Released | Medium | |

Bug Description

Request confirmation that these two CVEs (hplip 1.6.7) are fixed in the current hplip and, if so, in which version of hplip they were fixed.

hpssd was replaced by hp-systray in 2.8.4, but was the code fixed?

CVE-2008-2940
The alert-mailing implementation in HP Linux Imaging and Printing (HPLIP) 1.6.7 allows local users to gain privileges and send e-mail messages from the root account via vectors related to the setalerts message, and lack of validation of the device URI associated with an event message.

CVE-2008-2941
The hpssd message parser in hpssd.py in HP Linux Imaging and Printing (HPLIP) 1.6.7 allows local users to cause a denial of service (process stop) via a crafted packet, as demonstrated by sending "msg=0" to TCP port 2207.

In , Marc (marc-redhat-bugs-1) wrote :

==Description==

hpssd allows unprivileged local users to trigger alert mails
by sending specially crafted packets

In , Tim (tim-redhat-bugs) wrote :

Created attachment 312878
hplip-validate-uri.patch

This is the first of two patches to address this problem. This patch performs
validation on the device URI when handling an 'event' message, and improves the
validation code.

In , Tim (tim-redhat-bugs) wrote :

Created attachment 312880
hplip-static-alerts-table.patch

This is the second patch, which implements a static alerts table, stored in
/etc/hp/alerts.conf. The 'setalerts' message now has no effect.
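
The design the two patches above describe (validate the device URI on 'event', load alerts from a static table, make 'setalerts' a no-op), sketched as an added example; this is not the code from the attached patches. The key=value wire format, the INI layout of the alerts table, the URI pattern and all names and sample values are assumptions constructed for illustration.

```python
import configparser
import re

# Constructed stand-in for a root-owned static alerts table (file format assumed).
ALERTS_CONF = """
[alice]
email-alerts = true
email-to-addresses = alice@example.org
"""

# Constructed list of configured devices; the URI shape is an assumption.
KNOWN_DEVICES = {"hp:/usb/Example_Printer?serial=CONSTRUCTED01"}
URI_RE = re.compile(r"hp:/(usb|par|net)/[A-Za-z0-9_.-]+\?[a-z]+=[A-Za-z0-9_.-]+")

def load_alerts(text):
    """Parse the static table once; no socket message can change the result."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {user: cp[user].get("email-to-addresses", "")
            for user in cp.sections()
            if cp[user].getboolean("email-alerts", fallback=False)}

def parse(raw):
    """Hypothetical key=value lines; malformed input yields {} instead of raising."""
    fields = {}
    try:
        for line in raw.decode("ascii").splitlines():
            key, sep, value = line.partition("=")
            if not sep or not key:
                return {}
            fields[key.strip()] = value.strip()
    except UnicodeDecodeError:
        return {}
    return fields

def handle(raw, alerts, known=KNOWN_DEVICES):
    """Return (action, detail); never raises on client-controlled bytes."""
    msg = parse(raw)
    kind = msg.get("msg", "").lower()
    if kind == "setalerts":
        return ("ignored", "alerts table is static")
    if kind != "event":
        return ("rejected", "unknown message")
    uri = msg.get("device-uri", "")
    # Shape check first, then allowlist: only configured devices may raise alerts.
    if not URI_RE.fullmatch(uri) or uri not in known:
        return ("rejected", "invalid device URI")
    recipient = alerts.get(msg.get("username", ""))
    return ("mail", recipient) if recipient else ("dropped", "no alert configured")
```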

In , Josh (josh-redhat-bugs) wrote :

Lifting embargo

In , Red (red-redhat-bugs) wrote :

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0818.html

Changed in hplip:
status: Unknown → Fix Released
Changed in hplip:
status: Unknown → New
Changed in hplip:
status: New → Confirmed
dwelch91 (dwelch91) wrote :

CVE-2008-2940 (email alerts) - this feature was removed from HPLIP in a previous release. I will have to research the exact version.

CVE-2008-2941 (DOS) - the message passing system over sockets was replaced with DBus in a previous release. I will have to research the exact version.

Changed in hplip:
assignee: nobody → dwelch91
status: New → Triaged
importance: Undecided → Medium
Changed in hplip:
status: Triaged → Fix Released
Changed in hplip (Debian):
status: Confirmed → Fix Released
Changed in hplip (Fedora):
importance: Unknown → Medium
This report contains Public Security information  
Everyone can see this security related information.