To: FreeBSD-gnats-submit@freebsd.org
From: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org
X-GNATS-Notify: amistry@am-productions.biz, tabthorpe@freebsd.org
Message-Id: <20081123184449.6801AF181D@phoenix.codelabs.ru>
Date: Sun, 23 Nov 2008 21:44:49 +0300 (MSK)
Subject: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941

>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
>Severity: serious
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:

System: FreeBSD 7.1-PRERELEASE i386

>Description:

Multiple vulnerabilities were discovered in hplip 1.6.7 [1]. I had analyzed RedHat patches [2] and [3]: the first two (CVE-2008-2940) apply "as-is" to FreeBSD's port (2.8.2_2) and the second one (CVE-2008-2941) contains many fixes to the code that exists in 2.8.2_2 too. So, I am counting the current FreeBSD port as vulnerable to both attacks.

Moreover, I had traced the vulnerabilities through the release sources: proper device_uri handling was introduced in 2.8.4 and parser fragility in hpssd.py was eliminated in the same version, because hpssd was converted to a systray application. So, 2.8.4 and higher should not be vulnerable to the described attacks.

[1] http://www.securityfocus.com/bid/30683
[2] https://bugzilla.redhat.com/show_bug.cgi?id=455235
[3] https://bugzilla.redhat.com/show_bug.cgi?id=457052

>How-To-Repeat:

Look at the above references.

>Fix:

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
hplip -- multiple vulnerabilities in hpssd component
hplip 2.8.4

SecurityFocus database says:

HP Linux Imaging and Printing System (HPLIP) is prone to multiple vulnerabilities, including privilege-escalation and denial-of-service issues.

Exploiting the privilege-escalation vulnerability may allow attackers to perform certain actions with elevated privileges. Successful exploits of the denial-of-service issue will cause the 'hpssd' process to crash, denying service to legitimate users.

These issues affect HPLIP 1.6.7; other versions may also be affected.

CVE-2008-2940
CVE-2008-2941
30683
https://bugzilla.redhat.com/show_bug.cgi?id=457052
https://bugzilla.redhat.com/show_bug.cgi?id=455235
2008-08-12
--- vuln.xml ends here ---