Date: Sun, 23 Nov 2008 23:22:21 +0300 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: bug-followup@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org Cc: freebsd-security@freebsd.org Subject: Re: ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941 Message-ID: <6rQsez7wYkguGr%2BAMLr6LWOVTxk@iXA9ZWPrtc2I2BMzBXoToMd7YdQ> In-Reply-To: <200811231850.mANIo09F042711@freefall.freebsd.org> References: <20081123184449.6801AF181D@phoenix.codelabs.ru> <200811231850.mANIo09F042711@freefall.freebsd.org>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --]
Martin Wilke asked me if I am planning to update the port. My original
intention was to wait for a 2.8.10 (I am aware of ports/128914, but, to
my regret, it contains no patch now), but as the quick fix I had ported
RedHat's patches to the current port version.
Please note that the handling of alerts had been changed: now all alert
configuration is stored in /etc/hp/alers.conf and isn't
user-controllable anymore.
And I had to mention that whilst I had tested the port for building
and daemon for starting properly, I have no real hardware to test the
thing. So maintainer's testing is needed.
--
Eygene
_ ___ _.--. #
\`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
/ ' ` , __.--' # to read the on-line manual
)/' _/ \ `-_, / # while single-stepping the kernel.
`-'" `"\_ ,_.-;_.-\_ ', fsc/as #
_.-'_./ {_.' ; / # -- FreeBSD Developers handbook
{_.-``-' {_/ #
[-- Attachment #2 --]
From e8f2e991adcde572e1c08951c9b973ca6759455f Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sun, 23 Nov 2008 23:02:17 +0300
Subject: [PATCH] print/hplip: apply fixes for CVE-2008-2940 and CVE-2008-2941
Fix for CVE-2008-2940 was taken from [1] and was slightly modified
to match the current code.
Fix for CVE-2008-2941 was written by hand, but was based on the patch
from [2]. Note, that the mentioned patch fragility sits in the fact
that the parsed values can represent string, integer, etc and this is
user-controllable, but their values are manipulated as they are always
strings, numbers, etc. So daemon gets some exceptions that he is not
prepared to handle and dies.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=455235
[2] https://bugzilla.redhat.com/show_bug.cgi?id=457052
Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
print/hplip/Makefile | 2 +-
print/hplip/files/patch-CVE-2008-2940 | 74 ++++++++++++
print/hplip/files/patch-CVE-2008-2941 | 210 +++++++++++++++++++++++++++++++++
3 files changed, 285 insertions(+), 1 deletions(-)
create mode 100644 print/hplip/files/patch-CVE-2008-2940
create mode 100644 print/hplip/files/patch-CVE-2008-2941
diff --git a/print/hplip/Makefile b/print/hplip/Makefile
index 9845d37..683b285 100644
--- a/print/hplip/Makefile
+++ b/print/hplip/Makefile
@@ -7,7 +7,7 @@
PORTNAME= hplip
PORTVERSION= 2.8.2
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= print
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= hplip
diff --git a/print/hplip/files/patch-CVE-2008-2940 b/print/hplip/files/patch-CVE-2008-2940
new file mode 100644
index 0000000..dbe14fa
--- /dev/null
+++ b/print/hplip/files/patch-CVE-2008-2940
@@ -0,0 +1,74 @@
+Patch for CVE-2008-2940
+
+Please note that alerts are now system-wide and they live in
+/etc/hp/alerts.conf
+
+See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2940
+Obtained from: https://bugzilla.redhat.com/attachment.cgi?id=312878
+Obtained from: https://bugzilla.redhat.com/attachment.cgi?id=312880
+
+diff -up hplip-1.6.7/hpssd.py.validate-uri hplip-1.6.7/hpssd.py
+--- hpssd.py.validate-uri 2008-07-29 12:48:28.000000000 +0100
++++ hpssd.py 2008-07-29 13:41:29.000000000 +0100
+@@ -1021,6 +1021,9 @@ class hpssd_handler(dispatcher):
+ event_type = self.fields.get('event-type', 'event')
+ event_code = self.fields.get('event-code', 0)
+ device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:')
++ result_code = self.__checkdevice(device_uri)
++ if result_code != ERROR_SUCCESS:
++ return
+ log.debug("Device URI: %s" % device_uri)
+
+ try:
+diff -up hplip-1.6.7/base/g.py.static-alerts-table hplip-1.6.7/base/g.py
+--- base/g.py.orig 2008-01-18 02:10:29.000000000 +0300
++++ base/g.py 2008-11-23 22:39:11.000000000 +0300
+@@ -134,6 +134,7 @@
+ # Config file: directories and ports
+ prop.sys_config_file = '/etc/hp/hplip.conf'
+ prop.user_dir = os.path.expanduser('~/.hplip')
++prop.alerts_config_file = '/etc/hp/alerts.conf'
+
+ os.umask(0037)
+ try:
+@@ -154,6 +155,7 @@
+
+ sys_cfg = Config(prop.sys_config_file, True)
+ user_cfg = Config(prop.user_config_file)
++alerts_cfg = Config(prop.alerts_config_file)
+
+
+ # Language settings
+diff -up hplip-1.6.7/hpssd.py.static-alerts-table hplip-1.6.7/hpssd.py
+--- hpssd.py.static-alerts-table 2008-07-29 14:57:04.000000000 +0100
++++ hpssd.py 2008-07-29 15:22:15.000000000 +0100
+@@ -71,6 +71,12 @@ from prnt import cups
+
+ # Per user alert settings
+ alerts = {}
++for user, cfg in alerts_cfg.iteritems ():
++ entry = {}
++ entry['email-alerts'] = utils.to_bool (cfg.get('email-alerts', 0))
++ entry['email-from-address'] = cfg.get('email-from-address', '')
++ entry['email-to-addresses'] = cfg.get('email-to-addresses', '')
++ alerts[user] = entry
+
+ # Fax temp files
+ fax_file = {}
+@@ -803,15 +809,10 @@ class hpssd_handler(dispatcher):
+ self.out_buffer = buildResultMessage('InjectValueResult', None, result_code)
+
+
+- # TODO: Need to load alerts at start-up
+ def handle_setalerts(self):
+ result_code = ERROR_SUCCESS
+- username = self.fields.get('username', '')
+
+- alerts[username] = {'email-alerts' : utils.to_bool(self.fields.get('email-alerts', '0')),
+- 'email-from-address' : self.fields.get('email-from-address', ''),
+- 'email-to-addresses' : self.fields.get('email-to-addresses', ''),
+- }
++ # Do nothing. We use the alerts table in /etc/hp/alerts.conf.
+
+ self.out_buffer = buildResultMessage('SetAlertsResult', None, result_code)
+
diff --git a/print/hplip/files/patch-CVE-2008-2941 b/print/hplip/files/patch-CVE-2008-2941
new file mode 100644
index 0000000..f4bb8ee
--- /dev/null
+++ b/print/hplip/files/patch-CVE-2008-2941
@@ -0,0 +1,210 @@
+Patch for CVE-2008-2941
+
+Fixes parser fragility: original code expects only strings or numbers as
+the input values, but not both. And hpssd client has the full control
+on the input data, so when number is tried to be transformed as string
+(by calling lower() method, for example) the unhandled exception
+terminates the daemon.
+
+Based on: https://bugzilla.redhat.com/attachment.cgi?id=312881
+
+--- hpssd.py.orig 2008-11-23 22:41:08.000000000 +0300
++++ hpssd.py 2008-11-23 22:57:51.000000000 +0300
+@@ -203,7 +203,7 @@
+ log.debug(self.out_buffer)
+ return True
+
+- msg_type = self.fields.get('msg', 'unknown').lower()
++ msg_type = str(self.fields.get('msg', 'unknown')).lower()
+ log.debug("Handling: %s %s %s" % ("*"*20, msg_type, "*"*20))
+ log.debug(repr(self.in_buffer))
+
+@@ -260,9 +260,9 @@
+
+
+ def handle_getvalue(self):
+- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:')
++ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:')
+ value = ''
+- key = self.fields.get('key', '')
++ key = str(self.fields.get('key', ''))
+ result_code = self.__checkdevice(device_uri)
+
+ if result_code == ERROR_SUCCESS:
+@@ -274,9 +274,9 @@
+ self.out_buffer = buildResultMessage('GetValueResult', value, result_code)
+
+ def handle_setvalue(self):
+- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:')
+- key = self.fields.get('key', '')
+- value = self.fields.get('value', '')
++ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:')
++ key = str(self.fields.get('key', ''))
++ value = str(self.fields.get('value', ''))
+ result_code = self.__checkdevice(device_uri)
+
+ if result_code == ERROR_SUCCESS:
+@@ -285,7 +285,7 @@
+ self.out_buffer = buildResultMessage('SetValueResult', None, ERROR_SUCCESS)
+
+ def handle_queryhistory(self):
+- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:')
++ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:')
+ payload = ''
+ result_code = self.__checkdevice(device_uri)
+
+@@ -305,8 +305,8 @@
+
+ # EVENT
+ def handle_registerguievent(self):
+- username = self.fields.get('username', '')
+- typ = self.fields.get('type', 'unknown')
++ username = str(self.fields.get('username', ''))
++ typ = str(self.fields.get('type', 'unknown'))
+ self.typ = typ
+ self.username = username
+ self.send_events = True
+@@ -314,13 +314,13 @@
+
+ # EVENT
+ def handle_unregisterguievent(self):
+- username = self.fields.get('username', '')
++ username = str(self.fields.get('username', ''))
+ self.send_events = False
+
+
+ def handle_test_email(self):
+ result_code = ERROR_SUCCESS
+- username = self.fields.get('username', prop.username)
++ username = str(self.fields.get('username', prop.username))
+ message = device.queryString('email_test_message')
+ subject = device.queryString('email_test_subject')
+ result_code = self.sendEmail(username, subject, message, True)
+@@ -343,11 +343,14 @@
+
+ # sent by hpfax: to indicate the start of a complete fax rendering job
+ def handle_hpfaxbegin(self):
+- username = self.fields.get('username', prop.username)
+- job_id = self.fields.get('job-id', 0)
+- printer_name = self.fields.get('printer', '')
+- device_uri = self.fields.get('device-uri', '').replace('hp:', 'hpfax:')
+- title = self.fields.get('title', '')
++ username = str(self.fields.get('username', prop.username))
++ try:
++ job_id = int(self.fields.get('job-id', 0))
++ except ValueError:
++ job_id = 0
++ printer_name = str(self.fields.get('printer', ''))
++ device_uri = str(self.fields.get('device-uri', '')).replace('hp:', 'hpfax:')
++ title = str(self.fields.get('title', ''))
+
+ log.debug("Creating data store for %s:%d" % (username, job_id))
+ fax_file[(username, job_id)] = tempfile.NamedTemporaryFile(prefix="hpfax")
+@@ -360,8 +363,11 @@
+
+ # sent by hpfax: to transfer completed fax rendering data
+ def handle_hpfaxdata(self):
+- username = self.fields.get('username', prop.username)
+- job_id = self.fields.get('job-id', 0)
++ username = str(self.fields.get('username', prop.username))
++ try:
++ job_id = int(self.fields.get('job-id', 0))
++ except ValueError:
++ job_id = 0
+
+ if self.payload and (username, job_id) in fax_file and \
+ not fax_file_ready[(username, job_id)]:
+@@ -373,12 +379,18 @@
+
+ # sent by hpfax: to indicate the end of a complete fax rendering job
+ def handle_hpfaxend(self):
+- username = self.fields.get('username', '')
+- job_id = self.fields.get('job-id', 0)
+- printer_name = self.fields.get('printer', '')
+- device_uri = self.fields.get('device-uri', '').replace('hp:', 'hpfax:')
+- title = self.fields.get('title', '')
+- job_size = self.fields.get('job-size', 0)
++ username = str(self.fields.get('username', ''))
++ try:
++ job_id = int(self.fields.get('job-id', 0))
++ except ValueError:
++ job_id = 0
++ printer_name = str(self.fields.get('printer', ''))
++ device_uri = str(self.fields.get('device-uri', '')).replace('hp:', 'hpfax:')
++ title = str(self.fields.get('title', ''))
++ try:
++ job_size = int(self.fields.get('job-size', 0))
++ except ValueError:
++ job_size = 0
+
+ fax_file[(username, job_id)].seek(0)
+ fax_file_ready[(username, job_id)] = True
+@@ -389,7 +401,7 @@
+
+ # sent by hp-sendfax to see if any faxes have been printed and need to be picked up
+ def handle_faxcheck(self):
+- username = self.fields.get('username', '')
++ username = str(self.fields.get('username', ''))
+ result_code = ERROR_NO_DATA_AVAILABLE
+ other_fields = {}
+
+@@ -413,8 +425,11 @@
+ # after being run with --job param, both after a hpfaxend message
+ def handle_faxgetdata(self):
+ result_code = ERROR_SUCCESS
+- username = self.fields.get('username', '')
+- job_id = self.fields.get('job-id', 0)
++ username = str(self.fields.get('username', ''))
++ try:
++ job_id = int(self.fields.get('job-id', 0))
++ except ValueError:
++ job_id = 0
+
+ try:
+ fax_file[(username, job_id)]
+@@ -442,15 +457,18 @@
+ # EVENT
+ def handle_event(self):
+ gui_port, gui_host = None, None
+- event_type = self.fields.get('event-type', 'event')
++ event_type = str(self.fields.get('event-type', 'event'))
+
+- event_code = self.fields.get('event-code', STATUS_PRINTER_IDLE)
++ try:
++ event_code = int(self.fields.get('event-code', STATUS_PRINTER_IDLE))
++ except ValueError:
++ event_code = STATUS_PRINTER_IDLE
+
+ # If event-code > 10001, its a PJL error code, so convert it
+ if event_code > EVENT_MAX_EVENT:
+ event_code = status.MapPJLErrorCode(event_code)
+
+- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:')
++ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:')
+ result_code = self.__checkdevice(device_uri)
+ if result_code != ERROR_SUCCESS:
+ return
+@@ -461,7 +479,10 @@
+
+ log.debug("Short/Long: %s/%s" % (error_string_short, error_string_long))
+
+- job_id = self.fields.get('job-id', 0)
++ try:
++ job_id = int(self.fields.get('job-id', 0))
++ except ValueError:
++ job_id = 0
+
+ try:
+ username = self.fields['username']
+@@ -480,7 +501,10 @@
+
+ no_fwd = utils.to_bool(self.fields.get('no-fwd', '0'))
+ log.debug("Username (jobid): %s (%d)" % (username, job_id))
+- retry_timeout = self.fields.get('retry-timeout', 0)
++ try:
++ retry_timeout = int(self.fields.get('retry-timeout', 0))
++ except ValueError:
++ retry_timeout = 0
+ user_alerts = alerts.get(username, {})
+
+ dup_event = False
--
1.6.0.4
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6rQsez7wYkguGr%2BAMLr6LWOVTxk>