Date: Wed, 04 Dec 2013 21:49:16 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: mmcallis@...hat.com, oss-security@...ts.openwall.com
CC: meissner@...e.de, Kurt Seifried <kseifrie@...hat.com>
Subject: Re: CVE needed for hplip insecure auto update feature?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/04/2013 09:02 PM, Murray McAllister wrote:
> Hello,
> 
> https://bugzilla.novell.com/show_bug.cgi?id=853405 talks about an 
> upgrade feature in hplip downloading (via HTTP) a binary and
> executing it. Is a CVE needed for that?
> 
> Along with the versions in 
> <https://bugzilla.novell.com/show_bug.cgi?id=853405#c6>, the hplip
> 1.6.7 and hplip3 3.9.8 versions I looked at did not have the
> upgrade.py file in the source (newer version like 3.13.11 had it in
> the source but the RPM spec file looks to remove it at build time,
> so it is not provided in the binary RPMs).
> 
> Thanks,
> 
> -- Murray McAllister / Red Hat Security Response Team
> 

I'm going to say this deserves a CVE due to the following factors:

1) the default is insane:
if HPLIP_PATH is None:
url="http://sourceforge.net/projects/hplip/files/hplip/%s/hplip-%s.run/download"

2) A Google search for "HPLIP_PATH" yields 6 results. _6_. This is not
documented anywhere I can find.

3) I checked the source code:

[kseifrie@...alhost hplip-3.13.9]$ find ./ -type f | xargs grep HPLIP_PATH
./upgrade.py:HPLIP_PATH=None
./upgrade.py:        HPLIP_PATH=a
./upgrade.py:        if HPLIP_PATH is not None:
./upgrade.py:            if os.path.exists(HPLIP_PATH):
./upgrade.py:                download_file = HPLIP_PATH
./upgrade.py:                log.error("%s file is not present. Downloading from Net..." %HPLIP_PATH)
./upgrade.py:                HPLIP_PATH = None
./upgrade.py:        if HPLIP_PATH is None:

Again, no documentation. Not even a hint (e.g. --help listing command-line
options).


Definitely CVE worthy. Please use CVE-2013-6427 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
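The message above quotes two weaknesses in hplip's upgrade.py: the fallback download URL uses plaintext HTTP, and when HPLIP_PATH names a file that is not present the script logs an error and downloads from the network anyway, then executes what it fetched. The following is an added example, not hplip code and not part of the thread, showing the checks a safer updater would apply: refuse non-HTTPS sources, fail closed on a missing local installer instead of falling back to the network, and verify the payload against a pinned SHA-256 before anything is written to disk. The function names, the digest-pinning scheme, the `example.invalid` host and the injected `fetch` callable (used so the code runs offline) are assumptions for illustration.

```python
import hashlib
import hmac
import os
import stat
import tempfile
from urllib.parse import urlparse

# Constructed: the URL form quoted in the message, with its plaintext http:// scheme.
INSECURE_DEFAULT_URL = "http://sourceforge.net/projects/hplip/files/hplip/%s/hplip-%s.run/download"


def sha256_hex(data):
    """Hex SHA-256 of a byte string; used both to pin and to check installer digests."""
    return hashlib.sha256(data).hexdigest()


def check_download_url(url):
    """Accept only https:// URLs that name a host; return the parsed URL.

    The plaintext default quoted in the message is rejected here, which is the
    first thing that stops an on-path attacker from substituting the .run file."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("refusing to fetch an installer over %r; https required" % parsed.scheme)
    if not parsed.netloc:
        raise ValueError("download URL has no host: %r" % url)
    return parsed


def verify_digest(data, expected_sha256):
    """Compare the payload digest with the pinned value in constant time."""
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError("installer digest mismatch (expected %s, got %s)" % (expected_sha256, actual))
    return actual


def select_local_installer(hplip_path):
    """Fail closed: a configured local path that does not exist is an error,
    not (as in the quoted upgrade.py) a reason to silently download instead."""
    if hplip_path is None:
        return None
    if not os.path.isfile(hplip_path):
        raise FileNotFoundError("configured installer %r is not present" % hplip_path)
    return hplip_path


def fetch_verified_installer(url, expected_sha256, fetch, dest_dir=None):
    """Download via the injected fetch(url) -> bytes callable (assumption, so the
    example runs offline), verify the digest, and only then write the file with
    owner-only permissions. Nothing touches disk if any check fails."""
    check_download_url(url)
    data = fetch(url)
    verify_digest(data, expected_sha256)
    fd, path = tempfile.mkstemp(prefix="hplip-", suffix=".run", dir=dest_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, stat.S_IRWXU)  # rwx for the owner only, no group/world access
    return path


if __name__ == "__main__":
    payload = b"#!/bin/sh\necho constructed installer\n"  # constructed stand-in payload
    pinned = sha256_hex(payload)
    try:
        check_download_url(INSECURE_DEFAULT_URL % ("3.13.9", "3.13.9"))
    except ValueError as err:
        print("rejected default:", err)
    path = fetch_verified_installer("https://downloads.example.invalid/hplip-3.13.9.run",
                                    pinned, lambda u: payload)
    print("verified installer written to", path)
    os.remove(path)
```

The pinned digest would in practice come from somewhere the attacker cannot also rewrite (shipped with the package or signed by the vendor); pinning it next to the download URL over the same channel adds nothing, which is why the example takes it as a separate parameter.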
