Message-ID: <52A005CC.8040702@redhat.com>
Date: Wed, 04 Dec 2013 21:49:16 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: mmcallis@...hat.com, oss-security@...ts.openwall.com
CC: meissner@...e.de, Kurt Seifried <kseifrie@...hat.com>
Subject: Re: CVE needed for hplip insecure auto update feature?

On 12/04/2013 09:02 PM, Murray McAllister wrote:
> Hello,
> 
> https://bugzilla.novell.com/show_bug.cgi?id=853405 talks about an 
> upgrade feature in hplip downloading (via HTTP) a binary and
> executing it. Is a CVE needed for that?
> 
> Along with the versions in 
> <https://bugzilla.novell.com/show_bug.cgi?id=853405#c6>, the hplip
> 1.6.7 and hplip3 3.9.8 versions I looked at did not have the
> upgrade.py file in the source (newer versions like 3.13.11 have it in
> the source, but the RPM spec file looks to remove it at build time,
> so it is not provided in the binary RPMs).
> 
> Thanks,
> 
> -- Murray McAllister / Red Hat Security Response Team
> 

I'm going to say this deserves a CVE due to the following factors:

1) the default is insane:
if HPLIP_PATH is None:
url="http://sourceforge.net/projects/hplip/files/hplip/%s/hplip-%s.run/download"

2) A Google search for "HPLIP_PATH" yields 6 results. _6_. This is not
documented anywhere I can find.

3) I checked the source code:

[kseifrie@...alhost hplip-3.13.9]$ find ./ -type f | xargs grep HPLIP_PATH
./upgrade.py:HPLIP_PATH=None
./upgrade.py:        HPLIP_PATH=a
./upgrade.py:        if HPLIP_PATH is not None:
./upgrade.py:            if os.path.exists(HPLIP_PATH):
./upgrade.py:                download_file = HPLIP_PATH
./upgrade.py:                log.error("%s file is not present. Downloading from Net..." %HPLIP_PATH)
./upgrade.py:                HPLIP_PATH = None
./upgrade.py:        if HPLIP_PATH is None:

Again, no documentation. Not even a hint (e.g. --help listing command-line
options).

Definitely CVE-worthy. Please use CVE-2013-6427 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

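The pattern the thread objects to, shown beside a hardened variant, as an added example: this is not code from hplip's upgrade.py or from anyone in the thread. It simulates the download with two fetch callbacks (an honest server and an on-path attacker substituting the file), uses constructed stand-in installer bytes in place of the real hplip-<version>.run archive, and assumes the packager ships a pinned SHA-256 of the genuine installer; the URLs are modelled on the one hard-coded in upgrade.py but are otherwise hypothetical.

```python
"""Insecure download-and-run updater beside a hardened one (added example)."""
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile
from urllib.parse import urlparse

# Constructed stand-ins for the installer. The real updater fetches a
# hplip-<version>.run self-extracting archive; to stay portable and offline
# the "installer" here is a tiny Python script that announces who wrote it.
GENUINE_INSTALLER = b'print("genuine installer")\n'
TAMPERED_INSTALLER = b'print("attacker code")\n'

# Assumption: a pinned SHA-256 of the genuine installer shipped with the package.
# A detached GPG signature checked against a pinned key would be stronger still.
GENUINE_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()

# Hypothetical URLs modelled on the one hard-coded in upgrade.py.
HTTP_URL = "http://sourceforge.net/projects/hplip/files/hplip/3.13.11/hplip-3.13.11.run/download"
HTTPS_URL = HTTP_URL.replace("http://", "https://", 1)


def honest_server(url):
    """Fetch callback standing in for the real download: returns the genuine file."""
    return GENUINE_INSTALLER


def on_path_attacker(url):
    """Fetch callback standing in for a MITM (or compromised mirror) substituting the file."""
    return TAMPERED_INSTALLER


def run_installer(data):
    """Write the fetched bytes to a temp file, execute them, and return their stdout."""
    with tempfile.NamedTemporaryFile("wb", suffix=".run", delete=False) as f:
        f.write(data)
        path = f.name
    try:
        os.chmod(path, 0o700)
        proc = subprocess.run([sys.executable, path], capture_output=True, text=True, check=True)
        return proc.stdout.strip()
    finally:
        os.unlink(path)


def insecure_update(fetch, url):
    """The objectionable pattern: download from whatever the URL says, then run it.
    No transport security and no integrity check, so a substituted file executes."""
    return run_installer(fetch(url))


def secure_update(fetch, url, expected_sha256):
    """Hardened form: insist on TLS and verify the digest before anything executes."""
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise ValueError("refusing to fetch installer over " + scheme)
    data = fetch(url)
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        raise ValueError("installer digest mismatch: " + digest)
    return run_installer(data)


def demo():
    """Exercise the interesting cases and report each outcome as a plain string."""
    results = {}
    # Plain HTTP plus no verification: the attacker's file runs.
    results["insecure_mitm"] = insecure_update(on_path_attacker, HTTP_URL)
    # TLS plus a matching digest: the genuine installer runs.
    results["secure_honest"] = secure_update(honest_server, HTTPS_URL, GENUINE_SHA256)
    # A substituted file, and a plain-HTTP URL, are both refused before execution.
    for name, fetch, url in (("secure_mitm", on_path_attacker, HTTPS_URL),
                             ("secure_plain_http", honest_server, HTTP_URL)):
        try:
            secure_update(fetch, url, GENUINE_SHA256)
            results[name] = "executed"
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-18s %s" % (case, outcome))
```

The digest check is what matters most: it rejects a substituted file whatever the transport, so it also covers a compromised download host, which TLS alone does not. The scheme check closes the separate hole of a hard-coded http:// default that nothing in the code prevents from being used.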